rbac: clean up roles and permissions

[gergosimonyi]

This was purposefully not included in 2025.12 to split the changes up.

The main content of this patch is in the migrations. Everything else follows more or less automatically.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	9424a05
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/697b96c760882300081131d2
😎 Deploy Preview	https://deploy-preview-19588--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	9424a05
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/697b96c7063f230008af8585
😎 Deploy Preview	https://deploy-preview-19588--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	9424a05
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/697b96c70a77b80008b7c0e3
😎 Deploy Preview	https://deploy-preview-19588--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[gergosimonyi]

This change (and its analogue over at schema.yml) was automatically included when I ran make gen. I'll leave it in.

[codecov]

Codecov Report

❌ Patch coverage is 88.67925% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.26%. Comparing base (387a3ef) to head (9424a05).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
authentik/outposts/models.py	0.00%	3 Missing ⚠️
authentik/providers/ldap/models.py	0.00%	3 Missing ⚠️
authentik/providers/radius/models.py	0.00%	3 Missing ⚠️
...ik/enterprise/providers/google_workspace/models.py	0.00%	1 Missing ⚠️
...tik/enterprise/providers/microsoft_entra/models.py	0.00%	1 Missing ⚠️
authentik/rbac/api/roles.py	66.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #19588      +/-   ##
==========================================
+ Coverage   93.19%   93.26%   +0.06%     
==========================================
  Files         968      968              
  Lines       53307    53331      +24     
==========================================
+ Hits        49682    49738      +56     
+ Misses       3625     3593      -32     

Flag	Coverage Δ
conformance	38.07% <16.03%> (-0.02%)	⬇️
e2e	44.08% <30.18%> (+1.05%)	⬆️
integration	22.92% <13.20%> (-0.01%)	⬇️
unit	91.41% <87.73%> (+<0.01%)	⬆️
unit-migrate	91.43% <87.73%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9424a051a2c2d5e770b9930516bafad1ee8e29d4
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-9424a051a2c2d5e770b9930516bafad1ee8e29d4

Afterwards, run the upgrade commands from the latest release notes.

[BeryJu]

We might want some sort of proxy for the old field as its probably used in policies quite frequently, something that'll log an event when used.

[gergosimonyi]

I thought this deserved its own EventAction, see 6fc2469 for my first pass on implementing this.

[BeryJu]

Suggested change

	DEPRECATION_USED = "deprecation_used"
	CONFIGURATION_WARNING = "configuration_warning"

Should make it a bit more re-usable for other things

[dominic-r]

lgtm for docs

[BeryJu]

Looks good, added one small comment to the release notes to tell people the old one is deprecated but will still work.

One other thing I suggest for this is splitting out the changes to integrations since those are not deployed from the version branch and as such will go live as soon as this is merged, so we should separate that and only merge it once this is out. (Or maybe even later since .ak_groups will still work)