Open WebUI provides comprehensive role-based access control (RBAC) to manage user permissions, group access, and resource sharing across your organization.

User Roles

Open WebUI supports four primary user roles:
Role     | Description         | Capabilities
admin    | Super Administrator | Full system access, user management, settings
user     | Standard User       | Access based on permissions and group membership
pending  | Pending Approval    | Limited access until activated by admin

Default User Role

Configure the default role for new users:
# Default role for new signups
DEFAULT_USER_ROLE=pending  # Options: user, pending
Set to pending to require admin approval for new accounts.

Group-Based Access Control

Groups enable organizing users and managing shared resources.

Creating Groups

Groups can be created:
  • Manually - By administrators via UI or API
  • LDAP Sync - Automatically from Active Directory groups
  • SCIM Provisioning - From identity provider group assignments
  • OAuth Mapping - From OAuth group claims

Group Configuration

# Default group for new users
DEFAULT_GROUP_ID=group-uuid-here

# OAuth group management
ENABLE_OAUTH_GROUP_MANAGEMENT=true
ENABLE_OAUTH_GROUP_CREATION=true
OAUTH_GROUP_DEFAULT_SHARE=true  # or 'members'

# LDAP group management
ENABLE_LDAP_GROUP_MANAGEMENT=true
ENABLE_LDAP_GROUP_CREATION=true
LDAP_ATTRIBUTE_FOR_GROUPS=memberOf

User Permissions

Open WebUI provides granular permission control across multiple categories:

Workspace Permissions

Control access to workspace resources:
# Access to workspace features
USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS=false
USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_ACCESS=false
USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS=false
USER_PERMISSIONS_WORKSPACE_SKILLS_ACCESS=false

# Import/Export permissions
USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT=false
USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT=false
USER_PERMISSIONS_WORKSPACE_TOOLS_IMPORT=false
USER_PERMISSIONS_WORKSPACE_TOOLS_EXPORT=false

Sharing Permissions

Control resource sharing capabilities:
# Allow users to share resources
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_SHARING=false
USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ALLOW_SHARING=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_SHARING=false
USER_PERMISSIONS_WORKSPACE_TOOLS_ALLOW_SHARING=false
USER_PERMISSIONS_WORKSPACE_SKILLS_ALLOW_SHARING=false

# Allow public sharing (to all users)
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING=false
USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ALLOW_PUBLIC_SHARING=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_PUBLIC_SHARING=false
USER_PERMISSIONS_WORKSPACE_TOOLS_ALLOW_PUBLIC_SHARING=false
USER_PERMISSIONS_WORKSPACE_SKILLS_ALLOW_PUBLIC_SHARING=false

# Notes sharing
USER_PERMISSIONS_NOTES_ALLOW_SHARING=false
USER_PERMISSIONS_NOTES_ALLOW_PUBLIC_SHARING=false

Chat Permissions

Control chat functionality:
# Chat controls and settings
USER_PERMISSIONS_CHAT_CONTROLS=true
USER_PERMISSIONS_CHAT_VALVES=true
USER_PERMISSIONS_CHAT_SYSTEM_PROMPT=true
USER_PERMISSIONS_CHAT_PARAMS=true

# File handling
USER_PERMISSIONS_CHAT_FILE_UPLOAD=true
USER_PERMISSIONS_CHAT_WEB_UPLOAD=true

# Chat actions
USER_PERMISSIONS_CHAT_DELETE=true
USER_PERMISSIONS_CHAT_DELETE_MESSAGE=true
USER_PERMISSIONS_CHAT_CONTINUE_RESPONSE=true
USER_PERMISSIONS_CHAT_REGENERATE_RESPONSE=true
USER_PERMISSIONS_CHAT_RATE_RESPONSE=true
USER_PERMISSIONS_CHAT_EDIT=true
USER_PERMISSIONS_CHAT_SHARE=true
USER_PERMISSIONS_CHAT_EXPORT=true

# Audio/Video
USER_PERMISSIONS_CHAT_STT=true  # Speech-to-text
USER_PERMISSIONS_CHAT_TTS=true  # Text-to-speech
USER_PERMISSIONS_CHAT_CALL=true  # Video/voice calls

# Advanced features
USER_PERMISSIONS_CHAT_MULTIPLE_MODELS=true
USER_PERMISSIONS_CHAT_TEMPORARY=true
USER_PERMISSIONS_CHAT_TEMPORARY_ENFORCED=false  # Force temporary chats only

Feature Permissions

# General features
USER_PERMISSIONS_FEATURES_API_KEYS=false  # Allow API key creation
USER_PERMISSIONS_FEATURES_NOTES=true
USER_PERMISSIONS_FEATURES_FOLDERS=true
USER_PERMISSIONS_FEATURES_CHANNELS=true
USER_PERMISSIONS_FEATURES_MEMORIES=true

# Advanced features
USER_PERMISSIONS_FEATURES_WEB_SEARCH=true
USER_PERMISSIONS_FEATURES_IMAGE_GENERATION=true
USER_PERMISSIONS_FEATURES_CODE_INTERPRETER=true
USER_PERMISSIONS_FEATURES_DIRECT_TOOL_SERVERS=false

Settings Permissions

# Access to settings interface
USER_PERMISSIONS_SETTINGS_INTERFACE=true

Access Grants

# Allow granting access to other users
USER_PERMISSIONS_ACCESS_GRANTS_ALLOW_USERS=true

Admin Permissions

Admin Access Controls

# Admin content access
ENABLE_ADMIN_EXPORT=true
ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS=true
BYPASS_ADMIN_ACCESS_CONTROL=true  # Admins bypass all access controls
ENABLE_ADMIN_CHAT_ACCESS=true  # Admins can view all chats
ENABLE_ADMIN_ANALYTICS=true  # Access to analytics dashboard

Admin Visibility

# Show admin contact info on login page
SHOW_ADMIN_DETAILS=true
ADMIN_EMAIL=admin@company.com  # Displayed on login page

Model Access Control

Model-Level Permissions

# Bypass model access control (all users see all models)
BYPASS_MODEL_ACCESS_CONTROL=false
When false, model access is controlled via:
  • Group Assignments - Models can be assigned to specific groups
  • User Grants - Individual users can be granted model access
  • Admin Override - Admins always have access to all models

OAuth Role Mapping

Map OAuth provider roles to Open WebUI roles:
# Enable role management from OAuth
ENABLE_OAUTH_ROLE_MANAGEMENT=true

# Role claim in OAuth token
OAUTH_ROLES_CLAIM=roles  # or 'groups', 'role', etc.
OAUTH_ROLES_SEPARATOR=,  # How roles are separated in claim

# Allowed roles (users must have one of these)
OAUTH_ALLOWED_ROLES=user,admin,member

# Admin roles (grant admin access)
OAUTH_ADMIN_ROLES=admin,superuser

Domain Restrictions

# Restrict OAuth logins to specific domains
OAUTH_ALLOWED_DOMAINS=company.com,subsidiary.com
# Or use '*' to allow all domains (set only one of the two values)
# OAUTH_ALLOWED_DOMAINS=*
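
The following added example (not Open WebUI's own code) models how the role-mapping and domain settings above combine for a set of ID-token claims, including the case where the claim's separator does not match OAUTH_ROLES_SEPARATOR. The function names, the admin-before-user precedence, exact-match comparison and the None result are assumptions of this sketch; the page does not say what happens to a user with no allowed role.

```python
def split_list(value, sep=","):
    """Split a separator-joined setting or claim, dropping empty items."""
    return [item.strip() for item in value.split(sep) if item.strip()]

def claim_roles(claims, roles_claim, separator):
    """Roles may arrive as a JSON list or as one separator-joined string."""
    raw = claims.get(roles_claim, [])
    if isinstance(raw, str):
        return split_list(raw, separator)
    return [str(role) for role in raw]

def resolve_role(claims, cfg):
    """Return 'admin', 'user', or None when the domain or roles do not qualify."""
    email = claims.get("email", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    allowed_domains = split_list(cfg["OAUTH_ALLOWED_DOMAINS"])
    if "*" not in allowed_domains and domain not in allowed_domains:
        return None
    roles = set(claim_roles(claims, cfg["OAUTH_ROLES_CLAIM"],
                            cfg["OAUTH_ROLES_SEPARATOR"]))
    # Assumed precedence: an admin role wins over a plain allowed role.
    if roles & set(split_list(cfg["OAUTH_ADMIN_ROLES"])):
        return "admin"
    if roles & set(split_list(cfg["OAUTH_ALLOWED_ROLES"])):
        return "user"
    return None

# Settings copied from this page; the claims below are constructed samples.
CFG = {
    "OAUTH_ROLES_CLAIM": "roles",
    "OAUTH_ROLES_SEPARATOR": ",",
    "OAUTH_ALLOWED_ROLES": "user,admin,member",
    "OAUTH_ADMIN_ROLES": "admin,superuser",
    "OAUTH_ALLOWED_DOMAINS": "company.com,subsidiary.com",
}

if __name__ == "__main__":
    samples = [
        {"email": "a@company.com", "roles": "member,staff"},
        {"email": "b@subsidiary.com", "roles": ["superuser"]},
        {"email": "c@company.com", "roles": "admin superuser"},  # wrong separator
        {"email": "d@other.example", "roles": ["admin"]},        # domain not allowed
    ]
    for claims in samples:
        print(claims["email"], "->", resolve_role(claims, CFG))
```

A space-separated claim parsed with a comma separator becomes one unmatched role, so the identity provider's claim format should be checked against OAUTH_ROLES_SEPARATOR before role management is enabled.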

API Key Permissions

Enable API Keys

# Allow users to create API keys
ENABLE_API_KEYS=true

# Allow user-level API keys (requires permission)
USER_PERMISSIONS_FEATURES_API_KEYS=false  # Restrict to admins only

API Key Restrictions

# Restrict API keys to specific endpoints
ENABLE_API_KEYS_ENDPOINT_RESTRICTIONS=true

# Comma-separated list of allowed endpoints
API_KEYS_ALLOWED_ENDPOINTS=/api/chat,/api/models

Example: Restrictive Enterprise Configuration

# User Management
DEFAULT_USER_ROLE=pending  # Require approval
ENABLE_SIGNUP=false  # Disable self-registration

# Workspace - Read Only
USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS=true
USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS=true
USER_PERMISSIONS_WORKSPACE_PROMPTS_ACCESS=true
USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS=false
USER_PERMISSIONS_WORKSPACE_SKILLS_ACCESS=false

# No Imports/Exports for users
USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT=false
USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT=false

# Limited Sharing
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_SHARING=true
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING=false
USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_SHARING=true
USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_PUBLIC_SHARING=false

# Chat Restrictions
USER_PERMISSIONS_CHAT_TEMPORARY=true
USER_PERMISSIONS_CHAT_TEMPORARY_ENFORCED=true  # Force all chats temporary
USER_PERMISSIONS_CHAT_EXPORT=false
USER_PERMISSIONS_CHAT_SHARE=false

# Disable Advanced Features
USER_PERMISSIONS_FEATURES_API_KEYS=false
USER_PERMISSIONS_FEATURES_CODE_INTERPRETER=false
USER_PERMISSIONS_FEATURES_DIRECT_TOOL_SERVERS=false

# Model Access Control
BYPASS_MODEL_ACCESS_CONTROL=false  # Enforce group-based access

# Admin Controls
BYPASS_ADMIN_ACCESS_CONTROL=true
ENABLE_ADMIN_CHAT_ACCESS=true

Example: Permissive Development Configuration

# User Management
DEFAULT_USER_ROLE=user
ENABLE_SIGNUP=true

# Full Workspace Access
USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS=true
USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS=true
USER_PERMISSIONS_WORKSPACE_PROMPTS_ACCESS=true
USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS=true
USER_PERMISSIONS_WORKSPACE_SKILLS_ACCESS=true

# Allow Import/Export
USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT=true
USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT=true

# Full Sharing
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_SHARING=true
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING=true

# All Chat Features
USER_PERMISSIONS_CHAT_TEMPORARY_ENFORCED=false
USER_PERMISSIONS_CHAT_EXPORT=true
USER_PERMISSIONS_CHAT_SHARE=true

# All Features Enabled
USER_PERMISSIONS_FEATURES_API_KEYS=true
USER_PERMISSIONS_FEATURES_CODE_INTERPRETER=true
USER_PERMISSIONS_FEATURES_WEB_SEARCH=true

# No Model Restrictions
BYPASS_MODEL_ACCESS_CONTROL=true
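
To keep development-style values out of a production deployment, the following added example (not part of Open WebUI) parses an env file or a Compose environment list and flags the permissive settings that the two example configurations above differ on. The rule list, function names and sample inputs are constructed for this illustration, and only explicitly set values are judged because this page does not list every default.

```python
import re

# (setting, risky value, reason); reasons paraphrase this page's own comments.
RISKY = [
    ("BYPASS_MODEL_ACCESS_CONTROL", "true", "all users see all models"),
    ("OAUTH_ALLOWED_DOMAINS", "*", "OAuth logins allowed from all domains"),
    ("USER_PERMISSIONS_FEATURES_API_KEYS", "true", "users can create API keys"),
]

def parse_env(text):
    """Parse KEY=VALUE lines; accepts '- KEY=VALUE' items and strips '  # note' tails."""
    env = {}
    for line in text.splitlines():
        line = line.strip().removeprefix("- ")
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = re.sub(r"\s+#.*$", "", value).strip()
    return env  # a later assignment of the same key wins

def is_true(env, key):
    return env.get(key, "").lower() == "true"

def audit(env):
    """Return findings for explicitly set values only; unset keys are not judged."""
    findings = [f"{k}={bad}: {why}" for k, bad, why in RISKY
                if env.get(k, "").lower() == bad]
    findings += [f"{k}=true: resource can be shared to all users"
                 for k in env if k.endswith("_ALLOW_PUBLIC_SHARING") and is_true(env, k)]
    if is_true(env, "ENABLE_SIGNUP") and env.get("DEFAULT_USER_ROLE") == "user":
        findings.append("ENABLE_SIGNUP=true with DEFAULT_USER_ROLE=user: "
                        "new signups skip admin approval")
    if is_true(env, "ENABLE_API_KEYS") and not is_true(env, "ENABLE_API_KEYS_ENDPOINT_RESTRICTIONS"):
        findings.append("ENABLE_API_KEYS=true: endpoint restrictions not explicitly enabled")
    return findings

# Constructed samples, abbreviated from the two example configurations above.
RESTRICTIVE = """
DEFAULT_USER_ROLE=pending
ENABLE_SIGNUP=false
USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING=false
USER_PERMISSIONS_FEATURES_API_KEYS=false
BYPASS_MODEL_ACCESS_CONTROL=false
"""
# Same keys with the development values.
PERMISSIVE = RESTRICTIVE.replace("=false", "=true").replace("=pending", "=user")

if __name__ == "__main__":
    for name, text in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE)):
        print(name, audit(parse_env(text)))
```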

Docker Compose Example

version: '3'

services:
  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    environment:
      # User Management
      - DEFAULT_USER_ROLE=pending
      - ENABLE_SIGNUP=false
      
      # Workspace Permissions
      - USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS=true
      - USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS=true
      - USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_SHARING=true
      - USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING=false
      
      # Chat Permissions
      - USER_PERMISSIONS_CHAT_EXPORT=false
      - USER_PERMISSIONS_CHAT_TEMPORARY_ENFORCED=true
      
      # Model Access Control
      - BYPASS_MODEL_ACCESS_CONTROL=false
      
      # Admin Settings
      - SHOW_ADMIN_DETAILS=true
      - ADMIN_EMAIL=admin@company.com
    volumes:
      - open-webui:/app/backend/data
    restart: always

volumes:
  open-webui:

Implementation Details

  • Permission configuration: backend/open_webui/config.py:1336-1671
  • Default permissions structure defined in DEFAULT_USER_PERMISSIONS
  • Permissions stored in database and synchronized via Redis in multi-instance deployments
