Role-Based Access Control (RBAC)
Open WebUI implements a flexible and secure Role-Based Access Control (RBAC) system. This system allows administrators to precisely manage user capabilities and access to resources through three interconnected layers:
- Roles: The high-level user type (Admin, User, Pending). This defines the baseline trust level.
- Permissions: Granular feature flags (e.g., "Can Delete Chats", "Can Use Web Search").
- Groups: The mechanism for organizing users, granting additional permissions, and managing shared access to resources (ACLs). Resources can also be shared directly to individual users.
The security model is additive. Users start with the default rights of their role, and group memberships only add capabilities; a user's effective rights are the union of everything granted by their role and by their groups. Nothing in this model subtracts: a permission granted in the role defaults cannot be taken away by any group, so keep the defaults minimal and use groups to grant the extras.
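As an added illustration (not Open WebUI's own code), the following Python models the additive rule and the ACL check described above: role defaults, groups that can only add feature flags, and resources shared with groups or with individual users. The flag names, the per-role defaults and the `Group`/`User`/`Resource` shapes are assumptions made for the example. The `defaults_granting` helper shows the practical consequence of the union rule: a flag present in a role's defaults is the floor for every user of that role and cannot be revoked through group configuration.

```python
# Added illustration of an additive RBAC/ACL model; not Open WebUI's code.
# Flag names, role defaults and the dataclass shapes are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Assumed per-role defaults (in a real deployment these come from the admin
# panel's Global Defaults). "pending" users get nothing until approved.
ROLE_DEFAULTS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"chat.delete", "features.web_search",
                        "workspace.models", "workspace.knowledge"}),
    "user": frozenset({"chat.delete"}),
    "pending": frozenset(),
}


@dataclass(frozen=True)
class Group:
    name: str
    permissions: FrozenSet[str] = frozenset()  # extra flags this group grants


@dataclass(frozen=True)
class User:
    id: str
    role: str
    groups: Tuple[Group, ...] = ()


@dataclass(frozen=True)
class Resource:
    """A private Model or Knowledge base with its ACL (assumed shape)."""
    owner_id: str
    shared_groups: FrozenSet[str] = frozenset()  # group names on the ACL
    shared_users: FrozenSet[str] = frozenset()   # user ids shared directly


def effective_permissions(user: User,
                          role_defaults: Dict[str, FrozenSet[str]] = ROLE_DEFAULTS
                          ) -> FrozenSet[str]:
    """Union of the role's defaults and every group's grants.

    Groups only ever add flags; nothing here subtracts, so the role
    defaults are the floor for every user holding that role.
    """
    perms = set(role_defaults.get(user.role, frozenset()))
    for group in user.groups:
        perms |= group.permissions
    return frozenset(perms)


def can_access(user: User, resource: Resource) -> bool:
    """ACL check: the owner, a directly shared user, or a member of a shared group."""
    if user.id == resource.owner_id or user.id in resource.shared_users:
        return True
    return any(group.name in resource.shared_groups for group in user.groups)


def defaults_granting(flags: FrozenSet[str],
                      role_defaults: Dict[str, FrozenSet[str]] = ROLE_DEFAULTS
                      ) -> Dict[str, FrozenSet[str]]:
    """Audit helper: which roles hand out the given sensitive flags by default.

    Any flag reported here is granted to every user of that role and cannot
    be removed by group configuration alone, because grants are additive.
    """
    return {role: perms & flags
            for role, perms in role_defaults.items() if perms & flags}


if __name__ == "__main__":
    engineering = Group("engineering", frozenset({"features.web_search"}))
    alice = User("alice", "user", (engineering,))
    print(sorted(effective_permissions(alice)))
    print(defaults_granting(frozenset({"features.web_search"})))
```

Run `defaults_granting` against the flags you consider sensitive (web search, model or knowledge management) before relying on groups to restrict them: if a flag shows up under the `user` role, the only way to take it back is to change the default, not to add or remove groups.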
RBAC controls what users can do inside Open WebUI (features, resources, and UI/API actions).
RBAC does not replace least-privilege configuration for external providers. If you connect an OpenAI-compatible proxy or provider (for example LiteLLM, OpenRouter, or a custom gateway), give Open WebUI a credential scoped to inference only. Open WebUI uses that credential on behalf of every user whose requests reach the provider, so it should carry no more trust than inference requires.
Avoid configuring management or master keys for general user traffic unless your deployment explicitly requires that level of trust.
Documentation Guide
- Roles
  - Understand the difference between Admins and Users.
  - Learn about Admin limitations and security/privacy configurations.
- Permissions
  - Explore the full list of available permission toggles.
  - Understand granular controls for Chat, Workspace, and Features.
  - Security Tip: Learn how properly configured Global Defaults protect your system.
- Groups
  - Learn how to structure teams and projects.
  - Strategy: Distinguish between "Permission Groups" (for rights) and "Sharing Groups" (for access).
  - Manage Access Control Lists (ACLs) for private Models and Knowledge, sharing them with groups or individual users.