OpenWebUI/docs
1
0
Fork 0
mirror of https://github.com/open-webui/docs synced 2025-05-19 10:52:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Refactored to individual pages

Browse Source
This commit is contained in:
turegjorup 2025-05-14 13:59:25 +02:00
parent d5c394d3eb
commit fa252f955a
4 changed files with 92 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
docs/features/workspace/groups.md Normal file
View File

@ -0,0 +1,74 @@
---
sidebar_position: 3
title: "🔐 Groups"
---
Groups allow administrators to
* assign permissions to multiple users at once, simplifying access management
* limit access to specific resources (Models, Tools, etc) by setting their access to "private" then opening access to specific groups
* Specify access to a resource for a group to either "read" or "write" (write access implies read)
:::info
Note that the permissions model is permissive. If a user is a member of two groups that define different permissions for a resource, the most permissive permission is applied.
:::
### Group Structure
Each group in Open WebUI contains:
* A unique identifier
* Name and description
* Owner/creator reference
* List of member user IDs
* Permission configuration
* Additional metadata
### Group Management
Groups can be:
* **Created manually** by administrators through the user interface
* **Synced automatically** from OAuth providers when `ENABLE_OAUTH_GROUP_MANAGEMENT` is enabled
* **Created automatically** from OAuth claims when both `ENABLE_OAUTH_GROUP_MANAGEMENT` and`ENABLE_OAUTH_GROUP_CREATION`
are enabled
### OAuth Group Integration
When OAuth group management is enabled, user group memberships are synchronized with groups received in OAuth claims:
* Users are added to Open WebUI groups that match their OAuth claims
* Users are removed from groups not present in their OAuth claims
* With `ENABLE_OAUTH_GROUP_CREATION` enabled, groups from OAuth claims that don't exist in Open WebUI are automatically
created
## Group Permissions
Groups can be used to make sets of permissions available to users. For example, a group could be created for "Data
Scientists" that has read and write access to all models, knowledge bases, and tools.
## Resource Access Control for Groups
Open WebUI implements granular access control for resources like models, knowledge bases, prompts, and tools. Access can
be controlled at both the user and group level.
To enable access control for a resource, set its access to "private" and then open access to specific groups.
### Access Control Structure
Resources like knowledge bases use an access control structure that specifies read and write permissions for both users
and groups:
```json
{
"read": {
"group_ids": ["group_id1", "group_id2"],
"user_ids": ["user_id1", "user_id2"]
},
"write": {
"group_ids": ["group_id1", "group_id2"],
"user_ids": ["user_id1", "user_id2"]
}
}
```
This structure allows for precise control over who can view and modify specific resources.

11
docs/features/workspace/index.mdx
View File

@ -5,10 +5,17 @@ title: "🖥️ Workspace"
The Workspace in Open WebUI provides a comprehensive environment for managing your AI interactions and configurations. It consists of several key components:
## Resources
- [🤖 Models](./models.md) - Create and manage custom models tailored to specific purposes
- [🧠 Knowledge](./knowledge.md) - Manage your knowledge bases for retrieval augmented generation
- [📚 Prompts](./prompts.md) - Create and organize reusable prompts
- [‍💻 Roles, Groups and Permissions](./roles-groups-permissions.md) - Work with roles, groups and permissions to manage access to your Workspace
- [🔒 Permissions](./permissions.md) - Configure access controls and feature availability
Each section of the Workspace is designed to give you fine-grained control over your Open WebUI experience, allowing for customization and optimization of your AI interactions.
## Access Control
- [‍🔑 Roles](./roles.md) - The roles defined in Open WebUI
- [‍🔐 Groups](./groups.md) - Setup groups of users to share access to resources
- [🔒 Permissions](./permissions.md) - Configure access controls and feature availability
Roles, groups and permissions are designed to work together to provide a finegrained model for controlling user access to individual resources.

8
docs/features/workspace/permissions.md
View File

@ -5,6 +5,12 @@ title: "🔒 Permissions"
The `Permissions` section of the `Workspace` within Open WebUI allows administrators to configure access controls and feature availability for users. This powerful system enables fine-grained control over what users can access and modify within the application.
Administrators can manage permissions in the following ways:
1. **User Interface:** The Workspace's Permissions section provides a graphical interface for configuring permissions.
2. **Environment Variables:** Permissions can be set using environment variables, which are stored as `PersistentConfig` variables.
3. **Group Management:** Assigning users to groups with predefined permissions.
## Workspace Permissions
Workspace permissions control access to core components of the Open WebUI platform:
@ -56,6 +62,8 @@ By default, Open WebUI applies the following permission settings:
- Code Interpreter: Enabled (`USER_PERMISSIONS_FEATURES_CODE_INTERPRETER`)
- Direct Tool Servers: Disabled (`USER_PERMISSIONS_FEATURES_DIRECT_TOOL_SERVERS=False`)
Administrators can change the default permissions in the user interface under "users" in the admin panel.
## Managing Permissions
Administrators can adjust these permissions through the user interface or by setting the corresponding environment variables in the configuration. All permission-related environment variables are marked as `PersistentConfig` variables, meaning they are stored internally after the first launch and can be managed through the Open WebUI interface.

55
docs/features/workspace/roles-groups-permissions.md → docs/features/workspace/roles.md
View File

@ -1,17 +1,8 @@
---
sidebar_position: 3
title: "👩‍💻 Roles, Groups and Permissions"
title: "🔑 Roles"
---
Open WebUI provides a comprehensive and flexible user management system with role-based access control and fine-grained
permissions. Administrators have granular control over user access, while integration with external authentication
providers enables seamless incorporation into existing identity infrastructure.
The role-based model with fine-grained permissions ensures that users only have access to the features and resources
appropriate for their role, maintaining security while providing flexibility for different deployment scenarios.
## User Roles
Open WebUI implements a structured role-based access control system with three primary user roles:
| **Role** | **Description** | **Default Creation** |
@ -71,47 +62,3 @@ When OAuth group management is enabled, user group memberships are synchronized
* Users are removed from groups not present in their OAuth claims
* With `ENABLE_OAUTH_GROUP_CREATION` enabled, groups from OAuth claims that don't exist in Open WebUI are automatically
created
## Permission Framework
Open WebUI implements a comprehensive [permission system](./permissions.md) divided into three main categories:
1. Workspace Permissions
2. Chat Permissions
3. Features Permissions
Administrators can configure permissions for each category individually and configure the default permissions for each
category.
## Resource Access Control
Open WebUI implements granular access control for resources like models, knowledge bases, prompts, and tools. Access can
be controlled at both the user and group level.
### Access Control Structure
Resources like knowledge bases use an access control structure that specifies read and write permissions for both users
and groups:
```json
{
"read": {
"group_ids": ["group_id1", "group_id2"],
"user_ids": ["user_id1", "user_id2"]
},
"write": {
"group_ids": ["group_id1", "group_id2"],
"user_ids": ["user_id1", "user_id2"]
}
}
```
This structure allows for precise control over who can view and modify specific resources.
## Managing Permissions
Administrators can manage permissions in the following ways:
1. **User Interface:** The Workspace's Permissions section provides a graphical interface for configuring permissions.
2. **Environment Variables:** Permissions can be set using environment variables, which are stored as `PersistentConfig` variables.
3. **Group Management:** Assigning users to groups with predefined permissions.