Manage groups
v1.33
When using OIDC for authentication, you can leverage user groups defined in your identity provider (like Keycloak, Okta, or Auth0) to manage permissions in Weaviate. The user's group memberships are passed to Weaviate in the OIDC token.
You can then assign Weaviate roles directly to these OIDC groups. Any user who is a member of that group will automatically inherit the permissions of the assigned roles. This is a powerful way to manage access for large teams without assigning roles to each user individually.
On this page, you will find examples of how to programmatically manage OIDC groups and their associated roles.
Group management
Assign roles to an OIDC group
You can assign one or more Weaviate roles to an OIDC group. Any user belonging to this group will inherit the roles' permissions.
This example assigns the testRole and viewer roles to the /admin-group.
If a snippet doesn't work or you have feedback, please open a GitHub issue.
admin_client.groups.oidc.assign_roles(
    group_id="/admin-group", role_names=["testRole", "viewer"]
)
Revoke roles from an OIDC group
You can revoke one or more roles from a specific OIDC group.
This example removes the testRole and viewer roles from the /admin-group.
admin_client.groups.oidc.revoke_roles(
    group_id="/admin-group", role_names=["testRole", "viewer"]
)
List roles assigned to an OIDC group
Retrieve a list of all roles that have been assigned to a specific OIDC group.
group_roles = oidc_admin_client.groups.oidc.get_assigned_roles(
    group_id="/admin-group", include_permissions=True
)
print(f"Roles assigned to '/admin-group': {list(group_roles.keys())}")
Example results
Roles assigned to '/admin-group': ['testRole', 'viewer']
List all known OIDC groups
This example shows how to get a list of all OIDC groups that Weaviate is aware of. Weaviate learns about a group when a role is first assigned to it.
known_groups = admin_client.groups.oidc.get_known_group_names()
print(f"Known OIDC groups ({len(known_groups)}): {known_groups}")
Example results
Known OIDC groups (3): ['/viewer-group', '/admin-group', '/my-test-group']
List groups assigned to a role
Retrieve a list of all groups that have been assigned a specific role.
This example shows which groups have the testRole assigned to them.
group_assignments = admin_client.roles.get_group_assignments(role_name="testRole")
print("Groups assigned to role 'testRole':")
# Each assignment carries the group's ID and its type (for example, oidc)
for group in group_assignments:
    print(f" - Group ID: {group.group_id}, Type: {group.group_type}")
Example results
Groups assigned to role 'testRole':
- Group ID: /admin-group, Type: oidc
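Because every member of a group inherits its roles, it is worth checking the live grants against a reviewed baseline from time to time. The following is an added example, not part of the Weaviate documentation or client: it audits group grants using the list, read and revoke calls shown above. FakeOidcGroups, the sample state and the baseline are constructed so the code runs offline; against a real instance you would pass admin_client.groups.oidc instead.

```python
# Added example: audit OIDC group -> role grants against a reviewed baseline.

def audit_group_roles(oidc_groups, expected):
    """Return grants that differ from `expected` ({group_id: [role names]}).

    `oidc_groups` is any object with the read calls shown on this page,
    e.g. admin_client.groups.oidc on a connected Weaviate client.
    """
    findings = {"unexpected": {}, "missing": {}}
    known = set(oidc_groups.get_known_group_names())
    for group_id in sorted(known | set(expected)):
        live = set()
        if group_id in known:
            roles = oidc_groups.get_assigned_roles(
                group_id=group_id, include_permissions=False
            )
            live = set(roles.keys())
        want = set(expected.get(group_id, ()))
        if live - want:  # grant nobody reviewed: least-privilege drift
            findings["unexpected"][group_id] = sorted(live - want)
        if want - live:  # reviewed grant that is not in effect
            findings["missing"][group_id] = sorted(want - live)
    return findings

def revoke_unexpected(oidc_groups, findings):
    """Revoke every unexpected grant using revoke_roles as shown above."""
    for group_id, roles in findings["unexpected"].items():
        oidc_groups.revoke_roles(group_id=group_id, role_names=roles)

class FakeOidcGroups:
    """Constructed in-memory stand-in so the audit runs offline (assumption)."""
    def __init__(self, grants):
        self.grants = {g: set(r) for g, r in grants.items()}
    def get_known_group_names(self):
        return [g for g, r in self.grants.items() if r]
    def get_assigned_roles(self, group_id, include_permissions=False):
        return {name: None for name in self.grants.get(group_id, ())}
    def revoke_roles(self, group_id, role_names):
        self.grants[group_id] -= set(role_names)

# Constructed sample state and baseline; only /admin-group's roles are from the page.
LIVE = {"/admin-group": ["testRole", "viewer"], "/viewer-group": ["viewer"],
        "/my-test-group": ["testRole"]}
EXPECTED = {"/admin-group": ["testRole", "viewer"], "/viewer-group": ["viewer"],
            "/ops-group": ["viewer"]}

if __name__ == "__main__":
    fake = FakeOidcGroups(LIVE)
    print(audit_group_roles(fake, EXPECTED))
```

Run the audit in report-only mode first and call revoke_unexpected only after the findings have been reviewed.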
Questions and feedback
If you have any questions or feedback, let us know in the user forum.
