Manage groups

Added in v1.33

When using OIDC for authentication, you can leverage user groups defined in your identity provider (like Keycloak, Okta, or Auth0) to manage permissions in Weaviate. The user's group memberships are passed to Weaviate in the OIDC token.

You can then assign Weaviate roles directly to these OIDC groups. Any user who is a member of that group will automatically inherit the permissions of the assigned roles. This is a powerful way to manage access for large teams without assigning roles to each user individually.

On this page, you will find examples of how to programmatically manage OIDC groups and their associated roles.

Group management

Assign roles to an OIDC group

You can assign one or more Weaviate roles to an OIDC group. Any user belonging to this group will inherit the roles' permissions.

This example assigns the testRole and viewer roles to the /admin-group.

admin_client.groups.oidc.assign_roles(
    group_id="/admin-group", role_names=["testRole", "viewer"]
)

Revoke roles from an OIDC group

You can revoke one or more roles from a specific OIDC group.

This example removes the testRole and viewer roles from the /admin-group.

admin_client.groups.oidc.revoke_roles(
    group_id="/admin-group", role_names=["testRole", "viewer"]
)

List roles assigned to an OIDC group

Retrieve a list of all roles that have been assigned to a specific OIDC group.

group_roles = oidc_admin_client.groups.oidc.get_assigned_roles(
    group_id="/admin-group", include_permissions=True
)
print(f"Roles assigned to '/admin-group': {list(group_roles.keys())}")

Example results:

Roles assigned to '/admin-group': ['testRole', 'viewer']

List all known OIDC groups

This example shows how to get a list of all OIDC groups that Weaviate is aware of. Weaviate learns about a group when a role is first assigned to it.

known_groups = admin_client.groups.oidc.get_known_group_names()
print(f"Known OIDC groups ({len(known_groups)}): {known_groups}")

Example results:

Known OIDC groups (3): ['/viewer-group', '/admin-group', '/my-test-group']

List groups assigned to a role

Retrieve a list of all groups that have been assigned a specific role.

This example shows which groups have the testRole assigned to them.

group_assignments = admin_client.roles.get_group_assignments(role_name="testRole")
print("Groups assigned to role 'testRole':")
# Each assignment carries the group ID and the group type (e.g. oidc)
for group in group_assignments:
    print(f" - Group ID: {group.group_id}, Type: {group.group_type}")

Example results:

Groups assigned to role 'testRole':
 - Group ID: /admin-group, Type: oidc
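
The calls on this page can be combined into a least-privilege audit that compares every known group's roles with a reviewed baseline and reports what to revoke or assign. This is an added example, not code from the Weaviate documentation. `DESIRED`, `FakeOidcGroups`, `plan_drift` and `apply_plan` are hypothetical names; the fake is a constructed in-memory stand-in for `admin_client.groups.oidc` so the block runs offline, and it assumes `get_assigned_roles` returns a mapping keyed by role name, as the listing example above suggests.

```python
DESIRED = {  # constructed baseline: the roles each OIDC group is supposed to hold
    "/admin-group": {"testRole", "viewer"},
    "/viewer-group": {"viewer"},
}


class FakeOidcGroups:
    """Constructed in-memory stand-in for admin_client.groups.oidc (assumption)."""

    def __init__(self, state):
        self.state = {g: set(r) for g, r in state.items()}

    def get_known_group_names(self):
        return list(self.state)

    def get_assigned_roles(self, group_id, include_permissions=False):
        return {name: None for name in self.state.get(group_id, set())}

    def assign_roles(self, group_id, role_names):
        self.state.setdefault(group_id, set()).update(role_names)

    def revoke_roles(self, group_id, role_names):
        self.state.get(group_id, set()).difference_update(role_names)


def plan_drift(oidc, desired):
    """Return {group: {"revoke": [...], "assign": [...]}} for groups off baseline."""
    plan = {}
    # Groups known to the server but absent from the baseline should hold no roles.
    for group in sorted(set(oidc.get_known_group_names()) | set(desired)):
        actual = set(oidc.get_assigned_roles(group_id=group, include_permissions=False))
        wanted = set(desired.get(group, ()))
        if actual != wanted:
            plan[group] = {"revoke": sorted(actual - wanted),
                           "assign": sorted(wanted - actual)}
    return plan


def apply_plan(oidc, plan):
    """Revoke excess roles before assigning missing ones."""
    for group, change in plan.items():
        if change["revoke"]:
            oidc.revoke_roles(group_id=group, role_names=change["revoke"])
        if change["assign"]:
            oidc.assign_roles(group_id=group, role_names=change["assign"])


if __name__ == "__main__":
    live = FakeOidcGroups({"/admin-group": {"testRole"}, "/my-test-group": {"testRole"}})
    print(plan_drift(live, DESIRED))
```

Against a live instance, pass `admin_client.groups.oidc` in place of the fake and review the plan before calling `apply_plan`.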
