Manage roles

Added in v1.29

Role-based access control (RBAC) is generally available in Weaviate from version v1.29.

In Weaviate, Role-based access control (RBAC) allows you to define roles and assign permissions to those roles. Users can then be assigned to roles and inherit the permissions associated with those roles.

On this page, you will find examples of how to manage roles and permissions with Weaviate client libraries.

Follow these general steps to configure RBAC:

1. Step 1. Connect to Weaviate with a user possessing

   role management permissions

   .

2. Step 2. Grant permissions to a

   new role

   or an

   existing role

   .

3. Step 3.

   Assign the role to a user

   .

Requirements for managing roles

Role management requires appropriate role resource permissions that can be obtained through:

• A predefined root role when configuring RBAC.
• A role with Role Management permissions granted.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("root-user-key"),
)

import weaviate, { WeaviateClient } from 'weaviate-client'

// Connect to Weaviate as root user
const client: WeaviateClient = await weaviate.connectToLocal({
    authCredentials: new weaviate.ApiKey("user-a-key")
})

cfg := weaviate.Config{
  Host:       "localhost:8580",
  Scheme:     "http",
  AuthConfig: auth.ApiKey{Value: "root-user-key"},
}

// Connect to Weaviate as root user
client, err := weaviate.NewClient(cfg)

String scheme = "http";
String host = "localhost";
String port = "8580"; // Custom port for RBAC testing

Config config = new Config(scheme, host + ":" + port);

client = WeaviateAuthClient.apiKey(config, "root-user-key");

Role management

Create new roles with permissions

Permissions for these resource types can be assigned to roles:

1. Role Management

2. User Management

3. Collections (collection definitions only, data object permissions are separate)

4. Tenants

5. Data Objects

6. Backup

7. Cluster Data Access

8. Node Data Access

9. Collection alias

10. Replications

11. Groups

Create a role with Role Management permissions

This example creates a role called testRole with permissions to:

• Create, read, update and delete all roles starting with testRole*.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions, RoleScope

permissions = [
    Permissions.roles(
        role="testRole*",  # Applies to all roles starting with "testRole"
        scope=RoleScope.MATCH,  # Only allow role management with the current user's permission level
        # scope=RoleScope.ALL   # Allow role management with all permissions
        create=True,  # Allow creating roles
        read=True,  # Allow reading roles
        update=True,  # Allow updating roles
        delete=True,  # Allow deleting roles
    )
]

client.roles.create(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const rolePermission = permissions.roles({
    role: "testRole",
    create: true,
    read: true,
    update: true,
    delete: true,
})

await client.roles.create("testRole", rolePermission)

permissions := []rbac.Permission{
  rbac.RolesPermission{
  	Role:  "testRole*", // Applies to all roles starting with "testRole"
  	Scope: "match",     // Only allow role management with the current user's permission level, can also be "all"
  	// Scope: rbac.RoleScopeAll, // Allow role management with all permissions
  	Actions: []string{
  		models.PermissionActionCreateRoles, // Allow creating roles
  		models.PermissionActionReadRoles,   // Allow reading roles
  		models.PermissionActionUpdateRoles, // Allow updating roles
  		models.PermissionActionDeleteRoles, // Allow deleting roles
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.roles(
        "testRole*", // Applies to all roles starting with "testRole"
        RolesPermission.Action.CREATE, // Allow creating roles
        RolesPermission.Action.READ, // Allow reading roles
        RolesPermission.Action.UPDATE, // Allow updating roles
        RolesPermission.Action.DELETE // Allow deleting roles
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with User Management permissions

This example creates a role called testRole with permissions to:

• Create, read, update and delete all users starting with testUser*.
• Assign and revoke roles to and from users starting with testUser*.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.users(
        user="testUser*",  # Applies to all users starting with "testUser"
        create=True,  # Allow creating users
        read=True,  # Allow reading user info
        update=True,  # Allow rotating user API key
        delete=True,  # Allow deleting users
        assign_and_revoke=True,  # Allow assigning and revoking roles to and from users
    )
]

client.roles.create(role_name="testRole", permissions=permissions)

const userPermission = permissions.users({
    user: "testRole",  // Applies to all users starting with "testUser"
    assignAndRevoke: true,  // Allow assigning and revoking roles to and from users
    read: true,  // Allow reading user info
})

await client.roles.create("testRole", userPermission)

permissions := []rbac.Permission{
  rbac.UsersPermission{
  	Actions: []string{
  		models.PermissionActionCreateUsers,          // Allow creating users
  		models.PermissionActionReadUsers,            // Allow reading user info
  		models.PermissionActionUpdateUsers,          // Allow rotating user API key
  		models.PermissionActionDeleteUsers,          // Allow deleting users
  		models.PermissionActionAssignAndRevokeUsers, // Allow assigning and revoking roles to and from users
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.users(
        UsersPermission.Action.CREATE, // Allow creating users
        UsersPermission.Action.READ, // Allow reading user info
        UsersPermission.Action.UPDATE, // Allow rotating user API key
        UsersPermission.Action.DELETE, // Allow deleting users
        UsersPermission.Action.ASSIGN_AND_REVOKE // Allow assigning and revoking roles
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Collections permissions

This example creates a role called testRole with permissions to:

• Create, read, update and delete all collections starting with TargetCollection.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.collections(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        create_collection=True,  # Allow creating new collections
        read_config=True,  # Allow reading collection info/metadata
        update_config=True,  # Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
        delete_collection=True,  # Allow deleting collections
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const collectionPermissions = [
    permissions.collections({
        collection: "TargetCollection*",  // Applies to all collections starting with "TargetCollection"
        create_collection: true,  // Allow creating new collections
        read_config: true,  // Allow reading collection info/metadata
        update_config: true,  // Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
        delete_collection: true,  // Allow deleting collections
    }),
]

await client.roles.create("testRole", collectionPermissions)

permissions := []rbac.Permission{
  rbac.CollectionsPermission{
  	Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
  	Actions: []string{
  		models.PermissionActionCreateCollections, // Allow creating new collections
  		models.PermissionActionReadCollections,   // Allow reading collection info/metadata
  		models.PermissionActionUpdateCollections, // Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
  		models.PermissionActionDeleteCollections, // Allow deleting collections
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.collections(
        "TargetCollection*", // Applies to all collections starting with "TargetCollection"
        CollectionsPermission.Action.CREATE, // Allow creating new collections
        CollectionsPermission.Action.READ, // Allow reading collection info/metadata
        CollectionsPermission.Action.UPDATE, // Allow updating collection configuration
        CollectionsPermission.Action.DELETE // Allow deleting collections
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Tenant permissions

This example creates a role called testRole with permissions to:

• Create and delete tenants starting with TargetTenant in collections starting with TargetCollection.
• Read metadata (like tenant names and status) for tenants starting with TargetTenant in collections starting with TargetCollection.
• Update the status of tenants starting with TargetTenant in collections starting with TargetCollection.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.tenants(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        tenant="TargetTenant*",  # Applies to all tenants starting with "TargetTenant"
        create=True,  # Allow creating new tenants
        read=True,  # Allow reading tenant info/metadata
        update=True,  # Allow updating tenant states
        delete=True,  # Allow deleting tenants
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const AddTenantPermissions = [
    permissions.tenants({
        collection: "TargetCollection*",  // Applies to all collections starting with "TargetCollection"
        tenant: "TargetTenant*",  // Applies to all tenants starting with "TargetTenant"
        create: true,  // Allow creating new tenants
        read: true,  // Allow reading tenant info/metadata
        update: true,  // Allow updating tenant states
        delete: true,  // Allow deleting tenants
    }),
]

await client.roles.create("testRole", AddTenantPermissions)

permissions := []rbac.Permission{
  rbac.TenantsPermission{
  	Actions: []string{
  		models.PermissionActionCreateTenants, // Allow creating new tenants
  		models.PermissionActionReadTenants,   // Allow reading tenant info/metadata
  		models.PermissionActionUpdateTenants, // Allow updating tenant states
  		models.PermissionActionDeleteTenants, // Allow deleting tenants
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.tenants(
        TenantsPermission.Action.CREATE, // Allow creating new tenants
        TenantsPermission.Action.READ, // Allow reading tenant info/metadata
        TenantsPermission.Action.UPDATE, // Allow updating tenant states
        TenantsPermission.Action.DELETE // Allow deleting tenants
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Data Objects permissions

This example creates a role called testRole with permissions to:

• Create, read, update and delete data from collections starting with TargetCollection.
• If multi-tenancy is enabled and the tenant filter is set, the permission only applies to tenants starting with TargetTenant.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.data(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        tenant="TargetTenant*",  # Applies to all tenants starting with "TargetTenant"
        create=True,  # Allow data inserts
        read=True,  # Allow query and fetch operations
        update=True,  # Allow data updates
        delete=False,  # Allow data deletes
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const dataPermissions = [
    permissions.data({
        collection: "TargetCollection*",  // Applies to all collections starting with "TargetCollection"
        tenant: "TargetTenant*",  // Applies to all tenants starting with "TargetTenant"
        create: true,  // Allow data inserts
        read: true,  // Allow query and fetch operations
        update: true,  // Allow data updates
        delete: false,  // Allow data deletes
    }),
]

await client.roles.create("testRole", dataPermissions)

permissions := []rbac.Permission{
  rbac.DataPermission{
  	Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
  	Actions: []string{
  		models.PermissionActionCreateData, // Allow data inserts
  		models.PermissionActionReadData,   // Allow query and fetch operations
  		models.PermissionActionUpdateData, // Allow data updates
  		// models.PermissionActionDeleteData, // Allow data deletes - set to false by not including
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.data(
        "TargetCollection*", // Applies to all collections starting with "TargetCollection"
        DataPermission.Action.CREATE, // Allow data inserts
        DataPermission.Action.READ, // Allow query and fetch operations
        DataPermission.Action.UPDATE // Allow data updates
    // Note: DELETE is not included, similar to Python example
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Backups permissions

This example creates a role called testRole with permissions to:

• Manage backups for collections starting with TargetCollection.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.backup(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        manage=True,  # Allow managing backups
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const backupsPermissions = [
    permissions.backup({
        collection: "TargetCollection*",  // Applies to all collections starting with "TargetCollection"
        manage: true,  // Allow managing backups
    }),
]

await client.roles.create("testRole", backupsPermissions)

permissions := []rbac.Permission{
  rbac.BackupsPermission{
  	Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
  	Actions: []string{
  		models.PermissionActionManageBackups, // Allow managing backups
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.backups(
        "TargetCollection*", // Applies to all collections starting with "TargetCollection"
        BackupsPermission.Action.MANAGE // Allow managing backups
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Cluster Data Access permissions

This example creates a role called testRole with permissions to:

• Read cluster metadata.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.cluster(read=True),  # Allow reading cluster data
]

client.roles.create(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const clusterPermissions = [
    permissions.cluster({
        read: true // Allow reading cluster data
    }),
]

await client.roles.create("testRole", clusterPermissions)

permissions := []rbac.Permission{
  rbac.ClusterPermission{
  	Actions: []string{
  		models.PermissionActionReadCluster, // Allow reading cluster data
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.cluster(ClusterPermission.Action.READ) // Allow reading cluster data
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Node Data Access permissions

This example creates a role called testRole with permissions to:

• Read node metadata at the specified verbosity level for collections starting with TargetCollection.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

verbose_permissions = [
    Permissions.Nodes.verbose(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        read=True,  # Allow reading node metadata
    ),
]

# The `minimal` verbosity level applies to all collections unlike
# the `verbose` level where you specify the collection name filter
minimal_permissions = [
    Permissions.Nodes.minimal(
        read=True,  # Allow reading node metadata
    ),
]

client.roles.create(
    role_name="testRole", permissions=verbose_permissions
)  # or `minimal_permissions`

const { permissions } = weaviate

const verboseNodePermissions = [
    permissions.nodes.verbose({
        collection: "TargetCollection*",  // Applies to all collections starting with "TargetCollection"
        read: true,  // Allow reading node metadata
    }),
]

// The `minimal` verbosity level applies to all collections unlike
// the `verbose` level where you specify the collection name filter
const minimalNodePermissions = [
    permissions.nodes.minimal({
        read: true,  // Allow reading node metadata
    }),
]

await client.roles.create("testRole", verboseNodePermissions)  // or `minimalNodePermissions`

verbosePermissions := []rbac.Permission{
  rbac.NodesPermission{
  	Verbosity:  "verbose",
  	Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
  	Actions: []string{
  		models.PermissionActionReadNodes, // Allow reading node metadata
  	},
  },
}

// The `minimal` verbosity level applies to all collections unlike
// the `verbose` level where you specify the collection name filter
err = client.Roles().Creator().WithRole(
  rbac.NewRole("testRole", verbosePermissions...),
).Do(ctx)

// Verbose permissions - applies to specific collections
Permission<?>[] verbosePermissions = new Permission<?>[] {
    Permission.nodes(
        "TargetCollection*", // Applies to all collections starting with "TargetCollection"
        NodesPermission.Action.READ // Allow reading node metadata
    )
};

// Minimal permissions - applies to all collections
Permission<?>[] minimalPermissions = new Permission<?>[] {
    Permission.nodes(
        "*", // Applies to all collections
        NodesPermission.Action.READ // Allow reading node metadata
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(verbosePermissions) // or minimalPermissions
    .run();

Create a role with Collection Alias permissions

This example creates a role called testRole with permissions to:

• Create, read, update and delete collection aliases starting with TargetAlias.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.alias(
        alias="TargetAlias*",  # Applies to all aliases starting with "TargetAlias"
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        create=True,  # Allow alias creation
        read=True,  # Allow listing aliases
        update=True,  # Allow updating aliases
        delete=False,  # Allow deleting aliases
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

const aliasPermissions = [
    permissions.aliases({
        alias: "TargetAlias*",  // Applies to all aliases starting with "TargetAlias"
        collection: "TargetCollection*",  // Applies to all collections starting with "TargetCollection"
        create: true,  // Allow alias creation
        read: true,  // Allow listing aliases
        update: true,  // Allow updating aliases
        delete: false,  // Allow deleting aliases
    }),
]

await client.roles.create("testRole", aliasPermissions)

permissions := []rbac.Permission{
  rbac.AliasPermission{
  	Alias:      "TargetAlias*",      // Applies to all aliases starting with "TargetAlias"
  	Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
  	Actions: []string{
  		models.PermissionActionCreateAliases, // Allow alias creation
  		models.PermissionActionReadAliases,   // Allow listing aliases
  		models.PermissionActionUpdateAliases, // Allow updating aliases
  		// models.PermissionActionDeleteAliases, // Allow deleting aliases - set to false by not including
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.alias(
        "TargetAlias*", // Applies to all aliases starting with "TargetAlias"
        "TargetCollection*", // Applies to all collections starting with "TargetCollection"
        AliasPermission.Action.CREATE, // Allow alias creation
        AliasPermission.Action.READ, // Allow listing aliases
        AliasPermission.Action.UPDATE // Allow updating aliases
    // Note: DELETE is not included, similar to Python example
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Replications permissions

This example creates a role called testRole with permissions to:

• Create, read, update and delete replica movement operations for collections starting with TargetCollection and shards starting with TargetShard.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.replicate(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        shard="TargetShard*",  # Applies to all shards starting with "TargetShard"
        create=True,  # Allow replica movement operations
        read=True,  # Allow retrieving replication status
        update=True,  # Allow cancelling replication operations
        delete=False,  # Allow deleting replication operations
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

// TS/JS support coming soon

permissions := []rbac.Permission{
  rbac.ReplicatePermission{
  	Collection: "TargetCollection*", // Applies to all collections starting with "TargetCollection"
  	Shard:      "TargetShard*",      // Applies to all shards starting with "TargetShard"
  	Actions: []string{
  		models.PermissionActionCreateReplicate, // Allow replica movement operations
  		models.PermissionActionReadReplicate,   // Allow retrieving replication status
  		models.PermissionActionUpdateReplicate, // Allow cancelling replication operations
  		// models.PermissionActionDeleteReplicate, // Allow deleting replication operations - set to false by not including
  	},
  },
}

err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.replicate(
        "TargetCollection*", // Applies to all collections starting with "TargetCollection"
        "TargetShard*", // Applies to all shards starting with "TargetShard"
        ReplicatePermission.Action.CREATE, // Allow replica movement operations
        ReplicatePermission.Action.READ, // Allow retrieving replication status
        ReplicatePermission.Action.UPDATE // Allow cancelling replication operations
    // Note: DELETE is not included, similar to Python example
    )
};

Result<Boolean> createResult = client.roles().creator()
    .withName("testRole")
    .withPermissions(permissions)
    .run();

Create a role with Groups permissions

This example creates a role called testRole with permissions to:

• Read information about and assign/revoke group membership for OIDC groups starting with TargetGroup.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.Groups.oidc(
        group="TargetGroup*",  # Applies to all groups starting with "TargetGroup"
        read=True,  # Allow reading group information
        assign_and_revoke=True,  # Allow assigning and revoking group memberships
    ),
]

client.roles.create(role_name="testRole", permissions=permissions)

// TS/JS support coming soon

//  Coming soon
//   permissions := []rbac.Permission{
//   	rbac.GroupsPermission{
//   		Group: "TargetGroup*", // Applies to all groups starting with "TargetGroup"
//   		Actions: []string{
//   			models.PermissionActionReadGroups,            // Allow reading group information
//   			models.PermissionActionAssignAndRevokeGroups, // Allow assigning and revoking group memberships
//   		},
//   	},
//   }

//   err = client.Roles().Creator().WithRole(rbac.NewRole("testRole", permissions...)).Do(ctx)

  // Permission<?>[] permissions = new Permission<?>[] {
  // Permission.groups(
  // "TargetGroup*", // Applies to all groups starting with "TargetGroup"
  // "oidc", // Group type (OIDC)
  // GroupsPermission.Action.READ, // Allow reading group information
  // GroupsPermission.Action.ASSIGN_AND_REVOKE // Allow assigning and revoking
  // group memberships
  // )
  // };

  // Result<Boolean> createResult = client.roles().creator()
  // .withName("testRole")
  // .withPermissions(permissions)
  // .run();

Grant additional permissions

Additional permissions can be granted to a role at any time. The role must already exist.

This example grants additional permissions to the role testRole to:

• Create new data in collections that start with TargetCollection

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.data(collection="TargetCollection*", create=True),
]

client.roles.add_permissions(permissions=permissions, role_name="testRole")

const { permissions } = weaviate

const additionalDataPermissions = [
    permissions.data({
        collection: "TargetCollection*",
        read: true,
        create: true
    }),
    permissions.data({
        collection: "TargetCollection*",
        read: true,
        create: false
    }),
]

client.roles.addPermissions("testRole", additionalDataPermissions)

permissions := []rbac.Permission{
  rbac.DataPermission{
  	Collection: "TargetCollection*",
  	Actions: []string{
  		models.PermissionActionCreateData,
  	},
  },
}

err = client.Roles().PermissionAdder().
  WithRole("testRole").
  WithPermissions(permissions...).
  Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.data("TargetCollection*", DataPermission.Action.CREATE)
};

Result<?> addResult = client.roles().permissionAdder()
    .withRole("testRole")
    .withPermissions(permissions)
    .run();

Remove permissions from a role

Permissions can be revoked from a role at any time. Removing all permissions from a role will delete the role itself.

This example removes the following permissions from the role testRole:

• Read the data from collections that start with TargetCollection
• Create and delete collections that start with TargetCollection

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.collections(
        collection="TargetCollection*",
        read_config=True,
        create_collection=True,
        delete_collection=True,
    ),
    Permissions.data(collection="TargetCollection*", read=True, create=False),
]

client.roles.remove_permissions(role_name="testRole", permissions=permissions)

const { permissions } = weaviate

const permissionsToRemove = [
    permissions.collections({
        collection: "TargetCollection*",
        read_config: true,
        create_collection: true,
        delete_collection: true,
    }),
    permissions.data({
        collection: "TargetCollection*",
        read: true,
        create: false
    }),
]

await client.roles.removePermissions("testRole", permissionsToRemove)

permissions = []rbac.Permission{
  rbac.CollectionsPermission{
  	Collection: "TargetCollection*",
  	Actions: []string{
  		models.PermissionActionReadCollections,
  		models.PermissionActionCreateCollections,
  		models.PermissionActionDeleteCollections,
  	},
  },
  rbac.DataPermission{
  	Collection: "TargetCollection*",
  	Actions: []string{
  		models.PermissionActionReadData,
  		// models.PermissionActionCreateData, // create=False
  	},
  },
}

err = client.Roles().PermissionRemover().
  WithRole("testRole").
  WithPermissions(permissions...).
  Do(ctx)

Permission<?>[] permissions = new Permission<?>[] {
    Permission.collections("TargetCollection*",
        CollectionsPermission.Action.READ,
        CollectionsPermission.Action.CREATE,
        CollectionsPermission.Action.DELETE),
    Permission.data("TargetCollection*",
        DataPermission.Action.READ)
    // Note: CREATE is not removed, similar to Python example
};

Result<?> removeResult = client.roles().permissionRemover()
    .withRole("testRole")
    .withPermissions(permissions)
    .run();

Check if a role exists

Check if the role testRole exists:

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

print(client.roles.exists(role_name="testRole"))  # Returns True or False

console.log(await client.roles.exists("testRole"))  // Returns true or false

exists, err := client.Roles().Exists().WithName("testRole").Do(ctx)
fmt.Println(exists) // Returns true or false

Result<Boolean> exists = client.roles().exists()
    .withName("testRole")
    .run();
System.out.println(exists.getResult()); // Returns true or false

Inspect a role

View the permissions assigned to a role.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

test_role = client.roles.get(role_name="testRole")

print(test_role)
print(test_role.collections_permissions)
print(test_role.data_permissions)

const testRole = await client.roles.byName("testRole")

console.log(testRole)
console.log(testRole?.collectionsPermissions)
console.log(testRole?.dataPermissions)

testRole, err := client.Roles().Getter().WithName("testRole").Do(ctx)

fmt.Println(testRole)
fmt.Println(testRole.Collections)
fmt.Println(testRole.Data)

Result<Role> roleResult = client.roles().getter()
    .withName("testRole")
    .run();
Role testRole = roleResult.getResult();

System.out.println(testRole);
System.out.println(testRole.getName());
System.out.println(testRole.getPermissions());

List all roles

View all roles in the system and their permissions.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

all_roles = client.roles.list_all()

for role_name, role in all_roles.items():
    print(role_name, role)

const allRoles = await client.roles.listAll()

for (const [key, value] of Object.entries(allRoles)) {
    console.log(key)
}

allRoles, err := client.Roles().AllGetter().Do(ctx)

for _, role := range allRoles {
  fmt.Println(role.Name, role)
}

Result<List<Role>> rolesResult = client.roles().allGetter().run();
List<Role> allRoles = rolesResult.getResult();

for (Role role : allRoles) {
  System.out.println(role.getName() + ": " + role.getPermissions());
}

List users with a role

List all users who have the role testRole.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

assigned_users = client.roles.get_user_assignments(role_name="testRole")

for user in assigned_users:
    print(user)

const assignedUsers = await client.roles.userAssignments("testRole")

for (const users of assignedUsers) {
    console.log(users)
}

assignedUsers, err := client.Roles().UserAssignmentGetter().
  WithRole("testRole").
  Do(ctx)

for _, user := range assignedUsers {
  fmt.Println(user)
}

Result<List<UserAssignment>> assignmentsResult = client.roles()
    .userAssignmentsGetter()
    .withRole("testRole")
    .run();
List<UserAssignment> assignedUsers = assignmentsResult.getResult();

for (UserAssignment user : assignedUsers) {
  System.out.println(user.getUserId() + " - " + user.getUserType());
}

Delete a role

Deleting a role will remove it from the system, and revoke the associated permissions from all users who had this role.

PythonJavaScript/TypeScriptGoJava

  API docs

More infoCode snippets in the documentation reflect the latest client library and Weaviate Database version. Check the Release notes for specific versions.

If a snippet doesn't work or you have feedback, please open a GitHub issue.

client.roles.delete(role_name="testRole")

await client.roles.delete("testRole")

err = client.Roles().Deleter().WithName("testRole").Do(ctx)

client.roles().deleter()
    .withName("testRole")
    .run();

User management

Visit the Manage users page to learn more about assigning roles to users as well as creating, updating and deleting users.

Further resources

• RBAC: Overview
• RBAC: Configuration
• RBAC: Manage users

Questions and feedback

If you have any questions or feedback, let us know in the user forum.

Technical questions

If you have questions feel free to post on our Community forum.

Documentation feedback

Leave feedback by opening a GitHub issue.