Open WebUI: How to Configure RBAC Permissions for Models and MCP Servers

Transcript

0:01

Hey guys, I haven't recorded in a little

0:03

bit, so I wanted to put out a quick

0:05

video this time on Open WebUI

0:07

permissions for both models and also MCP

0:10

servers. So if you are running this type

0:13

of platform in a semi-production

0:15

environment, you want to make sure that

0:17

you have proper RBAC permissions and

0:20

restrictions and guardrails, so on and so

0:21

forth set up so that you can block

0:24

unauthorized users from certain

0:26

capabilities. So, as you can see here, I

0:28

have test user one set up. Nothing

0:32

really configured yet. We're going to go

0:34

through that here. So, no model set up,

0:37

no MCP set up, and I'm going to show you

0:39

how to do that. So, if I jump back over

0:41

here, this is my admin login. I went to

0:45

admin settings and then models. You can

0:48

see here, this is just one example. If

0:50

you go over to access, you see it's set

0:52

up as private. You can also make it

0:54

public which makes it available to

0:56

everyone within the Open WebUI

0:58

deployment or you can also granularly

1:01

add permissions per user as I'm going to

1:04

do here. So I will add that one and then

1:06

I will also jump over to my external

1:09

tools, a lot of which are MCP servers.

1:12

You can see I have quite a few here. I'm

1:14

going to go into this test GroupMe one

1:16

just to demonstrate what this looks

1:18

like. This is a custom GroupMe backend

1:21

that I have running in my Kubernetes

1:22

cluster. And you can see that the

1:24

authorization has to be passed per MCP

1:28

implementation. So once you import this

1:30

configuration, you do also have to pass

1:33

in the specific access token. So the way

1:35

this could work depending on how you

1:37

want to set it up, you run this backend

1:39

and it accepts any connection from

1:42

anyone using this tool, but the

1:44

authorization happens here. So you need

1:47

to actually provide this token per user.

1:49

So then the way this works is I come

1:52

here, I say add access, test user one. I

1:54

grant that, save it. I come back in

1:56

here, do a quick refresh, and then

1:59

you'll see in here that I should have

2:01

access to both this model that I

2:03

configured as well as the MCP tool. Of

2:07

course, it's not going to work because,

2:08

as you saw, it's just a blank tool at

2:10

this point. I didn't put any

2:12

configuration into it. But you could set

2:14

this up per user to have specific MCP

2:17

tools with that specific authentication

2:19

per user configured purely through Open

2:22

WebUI. So I hope this is helpful for

2:25

others that are building out MCP

2:27

implementations. Uh, of course, if you

2:29

write it yourself, you do have that

2:31

flexibility of passing the auth in that

2:34

way. There are some other ways to do it

2:35

with MCP proxies. I'll probably make a

2:37

future video on that. But at least you

2:39

can see one way to secure and safeguard

2:42

your implementation of Open WebUI. Hope

2:45

it's helpful.

Interactive Summary

This video explains how to configure Open WebUI permissions for both models and MCP servers to enhance security in semi-production environments. It demonstrates how to set up role-based access control by adding specific users to models and external tools (MCP servers), ensuring that only authorized users can access certain capabilities. The tutorial covers setting models to private and granularly adding user permissions, as well as configuring authorization for MCP servers by passing specific access tokens per user. This method allows for secure and safeguarded implementations of Open WebUI.
