RBAC
Fine-grained access control
Roles, folder-based ACLs, and encrypted secrets with OAuth, SAML, and SCIM. Every action is recorded in the audit log.
Access control across your platform
Windmill combines role-based permissions, folder-level ACLs, and encrypted secrets to control who can see, edit, and run every resource in your workspace.
Five built-in roles
Windmill provides five built-in roles that cover the full spectrum from platform administration to run-only access. No custom role configuration needed.
| Role | Scope | Description |
|---|---|---|
| Superadmin | Instance | Full access across all workspaces. Manages instance settings and global configuration. |
| Devops | Instance | Read access to all workspaces. Manages workers and service logs. |
| Admin | Workspace | Full control over workspace content, members, and settings. |
| Developer | Workspace | Creates and edits scripts, flows, and apps. Access scoped by folder permissions. |
| Operator | Workspace | Run-only access. Executes scripts and apps without viewing source code. |
Groups and folders
Organize users into groups and assign folder-level permissions: viewer, writer, or admin. Subfolders inherit parent permissions. SCIM-synced instance groups (Enterprise) automatically map identity provider groups to Windmill groups.
Path-based access control lists
Every script, flow, resource, variable, and schedule is identified by a unique path. Each path has an owner and explicit read/write permissions for users and groups. Items in user space (u/alice/my_script) are private by default. Items in folders (f/team/my_script) inherit the folder's group permissions.
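A simplified model of the path rules described above, added here as an illustration; it is not Windmill's code or API. The `Workspace` class, its fields, the ordering of levels, and the rule that the owner of a user-space path gets `admin` are assumptions made for this example.

```python
from dataclasses import dataclass, field

LEVELS = ["none", "viewer", "writer", "admin"]  # ordered weakest to strongest
NEEDED = {"read": "viewer", "write": "writer"}  # minimum level per action

@dataclass
class Workspace:  # hypothetical model, not a Windmill type
    groups: dict = field(default_factory=dict)       # user -> set of group names
    folders: dict = field(default_factory=dict)      # "team" or "team/sub" -> {principal: level}
    item_grants: dict = field(default_factory=dict)  # full item path -> {principal: level}

    def principals(self, user):
        # A user matches grants made to them directly or to any of their groups.
        return {f"u/{user}"} | {f"g/{g}" for g in self.groups.get(user, ())}

    def level(self, user, path):
        parts = path.split("/")
        if len(parts) < 3 or parts[0] not in ("u", "f") or "" in parts:
            raise ValueError(f"not a u/... or f/... item path: {path!r}")
        if parts[0] == "u" and parts[1] == user:
            return "admin"  # assumption: the user-space owner has full control
        who = self.principals(user)
        grants = [self.item_grants.get(path, {})]  # explicit per-item permissions
        if parts[0] == "f":
            # Walk f/team, f/team/sub, ... so subfolders inherit parent grants.
            for depth in range(2, len(parts)):
                grants.append(self.folders.get("/".join(parts[1:depth]), {}))
        best = 0  # default deny: no matching grant means "none"
        for table in grants:
            for principal, lvl in table.items():
                if principal in who:
                    best = max(best, LEVELS.index(lvl))
        return LEVELS[best]

    def allowed(self, user, path, action):
        return LEVELS.index(self.level(user, path)) >= LEVELS.index(NEEDED[action])

def demo_workspace():
    # Constructed sample data, not taken from any real workspace.
    return Workspace(
        groups={"bob": {"data"}, "carol": {"ops"}},
        folders={"team": {"g/data": "writer", "g/ops": "viewer"}},
        item_grants={"u/alice/my_script": {"u/bob": "viewer"}},
    )
```

In the sample data, `carol` cannot read `u/alice/my_script` because no grant names her or her group, while `bob` can read it only through the explicit per-item grant.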
Encrypted secrets
All secrets are encrypted at the workspace level. Values are injected at runtime only and never exposed in logs, UI, or API responses. Manual key rotation is available on Enterprise.
SSO and OAuth
Authenticate with Google, GitHub, Azure AD, Okta, GitLab, and any OpenID Connect provider. Configure multiple providers simultaneously. Users are auto-provisioned on first login.
SAML and SCIM (Enterprise)
SAML SSO for enterprise identity providers. SCIM provisioning automatically syncs users and groups from your identity provider to Windmill. No manual user management required.
Audit logs
Every action is recorded in the audit log: deployments, permission changes, resource modifications, logins, and job executions. Filter by user, action type, or time range. Windmill is SOC 2 Type II certified.