RBAC
The plugin supports granular role-based access control using claims from your identity provider. Roles can gate login, admin access, library access, and Live TV access.
When a user logs in, the plugin reads a configurable claim from the OIDC token or SAML assertion and extracts a list of roles. These roles are then compared against the configured rules.
Set the Role Claim field to the dot-separated path of the roles array in the token. Examples:
| Provider | Claim path |
|---|---|
| Keycloak (realm roles) | realm_access.roles |
| Keycloak (client roles) | resource_access.<clientId>.roles |
| Authelia | groups |
| authentik | groups |
| Pocket ID | groups |
If the claim path contains a literal dot (e.g., a key named my.claim), escape it with a backslash: my\.claim.
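The following is an added example, not code from the plugin, showing how a dot-separated Role Claim path is resolved against a decoded OIDC token, including the backslash escape for a key that contains a literal dot. The tokens are constructed here; the `jellyfin` client id in the Keycloak client-roles example stands in for the `<clientId>` placeholder and is an assumption.

```python
import json


def split_claim_path(path):
    """Split a dot-separated claim path into keys.

    A backslash-escaped dot (my\\.claim) is kept as a literal dot inside
    one key instead of acting as a path separator.
    """
    keys, current, i = [], [], 0
    while i < len(path):
        ch = path[i]
        if ch == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current.append(".")      # escaped dot: part of the key name
            i += 2
            continue
        if ch == ".":
            keys.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    keys.append("".join(current))
    return keys


def extract_roles(claims, claim_path):
    """Walk the decoded token along claim_path and return the roles found.

    Returns an empty list when any segment is missing, so a misconfigured
    path simply yields no roles rather than raising.
    """
    node = claims
    for key in split_claim_path(claim_path):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if isinstance(node, str):        # a single role as a bare string
        return [node]
    if isinstance(node, list):
        return [str(r) for r in node]
    return []


# Constructed sample tokens (already decoded; no signature handling here).
KEYCLOAK_TOKEN = json.loads("""
{
  "sub": "example-user",
  "realm_access": {"roles": ["admin", "movies-access"]},
  "resource_access": {"jellyfin": {"roles": ["premium"]}}
}
""")
GROUPS_TOKEN = {"sub": "example-user", "groups": ["kids-access"]}
ESCAPED_TOKEN = {"sub": "example-user", "my.claim": ["kids-access", "premium"]}

if __name__ == "__main__":
    print(extract_roles(KEYCLOAK_TOKEN, "realm_access.roles"))
    print(extract_roles(KEYCLOAK_TOKEN, "resource_access.jellyfin.roles"))
    print(extract_roles(GROUPS_TOKEN, "groups"))
    print(extract_roles(ESCAPED_TOKEN, "my\\.claim"))
```

The escape is handled at path-splitting time, so `my\.claim` is one key while `my.claim` would be looked up as `my` followed by `claim`; a wrong path returns no roles, which with a non-empty Roles list means the user cannot log in.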
For SAML, the plugin reads Role attributes from the SAML assertion. Ensure your identity provider is configured to include role attributes.
Set Roles (one per line) to restrict which users can log in through this provider. A user must have at least one of the listed roles.
Leave the field empty to allow all authenticated users to log in regardless of roles.
Set Admin Roles to a list of roles that grant Jellyfin administrator privileges. Users with any of these roles will have IsAdministrator = true set on login.
Be careful when assigning admin roles via SSO. If the only admin account is SSO-linked, a misconfiguration can lock you out. Always maintain a separate local admin account.
Check Enable All Folders to give users access to every Jellyfin library. This is the simplest option when you do not need per-library restrictions.
Uncheck Enable All Folders and select specific libraries in Enabled Folders. All users of this provider will have access to those libraries regardless of roles.
For per-role library access, check Enable Role-Based Folder Access and configure Folder Role Mapping.
Each mapping entry specifies:
- Role: the IdP role name
- Folders: one or more Jellyfin library IDs
Users receive access to all libraries mapped to any role they hold. Roles not listed in the mapping grant no additional library access.
Example mapping:
| Role | Libraries |
|---|---|
| movies-access | Movies library |
| kids-access | Kids Movies, Kids Shows |
| premium | Movies, Shows, 4K Movies |
Check Enable Live TV Access by Default to grant Live TV viewing to all users of this provider.
Check Enable Live TV Management by Default to grant Live TV management (schedule recordings, etc.) to all users.
Check Enable Live TV RBAC to control Live TV access by role:
- Live TV Roles: roles that grant viewing access
- Live TV Management Roles: roles that grant management access
The plugin reapplies permissions on every login when Enable Authorization by Plugin is checked. This means:
- Role changes in the IdP take effect on the user's next login
- Manual permission changes in Jellyfin will be overwritten on the next SSO login
- Managed permissions are persisted through Jellyfin's user policy path, the same mechanism used by the Jellyfin dashboard
If you want to manage permissions manually in Jellyfin, uncheck Enable Authorization by Plugin and set permissions through the Jellyfin admin UI instead.
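As an added example (not the plugin's own code), the policy the settings above produce for one login can be computed as follows. The configuration mirrors the example mapping table; library names are used in place of the library IDs the real setting takes, and the policy keys are chosen to resemble Jellyfin user-policy fields. Two behaviours are assumptions rather than statements from this page: Enabled Folders and role-mapped folders are combined as a union, and when Enable Live TV RBAC is checked the role lists decide instead of the default flags.

```python
from dataclasses import dataclass, field


@dataclass
class RbacConfig:
    # Field names mirror the settings described above (constructed).
    roles: list = field(default_factory=list)               # Roles: required to log in
    admin_roles: list = field(default_factory=list)         # Admin Roles
    enable_all_folders: bool = False
    enabled_folders: list = field(default_factory=list)     # Enabled Folders (for everyone)
    enable_role_based_folder_access: bool = False
    folder_role_mapping: dict = field(default_factory=dict)  # role -> [libraries]
    enable_live_tv_access_by_default: bool = False
    enable_live_tv_management_by_default: bool = False
    enable_live_tv_rbac: bool = False
    live_tv_roles: list = field(default_factory=list)
    live_tv_management_roles: list = field(default_factory=list)


def _has_any(user_roles, wanted):
    return bool(set(user_roles) & set(wanted))


def may_log_in(user_roles, cfg):
    # An empty Roles list admits every authenticated user.
    return not cfg.roles or _has_any(user_roles, cfg.roles)


def is_administrator(user_roles, cfg):
    return _has_any(user_roles, cfg.admin_roles)


def resolve_folders(user_roles, cfg, all_libraries):
    if cfg.enable_all_folders:
        return sorted(all_libraries)
    folders = set(cfg.enabled_folders)             # granted regardless of roles
    if cfg.enable_role_based_folder_access:
        for role in user_roles:                    # unmapped roles add nothing
            folders.update(cfg.folder_role_mapping.get(role, []))
    return sorted(folders)


def resolve_live_tv(user_roles, cfg):
    # Assumption: with Live TV RBAC on, the role lists replace the defaults.
    if cfg.enable_live_tv_rbac:
        return (_has_any(user_roles, cfg.live_tv_roles),
                _has_any(user_roles, cfg.live_tv_management_roles))
    return (cfg.enable_live_tv_access_by_default,
            cfg.enable_live_tv_management_by_default)


def build_policy(user_roles, cfg, all_libraries):
    """Policy reapplied on this login, or None when login is refused."""
    if not may_log_in(user_roles, cfg):
        return None
    live_tv, live_tv_mgmt = resolve_live_tv(user_roles, cfg)
    return {
        "IsAdministrator": is_administrator(user_roles, cfg),
        "EnabledFolders": resolve_folders(user_roles, cfg, all_libraries),
        "EnableLiveTvAccess": live_tv,
        "EnableLiveTvManagement": live_tv_mgmt,
    }


# Constructed configuration following the example mapping above.
ALL_LIBRARIES = ["4K Movies", "Kids Movies", "Kids Shows", "Movies", "Music", "Shows"]
EXAMPLE_CONFIG = RbacConfig(
    admin_roles=["jellyfin-admin"],
    enabled_folders=["Music"],
    enable_role_based_folder_access=True,
    folder_role_mapping={
        "movies-access": ["Movies"],
        "kids-access": ["Kids Movies", "Kids Shows"],
        "premium": ["Movies", "Shows", "4K Movies"],
    },
    enable_live_tv_rbac=True,
    live_tv_roles=["premium"],
    live_tv_management_roles=["jellyfin-admin"],
)
# Same settings but with Roles restricting login to one IdP role.
RESTRICTED_CONFIG = RbacConfig(roles=["jellyfin-user"], admin_roles=["jellyfin-admin"])

if __name__ == "__main__":
    print(build_policy(["kids-access"], EXAMPLE_CONFIG, ALL_LIBRARIES))
    print(build_policy(["premium", "jellyfin-admin"], EXAMPLE_CONFIG, ALL_LIBRARIES))
    print(build_policy(["kids-access"], RESTRICTED_CONFIG, ALL_LIBRARIES))
```

Because the result is recomputed from the IdP roles on each login, anything set by hand in the Jellyfin dashboard for an SSO user is replaced by this output the next time they sign in, which is exactly the behaviour the Enable Authorization by Plugin setting selects.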