Skip to content

User Management

Sairo has a built-in user system with two roles and granular per-bucket permissions for viewers.

When AUTH_MODE=s3, users log in with their own S3 access key and secret, and Sairo performs every storage operation using those credentials — not a shared server key. As a result, bucket visibility and permissions are governed entirely by your S3 provider’s IAM, not by Sairo’s role system:

  • Each user sees and can act on only the buckets their own keys are allowed to access. A user whose keys are scoped to two buckets sees exactly those two — the rest of the account is invisible to them, even via direct URL.
  • The admin/viewer roles and the per-bucket permission grants described below do not apply in this mode. Authorization is delegated to the provider (AWS IAM, MinIO policies, Ceph caps, etc.).
  • This makes Sairo safe to expose to a team whose access is already managed by IAM: you grant and revoke access at the provider, and Sairo reflects it automatically.

Use local auth mode (below) when you want Sairo itself to manage users and per-bucket access against a single set of storage credentials.

RoleCapabilities
AdminFull access to all buckets, user management, audit log, settings, endpoints
ViewerAccess controlled per-bucket by admin-assigned permissions

There is no concept of custom roles. All users are either admin or viewer.

On first startup, Sairo creates an admin account using the ADMIN_USER and ADMIN_PASS environment variables:

environment:
ADMIN_USER: "admin"
ADMIN_PASS: "change-me-immediately"

Change the default password after first login.

Admins create and delete users from the Admin Panel, accessible via the sidebar.

To create a user:

  1. Open the Admin Panel
  2. Click Add User
  3. Set a username, password (minimum 8 characters), and role (admin or viewer)
  4. Click Create

Viewers have no access to any bucket by default. An admin must explicitly grant access per bucket. Each bucket can be assigned one of three permission levels for each viewer:

PermissionWhat the viewer can do
No AccessBucket is hidden from the viewer entirely
ReadBrowse, search, download, and view objects
WriteEverything in Read plus upload, delete, move, copy, and rename objects

In the Users panel, each viewer row shows how many buckets they can access and a Manage access button. Click it to open the per-bucket editor, where each bucket has a No Access / Read / Write control that saves instantly. Use the filter box to find a bucket quickly, or Grant read to all / Revoke all for bulk changes. Admins implicitly have access to every bucket, so they have no per-bucket editor.

Each user row also shows an auth-source badgeLocal, SSO (OIDC), OAuth, or LDAP — so you can tell at a glance who signs in through your identity provider.

Users who sign in via OIDC, OAuth, or LDAP appear here automatically on first login, created as viewers with no bucket access. You grant their access the same way as any local viewer — with Manage access. (When OIDC group→role mapping is enabled, admin-group members instead arrive as admins.)

A username is bound to the auth source that created it: an SSO/OAuth/LDAP login cannot sign in as a username that already exists from a different source (for example, the local admin account), so an identity provider can’t be used to take over a local account.

All users (admin and viewer) can change their own password from the user menu. The password change requires entering the current password for verification.

Admins can delete any user except themselves from the Admin Panel. Deleting a user:

  • Immediately invalidates their active sessions
  • Removes all their per-bucket permissions
  • Does not delete any objects they uploaded