Open WebUI user roles determine whether a local account can reach the chat workspace, admin panel, and shared resources. Moving an account back to Pending is the least destructive way to stop a standard user from using the instance while keeping the account row available for review or later reactivation.

The role selector under Admin PanelUsers changes the account's system role. User can use the workspace according to RBAC permissions, Admin controls the system, and Pending is restricted until an administrator promotes it again.

Use this method for locally managed accounts or manual cleanup on a self-hosted instance. For SSO or SCIM managed users, disable access in the identity provider as the source of truth, then confirm Open WebUI reflects the user lifecycle state. If old sessions must be cut off immediately, use Redis backed token revocation and a short session lifetime.

Steps to disable an Open WebUI user:

  1. Sign in to Open WebUI with an administrator account and open Admin PanelUsers.
  2. Confirm the target account is a standard USER account.

    Keep at least one known administrator account active. Do not demote the only administrator or the account currently needed for recovery.

  3. Click the user's role badge to open Edit User.
  4. Set Role to Pending and click Save.

    Use Delete User only when the account record should be removed. Pending disables workspace access without deleting the user row.

  5. Confirm the users table shows the account with the PENDING role.
  6. Sign in as the disabled user from a logged-out browser session and confirm the activation-pending screen appears instead of the workspace.
  7. Return to the administrator session and confirm Admin PanelUsers still opens.

    Existing sessions may remain usable until their token is revoked or expires on deployments without Redis token revocation. Keep JWT_EXPIRES_IN short when immediate offboarding matters.