OpenWebUI for Administrators: Multi-User Access, Permissions, and Conversation Controls
If you've deployed Island Mountain hardware, you need a clean way to manage who accesses the AI models, what they can do with them, and how to maintain records for compliance. OpenWebUI is the standard open-source interface for running multiple language models locally. It handles user permissions, conversation history, and usage logging without sending anything to a cloud platform.
This guide covers the essential admin tasks: initial setup, user account management, role-based access to models, conversation history and retention, and network configuration for teams. We're assuming you've already deployed the hardware and have Ubuntu Server LTS running.
Initial Setup and Admin Login
OpenWebUI runs in Docker on your local network. After deploying the container through our deployment automation, the first user created becomes the admin. You'll access it at http://ai.yourfirm.local:8080 or http://192.168.x.x:8080 depending on your network configuration.
On first login you set an admin password. This is a critical security boundary. Use a strong password (20-plus characters, mixed case, numbers, symbols) and store it in your password manager. Bitwarden, 1Password, or your firm's existing vault all work. This password controls access to user management, model configuration, and conversation history exports.
From the admin panel in the top-right menu, navigate to Settings and configure three things immediately. Disable public registration so you control who gets accounts. Confirm authentication is required for all access. Set your conversation retention window, which we'll cover in detail below.
Creating User Accounts and Role Assignment
OpenWebUI separates users into three roles: Admin, User, and Moderator. For most organizations you'll only use Admin and User. Admins see the admin panel and can modify settings. Users access models and create conversations but can't touch global configuration.
To create a user account, go to Admin Settings, then User Management, then Add User. Set the username, typically firstname.lastname or email, then set a password and role. You can make the password temporary and let users reset it on first login if you enable that option.
A law firm might think in terms of Attorney, Paralegal, and Staff roles. OpenWebUI doesn't enforce role-based permissions at the model level natively, but we'll address that below. Start by creating accounts for your team, then work on restricting model access.
Model Access Control by Role
Here's where it gets specific to your workflow. Say you've deployed DeepSeek V4-Flash quantized, Llama 3.1 70B, and Mixtral 8x22B. In a law firm you might structure access like this: attorneys and senior paralegals get all models including V4-Flash for fast draft analysis; junior paralegals get Llama 70B and Mixtral but not V4-Flash; administrative staff get Llama 70B for document summarization only.
OpenWebUI handles this through the Models section in Admin Settings. Each model carries an Allow list where you restrict which users can access it. Currently OpenWebUI doesn't have built-in group management, so you're managing access per user. For a 50-person organization that means individual management.
A practical workaround: maintain a simple spreadsheet tracking which users should access which models, then batch-update OpenWebUI settings monthly. It's more manual than enterprise IAM, but it works reliably for organizations under 200 users and requires no additional software.
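The monthly spreadsheet review described above can be checked mechanically. This is an added example, not OpenWebUI code or part of the original guide: it derives the expected allow list for each model from a username/role roster and compares it with the lists currently set on the Models page. The model ids, usernames, role names and the hand-copied CURRENT dictionary are constructed placeholders, and no OpenWebUI API is assumed.

```python
import csv
import io

# Role policy from the law-firm example above; model ids are placeholders.
POLICY = {
    "attorney":         {"deepseek-v4-flash", "llama-3.1-70b", "mixtral-8x22b"},
    "senior_paralegal": {"deepseek-v4-flash", "llama-3.1-70b", "mixtral-8x22b"},
    "junior_paralegal": {"llama-3.1-70b", "mixtral-8x22b"},
    "staff":            {"llama-3.1-70b"},
}

def expected_allow_lists(roster_csv: str) -> dict[str, set[str]]:
    """Turn the tracking spreadsheet (username,role) into model -> allowed users."""
    allow = {m: set() for models in POLICY.values() for m in models}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        role = row["role"].strip()
        if role not in POLICY:
            # Fail closed: an unrecognised role gets no access until someone decides.
            raise ValueError(f"{row['username']}: unknown role {role!r}")
        for model in POLICY[role]:
            allow[model].add(row["username"].strip())
    return allow

def drift(expected, current):
    """Compare with allow lists copied from the Models page; return (revoke, grant)."""
    revoke, grant = [], []
    for model in sorted(set(expected) | set(current)):
        want, have = expected.get(model, set()), current.get(model, set())
        revoke += [(u, model) for u in sorted(have - want)]
        grant += [(u, model) for u in sorted(want - have)]
    return revoke, grant

# Constructed sample data for the example.
ROSTER = """username,role
ana.ruiz,attorney
ben.cho,junior_paralegal
dee.park,staff
"""
CURRENT = {
    "deepseek-v4-flash": {"ana.ruiz", "ben.cho"},          # ben.cho is over-permitted
    "llama-3.1-70b": {"ana.ruiz", "ben.cho", "old.temp"},  # stale account, dee.park missing
    "mixtral-8x22b": {"ana.ruiz", "ben.cho"},
}

if __name__ == "__main__":
    revoke, grant = drift(expected_allow_lists(ROSTER), CURRENT)
    for user, model in revoke:
        print(f"REVOKE {user} from {model}")
    for user, model in grant:
        print(f"GRANT  {user} on {model}")
```

Work through the REVOKE lines first: they are the accounts holding access the roster no longer justifies.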
Conversation History, Retention, and Compliance
OpenWebUI stores all conversations locally on your server. That's the major compliance advantage: your conversation data never leaves your network. It's also a responsibility. You need to manage retention, backup, and access deliberately.
All conversation data lives in a SQLite database on your server, typically at /root/ollama/web/conversations.db depending on your deployment. It's local to your server, not cloud storage.
As admin you have full visibility. The Conversations tab in Admin Settings lets you see all conversations across all users, search by date or content, and export them. If you're subject to discovery requests in litigation or a regulatory audit, you have complete access to all model interactions.
Set a retention window. Most organizations delete conversations older than 12 months automatically. Go to Admin Settings, then System, then Conversation Retention, and set the number of days. Common settings: 365 days for law firms to maintain litigation hold capability, 90 days for IT support teams, 180 days for medical practices.
You can also export conversations as JSON for archival. The export includes timestamps, model used, user, and full conversation text. Useful for migrations, full backups, or moving to a different system.
For HIPAA-regulated organizations, remember that conversations may contain protected health information. Your retention policy, backup procedure, and access controls all need to satisfy HIPAA requirements. Encrypt the database file at rest and ensure only authorized personnel can reach the admin panel.
Usage Monitoring and Analytics
OpenWebUI logs basic usage: which user ran which model and when. That data is stored locally and accessible from the admin panel under Analytics if enabled. You can see per-user token counts and model usage over time, and flag unusual activity, such as a user suddenly running hundreds of queries per day, which might indicate programmatic API use.
It's not enterprise-grade AI audit logging, but it's sufficient to track adoption, identify training needs, and monitor for anomalies. Some firms use this data to bill AI usage back to practice areas based on which teams are driving the most volume.
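The spike check described above, as an added example (not OpenWebUI code or part of the original guide): it counts queries per user per day and flags a day only when it crosses a fixed floor and is also several times that user's own median, so a steady heavy user is not flagged. The log line format, the thresholds and the usernames are assumptions constructed for the example; the page does not show OpenWebUI's actual log format.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed record shape: "<ISO timestamp> user=<name> model=<id>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) model=(\S+)$")

def daily_counts(lines):
    """Return user -> Counter({day: number of queries})."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            day, user, _model = m.groups()
            counts[user][day] += 1
    return counts

def flag_spikes(counts, floor=200, factor=5, min_history=3):
    """Flag (user, day, n, baseline) when n >= floor and n >= factor * baseline.

    baseline is the median of the user's earlier days; days with fewer than
    min_history earlier days are not judged.
    """
    alerts = []
    for user, per_day in sorted(counts.items()):
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            n, baseline = per_day[day], median(history)
            if n >= floor and n >= factor * baseline:
                alerts.append((user, day, n, baseline))
    return alerts

def sample_log():
    """Constructed usage records: one light user who spikes, one steady heavy user."""
    volumes = {"ben.cho": [12, 15, 9, 340], "ana.ruiz": [250, 260, 240, 255]}
    return [f"2025-03-{10 + i}T09:00:00 user={user} model=llama-3.1-70b"
            for user, vols in volumes.items()
            for i, n in enumerate(vols)
            for _ in range(n)]

if __name__ == "__main__":
    for user, day, n, baseline in flag_spikes(daily_counts(sample_log())):
        print(f"{day} {user}: {n} queries (median of earlier days: {baseline})")
```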
Network Configuration: Static IP and Hostname
Your Island Mountain server needs a stable network location. Users shouldn't have to remember an IP address.
Assign a static IP on your network router or DHCP server. Something like 192.168.1.50 prevents the server from pulling a new IP on reboot. Then give the server a meaningful hostname like ai.yourfirm.local or gpt-local.yourfirm.local and point it to that static IP in your internal DNS or hosts file. Now users reach OpenWebUI at http://ai.yourfirm.local:8080 instead of memorizing an address.
A Windows domain with Active Directory lets you register the hostname automatically. Without a domain, add it to the hosts file on each user machine or configure it in your router's DNS settings.
Security: VPN and Network Isolation
Your Island Mountain server should not be directly exposed to the internet. Keep it accessible only from your internal network. For remote staff, use a VPN.
Tailscale is the easiest path. Install it on your server and all user machines and it creates an encrypted mesh network where only devices in your Tailscale account can reach each other. Remote staff access OpenWebUI exactly like on-site staff. Tailscale is free for personal use and runs about $10 per user per month for business accounts.
If you prefer open-source and self-hosted, deploy WireGuard. It's lighter than traditional VPN protocols, handles remote access without cloud intermediaries, and gives you complete control. It requires more configuration than Tailscale but nothing unreasonable.
Either way, no direct internet exposure. All remote access goes through the VPN tunnel.
Backup Strategy
Run a daily backup of the OpenWebUI database to a local NAS or external drive. A simple cron job handles it:
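0 3 * * * sqlite3 /root/ollama/web/conversations.db ".backup /mnt/nas/backup/conversations-$(date +\%Y\%m\%d).db"
That crontab entry runs at 3 AM every day and you're covered. The backslashes before each % are required inside a crontab, where an unescaped % is treated as a newline; drop them if you run the command directly in a shell.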
Store backups on local network-attached storage (a Synology or Buffalo box works well), and do not sync these backups to AWS S3, Google Drive, or Dropbox. You deployed on-premises hardware specifically to keep data off cloud platforms. Syncing backups defeats the entire point.
Keep 30 days of daily backups then delete older files. That balances recovery capability against storage cost. If your NAS supports encrypted shares, enable it. OpenWebUI database files may contain sensitive information and should be encrypted at rest.
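The backup routine from this section as one job, written as an added example rather than code from the original guide or from OpenWebUI: it takes the daily copy, refuses to keep a copy that fails SQLite's integrity check, and applies the 30-day retention. It uses Python's built-in sqlite3 online backup API in place of the sqlite3 CLI's .backup command, and the function names are hypothetical; the paths are the ones the page uses.

```python
import re
import sqlite3
from datetime import date, timedelta
from pathlib import Path

RETENTION_DAYS = 30  # the page keeps 30 days of daily backups
NAME_RE = re.compile(r"^conversations-(\d{8})\.db$")

def backup_and_verify(src: Path, dest_dir: Path, today: date) -> Path:
    """Copy the live database with SQLite's online backup API, then verify the copy."""
    dest = dest_dir / f"conversations-{today.strftime('%Y%m%d')}.db"
    tmp = dest_dir / (dest.name + ".partial")
    # Open read-only so the job can never modify or create the live database.
    live = sqlite3.connect(f"file:{src}?mode=ro", uri=True)
    copy = sqlite3.connect(tmp)
    try:
        live.backup(copy)
        status = copy.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        copy.close()
        live.close()
    if status != "ok":
        tmp.unlink()
        raise RuntimeError(f"backup failed integrity check: {status}")
    tmp.chmod(0o600)   # conversation text is sensitive: owner read/write only
    tmp.replace(dest)  # rename last, so a partial file never looks like a backup
    return dest

def prune(dest_dir: Path, today: date, keep_days: int = RETENTION_DAYS) -> list[str]:
    """Delete backups whose filename date is keep_days or more old; return their names."""
    cutoff = (today - timedelta(days=keep_days)).strftime("%Y%m%d")
    removed = []
    for f in sorted(dest_dir.iterdir()):
        m = NAME_RE.match(f.name)
        # YYYYMMDD strings sort chronologically; files this job did not name are skipped.
        if m and m.group(1) <= cutoff:
            f.unlink()
            removed.append(f.name)
    return removed

if __name__ == "__main__":
    # Paths are the ones the page uses; adjust them to your deployment.
    target = Path("/mnt/nas/backup")
    backup_and_verify(Path("/root/ollama/web/conversations.db"), target, date.today())
    prune(target, date.today())
```

Pruning by the date in the filename rather than by modification time means copying or restoring the backup folder does not reset the retention clock.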
Common Admin Tasks
Adding a new model: After adding it to your Ollama installation, go to Admin Settings, then Models, and refresh the model list. The new model appears. Set permissions as needed.
Resetting a user password: Hit User Management in the admin panel, find the user, and reset. They'll be logged out and prompted to set a new password on next login.
Viewing a specific conversation: Go to Admin Settings, then Conversations, search by user or date, and click through. Full audit access, exactly what compliance requires.
Exporting all conversations: Some organizations do quarterly exports to a long-term archive. The export option in Admin Settings generates a JSON file with all conversations and metadata.
Getting Started
If you've deployed Island Mountain hardware and need to configure OpenWebUI for your team, here's your checklist: create the admin password, disable registration, add users with appropriate roles, restrict models by user, set conversation retention, configure static IP and hostname, deploy VPN access, and set up database backups.
For specific compliance requirements including HIPAA, FERPA, or SOC 2, reach out for a consultation on configuring OpenWebUI to meet your audit and retention obligations. OpenWebUI is built for exactly this: local, controlled, auditable AI without cloud overhead. With proper admin setup it scales cleanly to organizations with dozens of users and the compliance posture to match.
