Users & Access Control
O.D.I.N. uses role-based access control (RBAC) to manage who can see and do what. Every user is assigned a role, optionally scoped to an organization.
Roles
| Role | Permissions |
|---|---|
| Admin | Full access. Manage users, printers, settings, organizations, licenses. |
| Operator | Manage prints, printers, jobs, spools, and models. Cannot manage users or system settings. |
| Viewer | Read-only access to dashboards, printer status, and job history. Cannot start, stop, or modify anything. |
RBAC is enforced on every API endpoint. The frontend hides UI elements the user cannot access, but the backend independently rejects unauthorized requests regardless of what the client sends.
Creating Users
Navigate to Settings > Users > Add User.
| Field | Required | Notes |
|---|---|---|
| Username | Yes | Must be unique across the instance |
| Password | Yes | Minimum 8 characters |
| Role | Yes | Admin, Operator, or Viewer |
| Organization | No | Scopes the user to a specific group |
Admins can also reset passwords and change roles for existing users from the user management page.
Organizations & Groups
Organizations provide multi-tenant isolation. Each organization has its own:
- Printer assignments
- Default filament settings
- Quiet hours configuration
- Webhook endpoints
- Branding (app name, logo)
Users assigned to an organization only see printers and data belonging to that organization. Admins without an organization assignment have visibility across all organizations.
MFA (TOTP)
Users can enable time-based one-time passwords (TOTP) for two-factor authentication.
- Go to Profile > Security > Enable MFA
- Scan the QR code with an authenticator app (Google Authenticator, Authy, etc.)
- Enter the 6-digit code to confirm
Recovery codes are shown once during MFA setup. Store them securely. If a user loses their authenticator device and recovery codes, an admin must disable MFA on their account manually.
OIDC Single Sign-On
O.D.I.N. supports OpenID Connect for SSO with external identity providers.
Navigate to Settings > Authentication > OIDC and configure:
| Field | Description |
|---|---|
| Provider URL | The OIDC discovery endpoint (e.g., https://accounts.google.com) |
| Client ID | From your identity provider's app registration |
| Client Secret | From your identity provider's app registration |
| Redirect URI | Your O.D.I.N. instance URL + /api/v1/auth/oidc/callback |
Provider Examples
Google Workspace:
Provider URL: `https://accounts.google.com`
Azure AD / Entra ID:
Provider URL: `https://login.microsoftonline.com/{tenant-id}/v2.0`
Authentik / Keycloak:
Provider URL: `https://your-idp.example.com/application/o/odin/`
Set the OIDC_REDIRECT_URI environment variable to pin the callback URL. This prevents redirect URI mismatch errors when O.D.I.N. is behind a reverse proxy with a different external hostname.
After OIDC is configured, users see a Sign in with SSO button on the login page. New OIDC users are auto-provisioned with the Viewer role by default. Admins can promote them afterward.
IP Allowlisting
Restrict API and UI access to specific IP addresses or CIDR ranges. When enabled, requests from non-listed IPs are rejected at the network layer.
Configure under Settings > Security > IP Allowlist.
```
192.168.1.0/24
10.0.0.0/8
203.0.113.50
```
If you lock yourself out by misconfiguring the allowlist, access the container directly to reset it:
```bash
docker exec -it odin bash
# Then modify the database or environment to clear the allowlist
```
API Tokens
For automation and integrations, generate API tokens instead of using user credentials.
- Go to Settings > API Tokens > Generate Token
- Set a descriptive name and expiration
- Copy the token immediately — it is shown only once
Use the token in the Authorization header:
```bash
curl -H "Authorization: Bearer <token>" \
  https://your-odin-instance:8000/api/v1/printers
```
API tokens inherit the permissions of the user who created them. A Viewer's token has read-only access; an Admin's token has full access.
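As an added illustration of how the backend role check described under Roles, the organization scoping under Organizations & Groups, and the token inheritance described above fit together in one authorization decision (example code, not O.D.I.N.'s own; the action names, the data classes, and the treatment of unscoped non-admin users are assumptions):

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed permission model for the three documented roles. Each role maps
# to the actions it may perform; "manage_*" covers create, update and delete.
ROLE_ACTIONS = {
    "admin": {"read", "manage_jobs", "manage_printers", "manage_users", "manage_settings"},
    "operator": {"read", "manage_jobs", "manage_printers"},
    "viewer": {"read"},
}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    organization: Optional[str] = None  # None = no organization assignment

@dataclass(frozen=True)
class ApiToken:
    owner: User  # a token has no role of its own; it inherits its owner's

@dataclass(frozen=True)
class Printer:
    name: str
    organization: str

Principal = Union[User, ApiToken]

def effective_user(principal: Principal) -> User:
    """Resolve a token to the user whose permissions it inherits."""
    return principal.owner if isinstance(principal, ApiToken) else principal

def authorize(principal: Principal, action: str, printer: Printer) -> bool:
    """Backend decision: the role must grant the action AND the org scope must
    cover the printer. Nothing the client claims about itself is consulted."""
    user = effective_user(principal)
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False
    # Org-scoped users only see their own organization's printers. The page
    # documents cross-org visibility for unscoped admins; applying it to any
    # unscoped user is this example's assumption.
    if user.organization is not None and printer.organization != user.organization:
        return False
    return True

def handle_request(principal: Principal, action: str, printer: Printer) -> int:
    """HTTP-style result for a request, as a backend endpoint would return it."""
    return 200 if authorize(principal, action, printer) else 403
```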