Who this is for: n8n administrators and DevOps engineers responsible for securing production‑grade n8n deployments. We cover this in detail in the n8n Security & Hardening Guide.
Quick Diagnosis
Problem: Users or services can perform actions they shouldn’t (read, edit, execute workflows) because the RBAC matrix contains overly‑broad roles or missing credential scoping.
Featured‑snippet solution: If a user can edit any workflow after you’ve assigned them only “Viewer” rights, the RBAC definition is wrong. Re‑evaluate the rolePermissions object in ~/.n8n/config and ensure workflow:write is not granted to the “Viewer” role.
1. n8n RBAC: Core Elements
If you encounter any Docker container misconfigurations, resolve them before continuing with the setup.
| Element | Where it lives | Typical values |
|---|---|---|
| role | ~/.n8n/config → rolePermissions | owner, admin, editor, viewer |
| resource | workflow, credential, execution, settings | – |
| operation | read, write, execute, delete | – |
EEFA note: In production never rely on the default owner role for regular staff. It grants full access to every resource, expanding the attack surface if credentials are compromised.
2. Pitfall #1 – Treating the “owner” Role as a Catch‑All
Symptoms & fixes
| Symptom | Why it happens | Fix |
|---|---|---|
| New user can delete any workflow | User was added to the owner role (default for the first user) and the role was never split | Create a dedicated admin role with limited permissions; keep owner for the original account |
| Auditing shows “owner” activity from dozens of accounts | Role inheritance was not adjusted after onboarding | Re‑assign each account to a least‑privilege role |
Step‑by‑step remediation
Export the current role configuration

# Back up existing roles
n8n role export > roles-backup.json

Create a new admin role without owner privileges

n8n role create admin \
  --permissions "workflow:read,workflow:write,workflow:execute,credential:read"

Reassign users to appropriate roles

n8n user update alice --role admin
n8n user update bob --role viewer

EEFA warning: After modifying roles, restart the n8n service to flush the in-memory cache: systemctl restart n8n. If you encounter any missing API rate limiting or DoS issues, resolve them before continuing with the setup.
3. Pitfall #2 – Granting “write” When Only “execute” Is Needed
Common mistake – Assigning workflow:write to a role that only needs to trigger workflows.
Impact matrix
| Resource | Mistaken permission | Real‑world impact |
|---|---|---|
| Workflow | workflow:write (allows edit) | Malicious actor could inject harmful nodes |
| Execution | execution:write | Tampering with run logs, obscuring forensic evidence |
Least‑privilege role matrix
| Role | workflow:read | workflow:execute | workflow:write |
|---|---|---|---|
| Viewer | ✅ | ❌ | ❌ |
| Operator | ✅ | ✅ | ❌ |
| Editor | ✅ | ✅ | ✅ |
JSON snippet for the matrix (split for readability)
{
  "rolePermissions": {
    "viewer": {
      "workflow": ["read"]
    },
    "operator": {
      "workflow": ["read", "execute"]
    },
    "editor": {
      "workflow": ["read", "execute", "write"]
    }
  }
}
EEFA tip: Use n8n role test (v0.230+) to simulate a user’s effective permissions before rolling out changes.
4. Pitfall #3 – Ignoring Credential Scope in RBAC
Credentials can be global or workflow-specific. A "viewer" with no credential:read restriction can still expose secrets if the credential is global. If you encounter any missing audit logging or breach detection, resolve it before continuing with the setup.
Correct scoping example (JSON fragment)
{
  "rolePermissions": {
    "operator": {
      "workflow": ["read", "execute"],
      "credential": ["read"]
    }
  }
}
The operator's credential read permission above is limited to workflow-scoped credentials only.
EEFA note: When using environment variables for secrets, never rely on RBAC to hide them. They are read at process start and bypass n8n’s permission engine.
5. Pitfall #4 – Using Environment Variables as a Role Toggle
Setting RBAC_ROLE=admin in the container grants admin rights to **every** request, defeating RBAC.
Secure pattern for custom nodes
// Refuse to run unless the requesting user owns the workflow
if (this.getWorkflow().ownerId !== this.getUserId()) {
  throw new Error('Insufficient permissions');
}
EEFA reminder: Inject secrets via mounted secrets (K8s, Docker Swarm) instead of globally visible environment variables.
6. Pitfall #5 – Not Testing the Permission Matrix After Every Change
A typo in the JSON can open a backdoor.
Testing toolbox
| Test type | Tool | Example command |
|---|---|---|
| Unit test of RBAC logic | n8n role test | n8n role test --role viewer --resource workflow --operation write |
| API-level verification | curl | curl -H "Authorization: Bearer $TOKEN" https://n8n.example.com/rest/workflows (should return 403 for write) |
| UI sanity check | Browser | Log in as a test user and verify the “Edit” button is hidden |
Pre‑deployment checklist
- Export current role config (n8n role export).
- Run n8n role test for each role-resource-operation combination.
- Verify no owner-level permissions on non-admin accounts.
- Restart n8n and clear browser cache.
- Log audit events (n8n audit) to confirm no unexpected accesses.
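
A static check can catch the typos and over-broad grants described above before the file is deployed. The following is an added example, not code from n8n or from the original article: lintRolePermissions is a hypothetical helper, and its FORBIDDEN policy table is an assumption derived from the sample role set in this guide.

```javascript
// Added example: lint a rolePermissions matrix; vocabulary is from the Core Elements table.
const RESOURCES = ['workflow', 'credential', 'execution', 'settings'];
const OPERATIONS = ['read', 'write', 'execute', 'delete'];

// Assumed policy (derived from the article's sample role set): operations
// that a given role must never hold, on any resource.
const FORBIDDEN = {
  viewer: ['write', 'execute', 'delete'],
  operator: ['write', 'delete'],
  editor: ['delete'],
  admin: ['delete'],
};

function lintRolePermissions(config) {
  const findings = [];
  const roles = config.rolePermissions;
  if (!roles || typeof roles !== 'object') {
    return ['missing rolePermissions object'];
  }
  for (const [role, grants] of Object.entries(roles)) {
    for (const [resource, ops] of Object.entries(grants || {})) {
      if (!RESOURCES.includes(resource)) {
        findings.push(`${role}: unknown resource "${resource}"`);
      }
      if (!Array.isArray(ops)) {
        findings.push(`${role}.${resource}: operations must be an array`);
        continue;
      }
      for (const op of ops) {
        if (!OPERATIONS.includes(op)) {
          findings.push(`${role}.${resource}: unknown operation "${op}"`);
        } else if ((FORBIDDEN[role] || []).includes(op)) {
          findings.push(`${role}.${resource}: "${op}" violates least privilege`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample: one over-broad grant and two typos.
const sample = {
  rolePermissions: {
    viewer: { workflow: ['read', 'write'] },
    operator: { workflow: ['read', 'execute'], credentials: ['read'] },
    editor: { workflow: ['read', 'execute', 'wirte'] },
  },
};
console.log(lintRolePermissions(sample));
```

Run it in CI against the exported role file and fail the build when the returned list is not empty.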
7. Sample “Least‑Privilege” Role Set for a Medium‑Scale Team
Owner, admin, operator and viewer definitions
{
  "owner": {
    "workflow": ["read", "write", "execute", "delete"],
    "credential": ["read", "write", "delete"],
    "settings": ["read", "write"]
  },
  "admin": {
    "workflow": ["read", "write", "execute"],
    "credential": ["read", "write"],
    "settings": ["read"]
  },
  "operator": {
    "workflow": ["read", "execute"],
    "credential": ["read"]
  },
  "viewer": {
    "workflow": ["read"]
  }
}
EEFA best practice: Store this JSON in a version‑controlled repository and apply it via CI/CD pipelines. Detect drift with git diff before the container restarts.
8. Ongoing Monitoring & Auditing
| Tool | What to watch | Alert threshold |
|---|---|---|
| n8n built-in audit log (/audit) | role:change, credential:read from non-admin users | > 5 events per hour |
| External SIEM (Elastic, Splunk) | API calls to /rest/workflows/*/execute by viewer role | Immediate |
| Prometheus exporter | n8n_rbac_denied_total metric | Spike > 200 % baseline |
Prometheus scrape configuration (split for clarity)
scrape_configs:
  - job_name: 'n8n'
    static_configs:
      - targets: ['n8n:5678']
    metrics_path: '/metrics'
EEFA alert: If a viewer role suddenly generates workflow:execute logs, investigate a potential token leak or compromised session.
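
The two audit-log rules from the monitoring table (immediate alert on a viewer executing a workflow, and more than 5 role:change or credential:read events per hour from a non-admin user) can be expressed as a small detector. This is an added example, not n8n's own code: the event shape {ts, user, role, action}, the detect function and the sample events are assumptions constructed for illustration.

```javascript
// Added example: apply the article's alert rules to audit events.
// The event shape {ts, user, role, action} is an assumption; map a real export onto it.
const WATCHED = ['role:change', 'credential:read'];
const ADMIN_ROLES = ['owner', 'admin'];
const HOUR_MS = 60 * 60 * 1000;
const THRESHOLD = 5; // alert when more than 5 watched events fall within one hour

function detect(events) {
  const alerts = [];
  const recent = new Map(); // user -> timestamps of watched events in the last hour
  const firing = new Set(); // users currently above the threshold
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of sorted) {
    const t = Date.parse(e.ts);
    // Rule 1: a viewer executing a workflow is alerted on immediately.
    if (e.role === 'viewer' && e.action === 'workflow:execute') {
      alerts.push({ rule: 'viewer-execute', user: e.user, ts: e.ts });
    }
    // Rule 2: sliding one-hour window of watched actions by non-admin users.
    if (WATCHED.includes(e.action) && !ADMIN_ROLES.includes(e.role)) {
      const win = (recent.get(e.user) || []).filter((x) => t - x < HOUR_MS);
      win.push(t);
      recent.set(e.user, win);
      const over = win.length > THRESHOLD;
      // Alert once per burst, then stay quiet until the rate drops again.
      if (over && !firing.has(e.user)) {
        alerts.push({ rule: 'rate', user: e.user, ts: e.ts, count: win.length });
      }
      if (over) firing.add(e.user); else firing.delete(e.user);
    }
  }
  return alerts;
}

// Constructed sample events (not real log data).
const at = (min) => new Date(Date.UTC(2024, 0, 1, 9, min)).toISOString();
const burst = [0, 5, 10, 15, 20, 25].map((m) => (
  { ts: at(m), user: 'bob', role: 'operator', action: 'credential:read' }));
const sample = [
  ...burst,
  { ts: at(12), user: 'carol', role: 'viewer', action: 'workflow:execute' },
  { ts: at(30), user: 'alice', role: 'admin', action: 'role:change' },
];
console.log(detect(sample));
```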
Conclusion
RBAC in n8n is only as strong as the precision of its role matrix. By eliminating the “owner‑for‑all” shortcut, scoping credentials, avoiding environment‑variable role toggles, and rigorously testing each permission change, you transform a potential security hole into a production‑grade safeguard. Implement the least‑privilege configurations, automate testing, and monitor audit logs to keep your n8n instance secure at scale.



