diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index b1955b056d2..2c355fc7292 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -31,6 +31,7 @@
 )
 from open_webui.internal.db import Base, get_db
 from open_webui.utils.redis import get_redis_connection
+from open_webui.models.permissions import Permissions
 
 
 class EndpointFilter(logging.Filter):
@@ -1130,7 +1131,6 @@ def oidc_oauth_register(client):
     os.environ.get("USER_PERMISSIONS_FEATURES_NOTES", "True").lower() == "true"
 )
 
-
 DEFAULT_USER_PERMISSIONS = {
     "workspace": {
         "models": USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS,
@@ -1167,10 +1167,44 @@ def oidc_oauth_register(client):
     },
 }
 
-USER_PERMISSIONS = PersistentConfig(
-    "USER_PERMISSIONS",
-    "user.permissions",
-    DEFAULT_USER_PERMISSIONS,
+DEFAULT_USER_PERMISSIONS_LABELS = {
+    "workspace": {
+        "models": "Models Access",
+        "knowledge": "Knowledge Access",
+        "prompts": "Prompts Access",
+        "tools": "Tools Access",
+    },
+    "sharing": {
+        "public_models": "Models Public Sharing",
+        "public_knowledge": "Knowledge Public Sharing",
+        "public_prompts": "Prompts Public Sharing",
+        "public_tools": "Tools Public Sharing",
+    },
+    "chat": {
+        "controls": "Allow Chat Controls",
+        "file_upload": "Allow File Upload",
+        "delete": "Allow Chat Delete",
+        "edit": "Allow Chat Edit",
+        "share": "Allow Chat Share",
+        "export": "Allow Chat Export",
+        "stt": "Allow Speech to Text",
+        "tts": "Allow Text to Speech",
+        "call": "Allow Call",
+        "multiple_models": "Allow Multiple Models in Chat",
+        "temporary": "Allow Temporary Chat",
+        "temporary_enforced": "Enforce Temporary Chat",
+    },
+    "features": {
+        "direct_tool_servers": "Direct Tool Servers",
+        "web_search": "Web Search",
+        "image_generation": "Image Generation",
+        "code_interpreter": "Code Interpreter",
+        "notes": "Notes",
+    },
+}
+
+USER_PERMISSIONS = Permissions.set_initial_permissions(
+    DEFAULT_USER_PERMISSIONS, DEFAULT_USER_PERMISSIONS_LABELS
 )
 
 ENABLE_CHANNELS = PersistentConfig(
diff --git a/backend/open_webui/constants.py b/backend/open_webui/constants.py
index 95c54a0d270..5b4f6362de5 100644
--- a/backend/open_webui/constants.py
+++ b/backend/open_webui/constants.py
@@ -104,6 +104,22 @@ def __str__(self) -> str:
     )
     FILE_NOT_PROCESSED = "Extracted content is not available for this file. Please ensure that the file is processed before proceeding."
 
+    PERMISSION_FETCH_FAILED = "Permissions fetch failed. Please try again later."
+    PERMISSION_NOT_FOUND = (
+        lambda name="", category="": f"Permission '{name}' with category '{category}' was not found"
+    )
+
+    ROLE_ALREADY_EXISTS = (
+        lambda role="": f"A role with the name '{role}' already exists"
+    )
+    ROLE_DO_NOT_EXISTS = "A role does not exist."
+    ROLE_ALREADY_ASSIGNED_TO_GROUP = ()
+    ROLE_DELETE_ERROR = "Oops! Something went wrong. We encountered an issue while trying to delete the role. Please give it another shot."
+    ROLE_NOT_FOUND = (
+        "This role does not exist.  Please check the role name and try again."
+    )
+    ROLE_ERROR = "Oops! Something went wrong. Please try again later."
+
 
 class TASKS(str, Enum):
     def __str__(self) -> str:
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index a5aee4bb829..1f33b5b33f8 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -78,6 +78,8 @@
     tools,
     users,
     utils,
+    roles,
+    permissions,
 )
 
 from open_webui.routers.retrieval import (
@@ -588,6 +590,7 @@ async def lifespan(app: FastAPI):
 app.state.config.RESPONSE_WATERMARK = RESPONSE_WATERMARK
 
 app.state.config.USER_PERMISSIONS = USER_PERMISSIONS
+
 app.state.config.WEBHOOK_URL = WEBHOOK_URL
 app.state.config.BANNERS = WEBUI_BANNERS
 app.state.config.MODEL_ORDER_LIST = MODEL_ORDER_LIST
@@ -1052,6 +1055,11 @@ async def inspect_websocket(request: Request, call_next):
 )
 app.include_router(utils.router, prefix="/api/v1/utils", tags=["utils"])
 
+app.include_router(roles.router, prefix="/api/v1/roles", tags=["roles"])
+app.include_router(
+    permissions.router, prefix="/api/v1/permissions", tags=["permissions"]
+)
+
 
 try:
     audit_level = AuditLevel(AUDIT_LOG_LEVEL)
@@ -1405,7 +1413,7 @@ async def get_app_config(request: Request):
                     "max_size": app.state.config.FILE_MAX_SIZE,
                     "max_count": app.state.config.FILE_MAX_COUNT,
                 },
-                "permissions": {**app.state.config.USER_PERMISSIONS},
+                "permissions": USER_PERMISSIONS,
                 "google_drive": {
                     "client_id": GOOGLE_DRIVE_CLIENT_ID.value,
                     "api_key": GOOGLE_DRIVE_API_KEY.value,
diff --git a/backend/open_webui/migrations/versions/04c6df61a317_added_permissions_to_database.py b/backend/open_webui/migrations/versions/04c6df61a317_added_permissions_to_database.py
new file mode 100644
index 00000000000..c13f9cd2649
--- /dev/null
+++ b/backend/open_webui/migrations/versions/04c6df61a317_added_permissions_to_database.py
@@ -0,0 +1,55 @@
+"""Added permissions to the database
+
+Revision ID: 04c6df61a317
+Revises: 262aff902ca3
+Create Date: 2025-04-22 14:55:58.948054
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy import Enum
+
+
+# revision identifiers, used by Alembic.
+revision: str = "04c6df61a317"
+down_revision: Union[str, None] = "262aff902ca3"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade():
+    # Create a permissions table.
+    op.create_table(
+        "permissions",
+        sa.Column("id", sa.Integer(), primary_key=True, autoincrement=True),
+        sa.Column("name", sa.String(), nullable=False),
+        sa.Column("label", sa.String(), nullable=False),
+        sa.Column(
+            "category",
+            Enum("workspace", "sharing", "chat", "features", name="permissioncategory"),
+            nullable=False,
+        ),
+        sa.Column("description", sa.String()),
+    )
+
+    # Create a role_permissions join table to allow many-to-many relationships between roles and permissions.
+    op.create_table(
+        "role_permissions",
+        sa.Column("role_id", sa.Integer(), nullable=False),
+        sa.Column("permission_id", sa.Integer(), nullable=False),
+        sa.Column("value", sa.Boolean(), default=False),  # Added value column here
+        sa.ForeignKeyConstraint(["role_id"], ["roles.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(
+            ["permission_id"], ["permissions.id"], ondelete="CASCADE"
+        ),
+        sa.PrimaryKeyConstraint("role_id", "permission_id"),
+    )
+
+
+def downgrade():
+    op.drop_table("role_permissions")
+    op.drop_table("permissions")
+    op.execute("DROP TYPE permissioncategory")
diff --git a/backend/open_webui/migrations/versions/262aff902ca3_added_roles_tabel.py b/backend/open_webui/migrations/versions/262aff902ca3_added_roles_tabel.py
new file mode 100644
index 00000000000..41357a582d6
--- /dev/null
+++ b/backend/open_webui/migrations/versions/262aff902ca3_added_roles_tabel.py
@@ -0,0 +1,49 @@
+"""Added roles tabel
+
+Revision ID: 262aff902ca3
+Revises: 9f0c9cd09105
+Create Date: 2025-04-14 14:25:33.528446
+
+"""
+
+import time
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision: str = "262aff902ca3"
+down_revision: Union[str, None] = "9f0c9cd09105"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade():
+    op.create_table(
+        "roles",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column("name", sa.String()),
+        sa.Column("created_at", sa.BigInteger(), nullable=True),
+        sa.Column("updated_at", sa.BigInteger(), nullable=True),
+    )
+
+    # Insert default roles into the database.
+    current_time = int(time.time())
+
+    connection = op.get_bind()
+    connection.execute(
+        sa.text(
+            f"""
+            INSERT INTO roles (name, created_at, updated_at) VALUES
+            ('pending', {current_time}, {current_time}),
+            ('admin', {current_time}, {current_time}),
+            ('user', {current_time}, {current_time})
+            """
+        )
+    )
+
+
+def downgrade():
+    op.drop_table("roles")
diff --git a/backend/open_webui/models/permissions.py b/backend/open_webui/models/permissions.py
new file mode 100644
index 00000000000..1a915bdf1c4
--- /dev/null
+++ b/backend/open_webui/models/permissions.py
@@ -0,0 +1,481 @@
+import os
+from enum import Enum
+
+from pydantic import BaseModel, ConfigDict, Field
+from sqlalchemy.orm import relationship
+from sqlalchemy import Column, String, Integer, Enum as SQLAlchemyEnum
+
+from open_webui.internal.db import Base, get_db
+from open_webui.models.roles import RolePermission, Role
+
+persistent_config = os.environ.get("ENABLE_PERSISTENT_CONFIG", "True").lower() == "true"
+
+####################
+# Role DB Schema
+####################
+
+
+class PermissionCategory(str, Enum):
+    workspace = "workspace"
+    sharing = "sharing"
+    chat = "chat"
+    features = "features"
+
+
+class RolePermissionModel(BaseModel):
+    role_id: int
+    permission_id: int
+    value: bool = False
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+class Permission(Base):
+    __tablename__ = "permissions"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String, nullable=False)
+    label = Column(String, nullable=False)
+    category = Column(SQLAlchemyEnum(PermissionCategory), nullable=False)
+    description = Column(String)
+
+    role_associations = relationship("RolePermission", back_populates="permission")
+
+    # Convenience property to access roles directly if needed
+    @property
+    def roles(self):
+        return [assoc.role for assoc in self.role_associations]
+
+
+class PermissionModel(BaseModel):
+    id: int = Field(default=None)
+    name: str
+    label: str
+    category: PermissionCategory
+    description: str | None
+    value: bool = False
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+class PermissionEmptyModel(BaseModel):
+    id: int = Field(default=None)
+    name: str
+    label: str
+    category: PermissionCategory
+    description: str | None
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+class PermissionCreateModel(BaseModel):
+    name: str
+    label: str
+    category: PermissionCategory
+    description: str | None = None
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+####################
+# Forms
+####################
+
+
+class PermissionRoleForm(BaseModel):
+    permission_name: str
+    category: PermissionCategory
+    value: bool = False
+
+
+class PermissionAddForm(BaseModel):
+    name: str
+    label: str
+    category: PermissionCategory
+    description: str | None = None
+
+
+####################
+# Database operations
+####################
+
+
+class PermissionsTable:
+
+    def get_ordre_by_category(
+        self, role_name: str = "user"
+    ) -> dict[PermissionCategory, dict[str, bool]]:
+        with get_db() as db:
+            result = {}
+
+            # First, get the user role permissions as defaults if requesting permissions for a different role
+            if role_name != "user":
+                user_role = db.query(Role).filter_by(name="user").first()
+                if user_role:
+                    # Query the RolePermission association objects for the user role
+                    user_role_permissions = (
+                        db.query(RolePermission).filter_by(role_id=user_role.id).all()
+                    )
+
+                    # Create a mapping of permission_id to value for user role
+                    user_permission_values = {
+                        rp.permission_id: rp.value for rp in user_role_permissions
+                    }
+
+                    # Get all permissions associated with user role
+                    user_permissions = (
+                        db.query(Permission)
+                        .filter(
+                            Permission.id.in_(
+                                [rp.permission_id for rp in user_role_permissions]
+                            )
+                        )
+                        .all()
+                    )
+
+                    # Build default permissions dictionary
+                    for perm in user_permissions:
+                        category = perm.category.value
+                        if category not in result:
+                            result[category] = {}
+
+                        result[category][perm.name] = user_permission_values[perm.id]
+
+            # Now get the specified role's permissions
+            target_role = db.query(Role).filter_by(name=role_name).first()
+            if not target_role:
+                # Return user defaults if target role doesn't exist
+                return result
+
+            target_role_permissions = (
+                db.query(RolePermission).filter_by(role_id=target_role.id).all()
+            )
+            target_permission_values = {
+                rp.permission_id: rp.value for rp in target_role_permissions
+            }
+            target_permissions = (
+                db.query(Permission)
+                .filter(
+                    Permission.id.in_(
+                        [rp.permission_id for rp in target_role_permissions]
+                    )
+                )
+                .all()
+            )
+
+            # Merge target role permissions with defaults
+            for perm in target_permissions:
+                category = perm.category.value
+                if category not in result:
+                    result[category] = {}
+
+                # Override default with target role's value
+                result[category][perm.name] = target_permission_values[perm.id]
+
+            # Add all permissions from the permission table that are missing in the result
+            # with a default value of False
+            all_permissions = db.query(Permission).all()
+            for perm in all_permissions:
+                category = perm.category.value
+                if category not in result:
+                    result[category] = {}
+
+                # Only add if not already in result
+                if perm.name not in result[category]:
+                    result[category][perm.name] = False
+
+            return result
+
+    def set_initial_permissions(
+        self,
+        default_permissions: dict[PermissionCategory, dict[str, bool]],
+        default_labels: dict[PermissionCategory, dict[str, str]],
+        role_name: str = "user",
+    ) -> dict[PermissionCategory, dict[str, bool]]:
+        with get_db() as db:
+            role = db.query(Role).filter_by(name=role_name).order_by(Role.id).first()
+            if not role:
+                raise ValueError(f"Role '{role_name}' not found")
+
+            # No permissions exist, initialize with defaults
+            for category_str, perms in default_permissions.items():
+                # Convert string category to enum
+                try:
+                    category = PermissionCategory(category_str)
+                except ValueError:
+                    continue  # Skip invalid categories
+
+                for perm_name, value in perms.items():
+                    existing_permission = (
+                        db.query(Permission)
+                        .filter_by(name=perm_name, category=category)
+                        .first()
+                    )
+
+                    if not existing_permission:
+                        new_permission = Permission(
+                            name=perm_name,
+                            category=category,
+                            label=default_labels[category_str][perm_name],
+                            description=f"Default {category.value} permission for {perm_name}",
+                        )
+                        db.add(new_permission)
+                        db.flush()
+
+                        # Create the association with the value
+                        role_permission = RolePermission(
+                            role_id=role.id,
+                            permission_id=new_permission.id,
+                            value=value,
+                        )
+                        db.add(role_permission)
+                    else:
+                        if not persistent_config:
+                            # Override store permission with the ones from env.
+                            role_permission = (
+                                db.query(RolePermission)
+                                .filter_by(
+                                    role_id=role.id,
+                                    permission_id=existing_permission.id,
+                                )
+                                .first()
+                            )
+                            role_permission.value = value
+
+            try:
+                db.commit()
+            except Exception as e:
+                db.rollback()
+                raise e
+
+            # Return current permissions structure
+            return self.get_ordre_by_category()
+
+    def get(self, permission_name: str, category: PermissionCategory):
+        with get_db() as db:
+            try:
+                # Find the permission
+                db_permission = (
+                    db.query(Permission)
+                    .filter_by(name=permission_name, category=category)
+                    .first()
+                )
+
+                if not db_permission:
+                    return None
+
+                # Create and return a PermissionModel instance
+                return PermissionModel(
+                    id=db_permission.id,
+                    name=db_permission.name,
+                    label=db_permission.label,
+                    category=db_permission.category,
+                    description=db_permission.description,
+                    # Default value to False as we don't have a role context
+                    value=False,
+                )
+
+            except Exception as e:
+                print(f"Error getting permission: {e}")
+                return None
+
+    def get_all(self) -> list[PermissionEmptyModel]:
+        with get_db() as db:
+            try:
+                # Query all permissions from the database
+                db_permissions = db.query(Permission).all()
+
+                # Convert database objects to PermissionModel instances
+                permissions = [
+                    PermissionEmptyModel(
+                        id=p.id,
+                        name=p.name,
+                        label=p.label,
+                        category=p.category,
+                        description=p.description,
+                    )
+                    for p in db_permissions
+                ]
+
+                return permissions
+
+            except Exception as e:
+                print(f"Error getting all permissions: {e}")
+                return []
+
+    def add(self, permission: PermissionCreateModel) -> PermissionEmptyModel | None:
+        with get_db() as db:
+            try:
+                existing_permission = (
+                    db.query(Permission)
+                    .filter_by(name=permission.name, category=permission.category)
+                    .first()
+                )
+
+                if existing_permission:
+                    # Permission exists.
+                    return None
+
+                new_permission = Permission(
+                    name=permission.name,
+                    label=permission.label,
+                    category=permission.category,
+                    description=permission.description,
+                )
+                db.add(new_permission)
+                db.commit()
+                db.refresh(new_permission)
+
+                return PermissionEmptyModel.model_validate(new_permission)
+
+            except Exception as e:
+                print(f"Error adding permission: {e}")
+                db.rollback()
+                return None
+
+    def update(self, permission: PermissionEmptyModel) -> PermissionEmptyModel | None:
+        with get_db() as db:
+            try:
+                db_permission = (
+                    db.query(Permission)
+                    .filter_by(name=permission["name"], category=permission["category"])
+                    .first()
+                )
+
+                if not db_permission:
+                    return None
+
+                if "description" in permission:
+                    db_permission.description = permission["description"]
+
+                db.commit()
+                db.refresh(db_permission)
+
+                return PermissionEmptyModel.model_validate(db_permission)
+
+            except Exception as e:
+                print(f"Error updating permission: {e}")
+                db.rollback()
+                return None
+
+    def delete(self, permission_name: str, category: PermissionCategory) -> bool:
+        with get_db() as db:
+            try:
+                # Find the permission
+                db_permission = (
+                    db.query(Permission)
+                    .filter_by(name=permission_name, category=category)
+                    .first()
+                )
+
+                if not db_permission:
+                    return False
+
+                # Delete all role associations first to avoid foreign key constraints
+                db.query(RolePermission).filter_by(
+                    permission_id=db_permission.id
+                ).delete()
+
+                # Then delete the permission itself
+                db.delete(db_permission)
+                db.commit()
+                return True
+
+            except Exception as e:
+                print(f"Error deleting permission: {e}")
+                db.rollback()
+                return False
+
+    def link(
+        self, permission_id: int, role_id: int, value: bool = False
+    ) -> RolePermissionModel | None:
+        with get_db() as db:
+            try:
+                # Check if permission exists
+                permission = db.query(Permission).filter_by(id=permission_id).first()
+                if not permission:
+                    return None
+
+                # Check if role exists
+                role = db.query(Role).filter_by(id=role_id).first()
+                if not role:
+                    return None
+
+                # Check if the link already exists
+                existing_link = (
+                    db.query(RolePermission)
+                    .filter_by(role_id=role_id, permission_id=permission_id)
+                    .first()
+                )
+
+                if existing_link:
+                    # If link already exists, update its value
+                    existing_link.value = value
+                    db.commit()
+                    return RolePermissionModel.model_validate(existing_link)
+
+                # Create new association
+                role_permission = RolePermission(
+                    role_id=role_id, permission_id=permission_id, value=value
+                )
+                from pprint import pprint
+
+                pprint(role_permission)
+
+                db.add(role_permission)
+                db.commit()
+                db.refresh(role_permission)
+
+                return RolePermissionModel.model_validate(role_permission)
+
+            except Exception as e:
+                print(f"Error linking permission to role: {e}")
+                db.rollback()
+                return None
+
+    def unlink(self, permission_id: int, role_id: int) -> bool:
+        with get_db() as db:
+            try:
+                # Find the association
+                deleted = (
+                    db.query(RolePermission)
+                    .filter_by(role_id=role_id, permission_id=permission_id)
+                    .delete()
+                )
+
+                db.commit()
+                return deleted > 0
+
+            except Exception as e:
+                print(f"Error unlinking permission from role: {e}")
+                db.rollback()
+                return False
+
+    def exists(self, permission: PermissionModel, role_name: str = "user") -> bool:
+        with get_db() as db:
+            # First find the role
+            role = db.query(Role).filter_by(name=role_name).first()
+            if not role:
+                return False
+
+            # Then check if there's a permission with this name and category
+            db_permission = (
+                db.query(Permission)
+                .filter_by(name=permission["name"], category=permission["category"])
+                .first()
+            )
+
+            if not db_permission:
+                return False
+
+            # Finally, check if there's an association between them
+            association = (
+                db.query(RolePermission)
+                .filter_by(role_id=role.id, permission_id=db_permission.id)
+                .first()
+            )
+
+            return association is not None
+
+
+Permissions = PermissionsTable()
diff --git a/backend/open_webui/models/roles.py b/backend/open_webui/models/roles.py
new file mode 100644
index 00000000000..caabc738045
--- /dev/null
+++ b/backend/open_webui/models/roles.py
@@ -0,0 +1,151 @@
+import time
+
+from typing import Optional
+from pydantic import BaseModel, ConfigDict
+from sqlalchemy import Boolean, BigInteger, Column, String, Integer, ForeignKey
+from sqlalchemy.orm import relationship
+
+from open_webui.internal.db import Base, get_db
+
+
+####################
+# Association table for the many-to-many relationship (role <-> permission) with value
+####################
+class RolePermission(Base):
+    __tablename__ = "role_permissions"
+
+    role_id = Column(Integer, ForeignKey("roles.id"), primary_key=True)
+    permission_id = Column(Integer, ForeignKey("permissions.id"), primary_key=True)
+    value = Column(Boolean, default=False)
+
+    # Add relationships to both sides
+    role = relationship("Role", back_populates="permission_associations")
+    permission = relationship("Permission", back_populates="role_associations")
+
+
+####################
+# Role DB Schema
+####################
+
+
+class Role(Base):
+    __tablename__ = "roles"
+
+    id = Column(Integer, primary_key=True)
+    name = Column(String)
+    updated_at = Column(BigInteger)
+    created_at = Column(BigInteger)
+
+    permission_associations = relationship("RolePermission", back_populates="role")
+
+    @property
+    def permissions(self):
+        return [assoc.permission for assoc in self.permission_associations]
+
+
+class RoleModel(BaseModel):
+    id: int
+    name: str
+    updated_at: int
+    created_at: int
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+####################
+# Forms
+####################
+
+
+class RoleForm(BaseModel):
+    role: str
+
+
+class RolesTable:
+    def insert_new_role(
+        self,
+        name: str,
+    ) -> Optional[RoleModel]:
+        with get_db() as db:
+            result = Role(
+                name=name, created_at=int(time.time()), updated_at=int(time.time())
+            )
+            db.add(result)
+            db.commit()
+            db.refresh(result)
+            if result:
+                return RoleModel.model_validate(result)
+
+            return None
+
+    def get_role_by_id(self, id: str) -> Optional[RoleModel]:
+        try:
+            with get_db() as db:
+                role = db.query(Role).filter_by(id=id).first()
+                return RoleModel.model_validate(role)
+        except Exception:
+            return None
+
+    def get_role_by_name(self, name: str) -> Optional[RoleModel]:
+        try:
+            with get_db() as db:
+                role = db.query(Role).filter_by(name=name).first()
+                return RoleModel.model_validate(role)
+        except Exception:
+            return None
+
+    def update_name_by_id(self, role_id: str, name: str) -> Optional[RoleModel]:
+        with get_db() as db:
+            db.query(Role).filter_by(id=role_id).update(
+                {"name": name, "updated_at": int(time.time())}
+            )
+            db.commit()
+            return self.get_role_by_id(role_id)
+
+    def get_roles(
+        self, skip: Optional[int] = None, limit: Optional[int] = None
+    ) -> list[RoleModel]:
+        with get_db() as db:
+
+            query = db.query(Role).order_by(Role.id)
+
+            if skip:
+                query = query.offset(skip)
+            if limit:
+                query = query.limit(limit)
+
+            roles = query.all()
+
+            return [RoleModel.model_validate(role) for role in roles]
+
+    def get_num_roles(self) -> Optional[int]:
+        with get_db() as db:
+            return db.query(Role).count()
+
+    def delete_by_id(self, role_id: str) -> bool:
+        try:
+            with get_db() as db:
+                db.query(Role).filter_by(id=role_id).delete()
+                db.commit()
+
+            return True
+        except Exception:
+            return False
+
+    def add_role_if_role_do_not_exists(self, role_name: str) -> Optional[RoleModel]:
+        # Check if role already exists
+        existing_role = self.get_role_by_name(role_name)
+        if existing_role:
+            return existing_role
+
+        # Role is allowed and doesn't exist, so create it
+        try:
+            return self.insert_new_role(name=role_name)
+        except Exception:
+            return None
+
+    def exists(self, role_name: str) -> bool:
+        return self.get_role_by_name(role_name) is not None
+
+
+Roles = RolesTable()
diff --git a/backend/open_webui/routers/auths.py b/backend/open_webui/routers/auths.py
index 793bdfd30a2..bbdbd33c2bb 100644
--- a/backend/open_webui/routers/auths.py
+++ b/backend/open_webui/routers/auths.py
@@ -48,6 +48,7 @@
 )
 from open_webui.utils.webhook import post_webhook
 from open_webui.utils.access_control import get_permissions
+from open_webui.models.permissions import Permissions
 
 from typing import Optional, List
 
@@ -108,7 +109,7 @@ async def get_session_user(
         )
 
     user_permissions = get_permissions(
-        user.id, request.app.state.config.USER_PERMISSIONS
+        user.id, Permissions.get_ordre_by_category(user.role)
     )
 
     return {
@@ -329,7 +330,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                 )
 
                 user_permissions = get_permissions(
-                    user.id, request.app.state.config.USER_PERMISSIONS
+                    user.id, Permissions.get_ordre_by_category(user.role)
                 )
 
                 return {
@@ -427,7 +428,7 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
         )
 
         user_permissions = get_permissions(
-            user.id, request.app.state.config.USER_PERMISSIONS
+            user.id, Permissions.get_ordre_by_category(user.role)
         )
 
         return {
@@ -537,7 +538,7 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
                 )
 
             user_permissions = get_permissions(
-                user.id, request.app.state.config.USER_PERMISSIONS
+                user.id, Permissions.get_ordre_by_category(user.role)
             )
 
             if user_count == 0:
diff --git a/backend/open_webui/routers/permissions.py b/backend/open_webui/routers/permissions.py
new file mode 100644
index 00000000000..f0966c3d5aa
--- /dev/null
+++ b/backend/open_webui/routers/permissions.py
@@ -0,0 +1,49 @@
+import logging
+from typing import Optional
+from fastapi import APIRouter, Depends, HTTPException, status
+
+from open_webui.constants import ERROR_MESSAGES
+from open_webui.env import SRC_LOG_LEVELS
+from open_webui.utils.auth import get_admin_user
+from open_webui.models.roles import RoleForm
+from open_webui.models.permissions import (
+    Permissions,
+    PermissionModel,
+    PermissionCreateModel,
+    PermissionEmptyModel,
+    PermissionCategory,
+    PermissionAddForm,
+)
+
+
+log = logging.getLogger(__name__)
+log.setLevel(SRC_LOG_LEVELS["MODELS"])
+
+router = APIRouter()
+
+
+############################
+# GetPermissions
+############################
+
+
+@router.get("/", response_model=list[PermissionEmptyModel])
+async def get_permissions(user=Depends(get_admin_user)):
+    return Permissions.get_all()
+
+
+############################
+# AddPermission
+############################
+
+
+@router.post("/", response_model=Optional[PermissionEmptyModel])
+async def add_permissions(form_data: PermissionAddForm, user=Depends(get_admin_user)):
+    permission = Permissions.add(permission=form_data)
+    if permission:
+        return permission
+
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail="Something went wrong. Please try again.",
+    )
diff --git a/backend/open_webui/routers/roles.py b/backend/open_webui/routers/roles.py
new file mode 100644
index 00000000000..cd2732b0188
--- /dev/null
+++ b/backend/open_webui/routers/roles.py
@@ -0,0 +1,198 @@
+import logging
+from typing import Optional
+from fastapi import APIRouter, Depends, HTTPException, status
+
+from open_webui.constants import ERROR_MESSAGES
+from open_webui.env import SRC_LOG_LEVELS
+from open_webui.utils.auth import get_admin_user
+from open_webui.models.roles import RoleModel, Roles, RoleForm
+from open_webui.models.permissions import (
+    Permissions,
+    PermissionModel,
+    PermissionCategory,
+    PermissionRoleForm,
+)
+
+
+log = logging.getLogger(__name__)
+log.setLevel(SRC_LOG_LEVELS["MODELS"])
+
+router = APIRouter()
+
+
+############################
+# GetRoles
+############################
+
+
+@router.get("/", response_model=list[RoleModel])
+async def get_roles(
+    skip: Optional[int] = None,
+    limit: Optional[int] = None,
+    user=Depends(get_admin_user),
+):
+    return Roles.get_roles(skip, limit)
+
+
+############################
+# AddRole
+############################
+
+
+@router.post("/", response_model=Optional[RoleModel])
+async def add_role(form_data: RoleForm, user=Depends(get_admin_user)):
+    # Check if the role already exists
+    existing_role = Roles.get_role_by_name(name=form_data.role)
+    if existing_role:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=ERROR_MESSAGES.ROLE_ALREADY_EXISTS(role=form_data.role),
+        )
+
+    return Roles.insert_new_role(name=form_data.role)
+
+
+############################
+# UpdateRoleById
+############################
+
+
+@router.post("/{role_id}", response_model=Optional[RoleModel])
+async def update_role_name(
+    role_id: int, form_data: RoleForm, user=Depends(get_admin_user)
+):
+    # Check if the role already exists
+    existing_role = Roles.get_role_by_id(role_id)
+    if not existing_role:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=ERROR_MESSAGES.ROLE_DO_NOT_EXISTS,
+        )
+
+    return Roles.update_name_by_id(role_id, form_data.role)
+
+
+############################
+# DeleteRoleById
+############################
+
+
+@router.delete("/{role_name}", response_model=bool)
+async def delete_role_by_id(role_name: str, user=Depends(get_admin_user)):
+    role = Roles.get_role_by_name(role_name)
+    if not role:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=ERROR_MESSAGES.ROLE_DO_NOT_EXISTS,
+        )
+
+    result = Roles.delete_by_id(role.id)
+    if result:
+        return True
+
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail=ERROR_MESSAGES.ROLE_DELETE_ERROR,
+    )
+
+
+############################
+# GetPermissionForRole
+############################
+
+
+@router.get("/{role_name}/permissions")
+async def get_default_permissions_by_role_name(
+    role_name: str, user=Depends(get_admin_user)
+):
+    if not Roles.exists(role_name):
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=ERROR_MESSAGES.ROLE_NOT_FOUND,
+        )
+
+    permissions = Permissions.get_ordre_by_category(role_name)
+
+    if permissions:
+        return permissions
+
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail=ERROR_MESSAGES.PERMISSION_FETCH_FAILED,
+    )
+
+
+############################
+# LinkPermissionToRole
+###########################
+
+
+@router.post("/{role_name}/permission/link")
+async def link_default_permission_to_role(
+    role_name: str, form_data: PermissionRoleForm, user=Depends(get_admin_user)
+):
+    permission = Permissions.get(form_data.permission_name, form_data.category)
+    if not permission:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=ERROR_MESSAGES.PERMISSION_NOT_FOUND(
+                name=form_data.permission_name, category=form_data.category.value
+            ),
+        )
+
+    role = Roles.get_role_by_name(role_name)
+    if not role:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=ERROR_MESSAGES.ROLE_NOT_FOUND,
+        )
+
+    result = Permissions.link(
+        permission_id=permission.id, role_id=role.id, value=form_data.value
+    )
+    if result:
+        return True
+
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail=ERROR_MESSAGES.ROLE_ERROR,
+    )
+
+
+############################
+# UnlinkPermissionToRole
+###########################
+
+
+@router.delete("/{role_name}/permission/{permission_category}/{permission_name}")
+async def unlink_default_permission_from_role(
+    role_name: str,
+    permission_name: str,
+    category: PermissionCategory,
+    user=Depends(get_admin_user),
+):
+
+    role = Roles.get_role_by_name(role_name)
+    if not role:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=ERROR_MESSAGES.ROLE_NOT_FOUND,
+        )
+
+    permission = Permissions.get(permission_name, category)
+    if not permission:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=ERROR_MESSAGES.PERMISSION_NOT_FOUND(
+                name=permission_name, category=category
+            ),
+        )
+
+    result = Permissions.unlink(permission_id=permission.id, role_id=role.id)
+    if result:
+        return True
+
+    raise HTTPException(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        detail=ERROR_MESSAGES.ROLE_ERROR,
+    )
diff --git a/backend/open_webui/routers/users.py b/backend/open_webui/routers/users.py
index 8702ae50bae..f71fbfcd528 100644
--- a/backend/open_webui/routers/users.py
+++ b/backend/open_webui/routers/users.py
@@ -20,9 +20,18 @@
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from pydantic import BaseModel
 
-from open_webui.utils.auth import get_admin_user, get_password_hash, get_verified_user
-from open_webui.utils.access_control import get_permissions, has_permission
-
+from open_webui.utils.auth import (
+    get_admin_user,
+    get_password_hash,
+    get_verified_user,
+    get_current_user,
+)
+from open_webui.utils.access_control import get_permissions
+from open_webui.models.permissions import (
+    Permissions,
+    PermissionCategory,
+    PermissionModel,
+)
 
 log = logging.getLogger(__name__)
 log.setLevel(SRC_LOG_LEVELS["MODELS"])
@@ -86,7 +95,7 @@ async def get_user_groups(user=Depends(get_verified_user)):
 @router.get("/permissions")
 async def get_user_permissisions(request: Request, user=Depends(get_verified_user)):
     user_permissions = get_permissions(
-        user.id, request.app.state.config.USER_PERMISSIONS
+        user.id, Permissions.get_ordre_by_category(user.role)
     )
 
     return user_permissions
@@ -139,30 +148,43 @@ class UserPermissions(BaseModel):
     features: FeaturesPermissions
 
 
-@router.get("/default/permissions", response_model=UserPermissions)
+@router.get(
+    "/default/permissions", response_model=dict[PermissionCategory, dict[str, bool]]
+)
 async def get_default_user_permissions(request: Request, user=Depends(get_admin_user)):
-    return {
-        "workspace": WorkspacePermissions(
-            **request.app.state.config.USER_PERMISSIONS.get("workspace", {})
-        ),
-        "sharing": SharingPermissions(
-            **request.app.state.config.USER_PERMISSIONS.get("sharing", {})
-        ),
-        "chat": ChatPermissions(
-            **request.app.state.config.USER_PERMISSIONS.get("chat", {})
-        ),
-        "features": FeaturesPermissions(
-            **request.app.state.config.USER_PERMISSIONS.get("features", {})
-        ),
-    }
+    return Permissions.get_ordre_by_category()
 
 
 @router.post("/default/permissions")
 async def update_default_user_permissions(
-    request: Request, form_data: UserPermissions, user=Depends(get_admin_user)
+    form_data: UserPermissions, user=Depends(get_admin_user)
 ):
-    request.app.state.config.USER_PERMISSIONS = form_data.model_dump()
-    return request.app.state.config.USER_PERMISSIONS
+    permissions_dict = form_data.model_dump()
+
+    for category_str, permissions in permissions_dict.items():
+        try:
+            category = PermissionCategory(category_str)
+
+            for permission_name, value in permissions.items():
+                permission_data = {
+                    "name": permission_name,
+                    "category": category,
+                    "value": value,
+                    "description": f"Default {category.value} permission for {permission_name}",
+                }
+
+                if Permissions.exists(permission_data):
+                    print(f"Updating existing permission: {permission_data}")
+                    Permissions.update(permission_data)
+                else:
+                    print(f"Adding new permission: {permission_data}")
+                    Permissions.add(permission_data)
+
+        except ValueError:
+            # Skip invalid categories
+            continue
+
+    return Permissions.get_ordre_by_category()
 
 
 ############################
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index f6004515fc6..64cc7885cf8 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -16,6 +16,8 @@
 
 from open_webui.models.auths import Auths
 from open_webui.models.users import Users
+
+from open_webui.models.roles import Roles
 from open_webui.models.groups import Groups, GroupModel, GroupUpdateForm, GroupForm
 from open_webui.config import (
     DEFAULT_USER_ROLE,
@@ -87,6 +89,17 @@ def __init__(self, app):
     def get_client(self, provider_name):
         return self.oauth.create_client(provider_name)
 
+    def find_first_role_match(self, oauth_roles, allowed_roles):
+        # Convert to sets for more efficient lookup if lists are large
+        oauth_roles_set = set(oauth_roles)
+        allowed_roles_set = set(allowed_roles)
+
+        # Find the intersection of the two sets
+        matching_roles = oauth_roles_set.intersection(allowed_roles_set)
+
+        # Return the first matching role if any matches found
+        return next(iter(matching_roles), None)
+
     def get_user_role(self, user, user_data):
         if user and Users.get_num_users() == 1:
             # If the user is the only user, assign the role "admin" - actually repairs role for single user on login
@@ -125,8 +138,17 @@ def get_user_role(self, user, user_data):
                 for allowed_role in oauth_allowed_roles:
                     # If the user has any of the allowed roles, assign the role "user"
                     if allowed_role in oauth_roles:
-                        log.debug("Assigned user the user role")
-                        role = "user"
+                        first_match = self.find_first_role_match(
+                            oauth_roles, oauth_allowed_roles
+                        )
+                        if first_match:
+                            Roles.add_role_if_role_do_not_exists(first_match)
+                            role = first_match
+                        else:
+                            # Fallback to role user.
+                            role = "user"
+
+                        log.debug(f"Assigned user the {role} role")
                         break
                 for admin_role in oauth_admin_roles:
                     # If the user has any of the admin roles, assign the role "admin"
diff --git a/src/lib/apis/permissions/index.ts b/src/lib/apis/permissions/index.ts
new file mode 100644
index 00000000000..df2edd6d6f0
--- /dev/null
+++ b/src/lib/apis/permissions/index.ts
@@ -0,0 +1,67 @@
+import { WEBUI_API_BASE_URL } from '$lib/constants';
+
+export const getPermissions = async (token: string) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/permissions/`, {
+		method: 'GET',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		}
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const addPermission = async (
+	token: string,
+	category: string,
+	name: string,
+	label: string,
+	description: string
+) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/permissions/`, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		},
+		body: JSON.stringify({
+			name: name,
+			label: label,
+			category: category,
+			description: description
+		})
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
diff --git a/src/lib/apis/roles/index.ts b/src/lib/apis/roles/index.ts
new file mode 100644
index 00000000000..d7876aa50cf
--- /dev/null
+++ b/src/lib/apis/roles/index.ts
@@ -0,0 +1,214 @@
+import { WEBUI_API_BASE_URL } from '$lib/constants';
+
+export const getRoles = async (token: string) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/roles/`, {
+		method: 'GET',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		}
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const addRole = async (token: string, roleName: string) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/roles/`, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		},
+		body: JSON.stringify({
+			role: roleName
+		})
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const updateRole = async (token: string, roleId: number, roleName: string) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/roles/${roleId}`, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		},
+		body: JSON.stringify({
+			role: roleName
+		})
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const deleteRole = async (token: string, roleName: string) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/roles/${roleName}`, {
+		method: 'DELETE',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		}
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const getRolePermissions = async (token: string, roleName: string) => {
+	let error = null;
+
+	const res = await fetch(`${WEBUI_API_BASE_URL}/roles/${roleName}/permissions`, {
+		method: 'GET',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		}
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const linkRoleToPermissions = async (
+	token: string,
+	roleName: string,
+	categoryName: string,
+	permissionName: string,
+	value: boolean
+) => {
+	let error = null;
+	const res = await fetch(`${WEBUI_API_BASE_URL}/roles/${roleName}/permission/link`, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/json',
+			Authorization: `Bearer ${token}`
+		},
+		body: JSON.stringify({
+			permission_name: permissionName,
+			category: categoryName,
+			value: value
+		})
+	})
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
+
+export const unlinkRoleFromPermissions = async (
+	token: string,
+	roleName: string,
+	categoryName: string,
+	permissionName: string
+) => {
+	let error = null;
+
+	const res = await fetch(
+		`${WEBUI_API_BASE_URL}/roles/${roleName}/permission/${categoryName}/${permissionName}`,
+		{
+			method: 'DELETE',
+			headers: {
+				'Content-Type': 'application/json',
+				Authorization: `Bearer ${token}`
+			}
+		}
+	)
+		.then(async (res) => {
+			if (!res.ok) throw await res.json();
+			return res.json();
+		})
+		.catch((err) => {
+			console.log(err);
+			error = err.detail;
+			return null;
+		});
+
+	if (error) {
+		throw error;
+	}
+
+	return res;
+};
diff --git a/src/lib/components/admin/Users.svelte b/src/lib/components/admin/Users.svelte
index e777757e0ea..1d66d62554e 100644
--- a/src/lib/components/admin/Users.svelte
+++ b/src/lib/components/admin/Users.svelte
@@ -7,6 +7,9 @@
 
 	import UserList from './Users/UserList.svelte';
 	import Groups from './Users/Groups.svelte';
+	import Roles from './Users/RoleList.svelte';
+	import PermissionList from './Users/PermissionList.svelte';
+	import WrenchSolid from '$lib/components/icons/WrenchSolid.svelte';
 
 	const i18n = getContext('i18n');
 
@@ -85,6 +88,45 @@
 			</div>
 			<div class=" self-center">{$i18n.t('Groups')}</div>
 		</button>
+
+		<button
+			class="px-0.5 py-1 min-w-fit rounded-lg lg:flex-none flex text-right transition {selectedTab ===
+			'roles'
+				? ''
+				: ' text-gray-300 dark:text-gray-600 hover:text-gray-700 dark:hover:text-white'}"
+			on:click={() => {
+				selectedTab = 'roles';
+			}}
+		>
+			<div class=" self-center mr-2">
+				<svg
+					xmlns="http://www.w3.org/2000/svg"
+					viewBox="0 0 640 512"
+					fill="currentColor"
+					class="size-4"
+				>
+					<path
+						d="M144 160A80 80 0 1 0 144 0a80 80 0 1 0 0 160zm368 0A80 80 0 1 0 512 0a80 80 0 1 0 0 160zM0 298.7C0 310.4 9.6 320 21.3 320l213.3 0c.2 0 .4 0 .7 0c-26.6-23.5-43.3-57.8-43.3-96c0-7.6 .7-15 1.9-22.3c-13.6-6.3-28.7-9.7-44.6-9.7l-42.7 0C47.8 192 0 239.8 0 298.7zM320 320c24 0 45.9-8.8 62.7-23.3c2.5-3.7 5.2-7.3 8-10.7c2.7-3.3 5.7-6.1 9-8.3C410 262.3 416 243.9 416 224c0-53-43-96-96-96s-96 43-96 96s43 96 96 96zm65.4 60.2c-10.3-5.9-18.1-16.2-20.8-28.2l-103.2 0C187.7 352 128 411.7 128 485.3c0 14.7 11.9 26.7 26.7 26.7l300.6 0c-2.1-5.2-3.2-10.9-3.2-16.4l0-3c-1.3-.7-2.7-1.5-4-2.3l-2.6 1.5c-16.8 9.7-40.5 8-54.7-9.7c-4.5-5.6-8.6-11.5-12.4-17.6l-.1-.2-.1-.2-2.4-4.1-.1-.2-.1-.2c-3.4-6.2-6.4-12.6-9-19.3c-8.2-21.2 2.2-42.6 19-52.3l2.7-1.5c0-.8 0-1.5 0-2.3s0-1.5 0-2.3l-2.7-1.5zM533.3 192l-42.7 0c-15.9 0-31 3.5-44.6 9.7c1.3 7.2 1.9 14.7 1.9 22.3c0 17.4-3.5 33.9-9.7 49c2.5 .9 4.9 2 7.1 3.3l2.6 1.5c1.3-.8 2.6-1.6 4-2.3l0-3c0-19.4 13.3-39.1 35.8-42.6c7.9-1.2 16-1.9 24.2-1.9s16.3 .6 24.2 1.9c22.5 3.5 35.8 23.2 35.8 42.6l0 3c1.3 .7 2.7 1.5 4 2.3l2.6-1.5c16.8-9.7 40.5-8 54.7 9.7c2.3 2.8 4.5 5.8 6.6 8.7c-2.1-57.1-49-102.7-106.6-102.7zm91.3 163.9c6.3-3.6 9.5-11.1 6.8-18c-2.1-5.5-4.6-10.8-7.4-15.9l-2.3-4c-3.1-5.1-6.5-9.9-10.2-14.5c-4.6-5.7-12.7-6.7-19-3l-2.9 1.7c-9.2 5.3-20.4 4-29.6-1.3s-16.1-14.5-16.1-25.1l0-3.4c0-7.3-4.9-13.8-12.1-14.9c-6.5-1-13.1-1.5-19.9-1.5s-13.4 .5-19.9 1.5c-7.2 1.1-12.1 7.6-12.1 14.9l0 3.4c0 10.6-6.9 19.8-16.1 25.1s-20.4 6.6-29.6 1.3l-2.9-1.7c-6.3-3.6-14.4-2.6-19 3c-3.7 4.6-7.1 9.5-10.2 14.6l-2.3 3.9c-2.8 5.1-5.3 10.4-7.4 15.9c-2.6 6.8 .5 14.3 6.8 17.9l2.9 1.7c9.2 5.3 13.7 15.8 13.7 26.4s-4.5 21.1-13.7 26.4l-3 1.7c-6.3 3.6-9.5 11.1-6.8 17.9c2.1 5.5 4.6 10.7 7.4 15.8l2.4 4.1c3 5.1 6.4 9.9 10.1 14.5c4.6 5.7 12.7 6.7 19 3l2.9-1.7c9.2-5.3 20.4-4 29.6 1.3s16.1 14.5 16.1 25.1l0 3.4c0 7.3 4.9 13.8 12.1 14.9c6.5 1 13.1 1.5 19.9 1.5s13.4-.5 19.9-1.5c7.2-1.1 12.1-7.6 12.1-14.9l0-3.4c0-10.6 6.9-19.8 16.1-25.1s20.4-6.6 29.6-1.3l2.9 1.7c6.3 3.6 14.4 2.6 19-3c3.7-4.6 7.1-9.4 10.1-14.5l2.4-4.2c2.8-5.1 5.3-10.3 7.4-15.8c2.6-6.8-.5-14.3-6.8-17.9l-3-1.7c-9.2-5.3-13.7-15.8-13.7-26.4s4.5-21.1 13.7-26.4l3-1.7zM472 384a40 40 0 1 1 80 0 40 40 0 1 1 -80 0z"
+					/>
+				</svg>
+			</div>
+			<div class=" self-center">{$i18n.t('Roles')}</div>
+		</button>
+
+		<button
+			class="px-0.5 py-1 min-w-fit rounded-lg lg:flex-none flex text-right transition {selectedTab ===
+			'permissions'
+				? ''
+				: ' text-gray-300 dark:text-gray-600 hover:text-gray-700 dark:hover:text-white'}"
+			on:click={() => {
+				selectedTab = 'permissions';
+			}}
+		>
+			<div class=" self-center mr-2">
+				<WrenchSolid />
+			</div>
+			<div class=" self-center">{$i18n.t('Permissions')}</div>
+		</button>
 	</div>
 
 	<div class="flex-1 mt-1 lg:mt-0 overflow-y-scroll">
@@ -92,6 +134,10 @@
 			<UserList />
 		{:else if selectedTab === 'groups'}
 			<Groups />
+		{:else if selectedTab === 'roles'}
+			<Roles />
+		{:else if selectedTab === 'permissions'}
+			<PermissionList />
 		{/if}
 	</div>
 </div>
diff --git a/src/lib/components/admin/Users/Groups.svelte b/src/lib/components/admin/Users/Groups.svelte
index 70e5832ea62..93312a8cfa8 100644
--- a/src/lib/components/admin/Users/Groups.svelte
+++ b/src/lib/components/admin/Users/Groups.svelte
@@ -50,41 +50,7 @@
 	});
 
 	let search = '';
-	let defaultPermissions = {
-		workspace: {
-			models: false,
-			knowledge: false,
-			prompts: false,
-			tools: false
-		},
-		sharing: {
-			public_models: false,
-			public_knowledge: false,
-			public_prompts: false,
-			public_tools: false
-		},
-		chat: {
-			controls: true,
-			file_upload: true,
-			delete: true,
-			edit: true,
-			share: true,
-			export: true,
-			stt: true,
-			tts: true,
-			call: true,
-			multiple_models: true,
-			temporary: true,
-			temporary_enforced: false
-		},
-		features: {
-			direct_tool_servers: false,
-			web_search: true,
-			image_generation: true,
-			code_interpreter: true,
-			notes: true
-		}
-	};
+	let defaultPermissions = {};
 
 	let showCreateGroupModal = false;
 	let showDefaultPermissionsModal = false;
diff --git a/src/lib/components/admin/Users/Groups/EditGroupModal.svelte b/src/lib/components/admin/Users/Groups/EditGroupModal.svelte
index 8cc353064c1..3837056ec8d 100644
--- a/src/lib/components/admin/Users/Groups/EditGroupModal.svelte
+++ b/src/lib/components/admin/Users/Groups/EditGroupModal.svelte
@@ -5,11 +5,12 @@
 
 	import Modal from '$lib/components/common/Modal.svelte';
 	import Display from './Display.svelte';
-	import Permissions from './Permissions.svelte';
+	import Permissions from '$lib/components/common/Permissions.svelte';
 	import Users from './Users.svelte';
 	import UserPlusSolid from '$lib/components/icons/UserPlusSolid.svelte';
 	import WrenchSolid from '$lib/components/icons/WrenchSolid.svelte';
 	import ConfirmDialog from '$lib/components/common/ConfirmDialog.svelte';
+	import { getUserDefaultPermissions } from '$lib/apis/users';
 
 	export let onSubmit: Function = () => {};
 	export let onDelete: Function = () => {};
@@ -31,33 +32,8 @@
 	export let name = '';
 	export let description = '';
 
-	export let permissions = {
-		workspace: {
-			models: false,
-			knowledge: false,
-			prompts: false,
-			tools: false
-		},
-		sharing: {
-			public_models: false,
-			public_knowledge: false,
-			public_prompts: false,
-			public_tools: false
-		},
-		chat: {
-			controls: true,
-			file_upload: true,
-			delete: true,
-			edit: true,
-			temporary: true
-		},
-		features: {
-			direct_tool_servers: false,
-			web_search: true,
-			image_generation: true,
-			code_interpreter: true
-		}
-	};
+	export let defaultPermissions = {};
+	export let permissions = {};
 	export let userIds = [];
 
 	const submitHandler = async () => {
@@ -90,7 +66,12 @@
 		init();
 	}
 
-	onMount(() => {
+	onMount(async () => {
+		defaultPermissions = await getUserDefaultPermissions(localStorage.token).catch((error) => {
+			toast.error(`${error}`);
+			return [];
+		});
+		console.log(tabs);
 		selectedTab = tabs[0];
 		init();
 	});
@@ -223,7 +204,7 @@
 							{#if selectedTab == 'general'}
 								<Display bind:name bind:description />
 							{:else if selectedTab == 'permissions'}
-								<Permissions bind:permissions />
+								<Permissions bind:permissions bind:defaultPermissions />
 							{:else if selectedTab == 'users'}
 								<Users bind:userIds {users} />
 							{/if}
diff --git a/src/lib/components/admin/Users/Groups/Permissions.svelte b/src/lib/components/admin/Users/Groups/Permissions.svelte
deleted file mode 100644
index 6af935813bb..00000000000
--- a/src/lib/components/admin/Users/Groups/Permissions.svelte
+++ /dev/null
@@ -1,393 +0,0 @@
-<script lang="ts">
-	import { getContext, onMount } from 'svelte';
-	const i18n = getContext('i18n');
-
-	import Switch from '$lib/components/common/Switch.svelte';
-	import Tooltip from '$lib/components/common/Tooltip.svelte';
-
-	// Default values for permissions
-	const defaultPermissions = {
-		workspace: {
-			models: false,
-			knowledge: false,
-			prompts: false,
-			tools: false
-		},
-		sharing: {
-			public_models: false,
-			public_knowledge: false,
-			public_prompts: false,
-			public_tools: false
-		},
-		chat: {
-			controls: true,
-			file_upload: true,
-			delete: true,
-			edit: true,
-			share: true,
-			export: true,
-			stt: true,
-			tts: true,
-			call: true,
-			multiple_models: true,
-			temporary: true,
-			temporary_enforced: false
-		},
-		features: {
-			direct_tool_servers: false,
-			web_search: true,
-			image_generation: true,
-			code_interpreter: true,
-			notes: true
-		}
-	};
-
-	export let permissions = {};
-
-	// Reactive statement to ensure all fields are present in `permissions`
-	$: {
-		permissions = fillMissingProperties(permissions, defaultPermissions);
-	}
-
-	function fillMissingProperties(obj: any, defaults: any) {
-		return {
-			...defaults,
-			...obj,
-			workspace: { ...defaults.workspace, ...obj.workspace },
-			sharing: { ...defaults.sharing, ...obj.sharing },
-			chat: { ...defaults.chat, ...obj.chat },
-			features: { ...defaults.features, ...obj.features }
-		};
-	}
-
-	onMount(() => {
-		permissions = fillMissingProperties(permissions, defaultPermissions);
-	});
-</script>
-
-<div>
-	<!-- <div>
-		<div class=" mb-2 text-sm font-medium">{$i18n.t('Model Permissions')}</div>
-
-		<div class="mb-2">
-			<div class="flex justify-between items-center text-xs pr-2">
-				<div class=" text-xs font-medium">{$i18n.t('Model Filtering')}</div>
-
-				<Switch bind:state={permissions.model.filter} />
-			</div>
-		</div>
-
-		{#if permissions.model.filter}
-			<div class="mb-2">
-				<div class=" space-y-1.5">
-					<div class="flex flex-col w-full">
-						<div class="mb-1 flex justify-between">
-							<div class="text-xs text-gray-500">{$i18n.t('Model IDs')}</div>
-						</div>
-
-						{#if model_ids.length > 0}
-							<div class="flex flex-col">
-								{#each model_ids as modelId, modelIdx}
-									<div class=" flex gap-2 w-full justify-between items-center">
-										<div class=" text-sm flex-1 rounded-lg">
-											{modelId}
-										</div>
-										<div class="shrink-0">
-											<button
-												type="button"
-												on:click={() => {
-													model_ids = model_ids.filter((_, idx) => idx !== modelIdx);
-												}}
-											>
-												<Minus strokeWidth="2" className="size-3.5" />
-											</button>
-										</div>
-									</div>
-								{/each}
-							</div>
-						{:else}
-							<div class="text-gray-500 text-xs text-center py-2 px-10">
-								{$i18n.t('No model IDs')}
-							</div>
-						{/if}
-					</div>
-				</div>
-				<hr class=" border-gray-100 dark:border-gray-700/10 mt-2.5 mb-1 w-full" />
-
-				<div class="flex items-center">
-					<select
-						class="w-full py-1 text-sm rounded-lg bg-transparent {selectedModelId
-							? ''
-							: 'text-gray-500'} placeholder:text-gray-300 dark:placeholder:text-gray-700 outline-hidden"
-						bind:value={selectedModelId}
-					>
-						<option value="">{$i18n.t('Select a model')}</option>
-						{#each $models.filter((m) => m?.owned_by !== 'arena') as model}
-							<option value={model.id} class="bg-gray-50 dark:bg-gray-700">{model.name}</option>
-						{/each}
-					</select>
-
-					<div>
-						<button
-							type="button"
-							on:click={() => {
-								if (selectedModelId && !permissions.model.model_ids.includes(selectedModelId)) {
-									permissions.model.model_ids = [...permissions.model.model_ids, selectedModelId];
-									selectedModelId = '';
-								}
-							}}
-						>
-							<Plus className="size-3.5" strokeWidth="2" />
-						</button>
-					</div>
-				</div>
-			</div>
-		{/if}
-
-		<div class=" space-y-1 mb-3">
-			<div class="">
-				<div class="flex justify-between items-center text-xs">
-					<div class=" text-xs font-medium">{$i18n.t('Default Model')}</div>
-				</div>
-			</div>
-
-			<div class="flex-1 mr-2">
-				<select
-					class="w-full bg-transparent outline-hidden py-0.5 text-sm"
-					bind:value={permissions.model.default_id}
-					placeholder="Select a model"
-				>
-					<option value="" disabled selected>{$i18n.t('Select a model')}</option>
-					{#each permissions.model.filter ? $models.filter( (model) => filterModelIds.includes(model.id) ) : $models.filter((model) => model.id) as model}
-						<option value={model.id} class="bg-gray-100 dark:bg-gray-700">{model.name}</option>
-					{/each}
-				</select>
-			</div>
-		</div>
-	</div>
-
-	<hr class=" border-gray-100 dark:border-gray-850 my-2" /> -->
-
-	<div>
-		<div class=" mb-2 text-sm font-medium">{$i18n.t('Workspace Permissions')}</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Models Access')}
-			</div>
-			<Switch bind:state={permissions.workspace.models} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Knowledge Access')}
-			</div>
-			<Switch bind:state={permissions.workspace.knowledge} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Prompts Access')}
-			</div>
-			<Switch bind:state={permissions.workspace.prompts} />
-		</div>
-
-		<div class=" ">
-			<Tooltip
-				className=" flex w-full justify-between my-2 pr-2"
-				content={$i18n.t(
-					'Warning: Enabling this will allow users to upload arbitrary code on the server.'
-				)}
-				placement="top-start"
-			>
-				<div class=" self-center text-xs font-medium">
-					{$i18n.t('Tools Access')}
-				</div>
-				<Switch bind:state={permissions.workspace.tools} />
-			</Tooltip>
-		</div>
-	</div>
-
-	<hr class=" border-gray-100 dark:border-gray-850 my-2" />
-
-	<div>
-		<div class=" mb-2 text-sm font-medium">{$i18n.t('Sharing Permissions')}</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Models Public Sharing')}
-			</div>
-			<Switch bind:state={permissions.sharing.public_models} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Knowledge Public Sharing')}
-			</div>
-			<Switch bind:state={permissions.sharing.public_knowledge} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Prompts Public Sharing')}
-			</div>
-			<Switch bind:state={permissions.sharing.public_prompts} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Tools Public Sharing')}
-			</div>
-			<Switch bind:state={permissions.sharing.public_tools} />
-		</div>
-	</div>
-
-	<hr class=" border-gray-100 dark:border-gray-850 my-2" />
-
-	<div>
-		<div class=" mb-2 text-sm font-medium">{$i18n.t('Chat Permissions')}</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow File Upload')}
-			</div>
-
-			<Switch bind:state={permissions.chat.file_upload} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Chat Controls')}
-			</div>
-
-			<Switch bind:state={permissions.chat.controls} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Chat Delete')}
-			</div>
-
-			<Switch bind:state={permissions.chat.delete} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Chat Edit')}
-			</div>
-
-			<Switch bind:state={permissions.chat.edit} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Chat Share')}
-			</div>
-
-			<Switch bind:state={permissions.chat.share} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Chat Export')}
-			</div>
-
-			<Switch bind:state={permissions.chat.export} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Speech to Text')}
-			</div>
-
-			<Switch bind:state={permissions.chat.stt} />
-		</div>
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Text to Speech')}
-			</div>
-
-			<Switch bind:state={permissions.chat.tts} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Call')}
-			</div>
-
-			<Switch bind:state={permissions.chat.call} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Multiple Models in Chat')}
-			</div>
-
-			<Switch bind:state={permissions.chat.multiple_models} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Allow Temporary Chat')}
-			</div>
-
-			<Switch bind:state={permissions.chat.temporary} />
-		</div>
-
-		{#if permissions.chat.temporary}
-			<div class="  flex w-full justify-between my-2 pr-2">
-				<div class=" self-center text-xs font-medium">
-					{$i18n.t('Enforce Temporary Chat')}
-				</div>
-
-				<Switch bind:state={permissions.chat.temporary_enforced} />
-			</div>
-		{/if}
-	</div>
-
-	<hr class=" border-gray-100 dark:border-gray-850 my-2" />
-
-	<div>
-		<div class=" mb-2 text-sm font-medium">{$i18n.t('Features Permissions')}</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Direct Tool Servers')}
-			</div>
-
-			<Switch bind:state={permissions.features.direct_tool_servers} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Web Search')}
-			</div>
-
-			<Switch bind:state={permissions.features.web_search} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Image Generation')}
-			</div>
-
-			<Switch bind:state={permissions.features.image_generation} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Code Interpreter')}
-			</div>
-
-			<Switch bind:state={permissions.features.code_interpreter} />
-		</div>
-
-		<div class="  flex w-full justify-between my-2 pr-2">
-			<div class=" self-center text-xs font-medium">
-				{$i18n.t('Notes')}
-			</div>
-
-			<Switch bind:state={permissions.features.notes} />
-		</div>
-	</div>
-</div>
diff --git a/src/lib/components/admin/Users/PermissionList.svelte b/src/lib/components/admin/Users/PermissionList.svelte
new file mode 100644
index 00000000000..f2558c0d204
--- /dev/null
+++ b/src/lib/components/admin/Users/PermissionList.svelte
@@ -0,0 +1,231 @@
+<script>
+	import { onMount, getContext } from 'svelte';
+	import { toast } from 'svelte-sonner';
+
+	import Tooltip from '$lib/components/common/Tooltip.svelte';
+
+	import { getPermissions } from '$lib/apis/permissions';
+	import AddPermissionModal from '$lib/components/admin/Users/Permissions/AddPermissionModal.svelte';
+
+	import Plus from '$lib/components/icons/Plus.svelte';
+	import ChevronUp from '$lib/components/icons/ChevronUp.svelte';
+	import ChevronDown from '$lib/components/icons/ChevronDown.svelte';
+
+	const i18n = getContext('i18n');
+
+	export let permissions = [];
+
+	let search = '';
+	let page = 1;
+	let showAddPermissionModal = false;
+
+	let sortKey = 'id'; // default sort key
+	let sortOrder = 'asc'; // default sort order
+
+	function setSortKey(key) {
+		if (sortKey === key) {
+			sortOrder = sortOrder === 'asc' ? 'desc' : 'asc';
+		} else {
+			sortKey = key;
+			sortOrder = 'asc';
+		}
+	}
+
+	onMount(async () => {
+		permissions = await getPermissions(localStorage.token).catch((error) => {
+			toast.error(`${error}`);
+			return [];
+		});
+	});
+</script>
+
+<AddPermissionModal
+	bind:show={showAddPermissionModal}
+	on:save={async () => {
+		permissions = await getPermissions(localStorage.token);
+	}}
+/>
+
+<div class="mt-0.5 mb-2 gap-1 flex flex-col md:flex-row justify-between">
+	<div class="flex md:self-center text-lg font-medium px-0.5">
+		<div class="flex-shrink-0">
+			{$i18n.t('Permissions')}
+		</div>
+		<div class="flex self-center w-[1px] h-6 mx-2.5 bg-gray-50 dark:bg-gray-850" />
+	</div>
+
+	<div class="flex gap-1">
+		<div class=" flex w-full space-x-2">
+			<div>
+				<Tooltip content={$i18n.t('Add permission')}>
+					<button
+						class=" p-2 rounded-xl hover:bg-gray-100 dark:bg-gray-900 dark:hover:bg-gray-850 transition font-medium text-sm flex items-center space-x-1"
+						on:click={() => {
+							showAddPermissionModal = !showAddPermissionModal;
+						}}
+					>
+						<Plus className="size-3.5" />
+					</button>
+				</Tooltip>
+			</div>
+		</div>
+	</div>
+</div>
+
+<div
+	class="scrollbar-hidden relative whitespace-nowrap overflow-x-auto max-w-full rounded-sm pt-0.5"
+>
+	<table
+		class="w-full text-sm text-left text-gray-500 dark:text-gray-400 table-auto max-w-full rounded-sm"
+	>
+		<thead
+			class="text-xs text-gray-700 uppercase bg-gray-50 dark:bg-gray-850 dark:text-gray-400 -translate-y-0.5"
+		>
+			<tr class="">
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('id')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Identifier')}
+
+						{#if sortKey === 'id'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('category')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Category')}
+
+						{#if sortKey === 'category'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('name')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Name')}
+
+						{#if sortKey === 'name'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('label')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Label')}
+						{#if sortKey === 'label'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('description')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Description')}
+						{#if sortKey === 'description'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+			</tr>
+		</thead>
+
+		<tbody class="">
+			{#each permissions as perm}
+				<tr class="bg-white dark:bg-gray-900 dark:border-gray-850 text-xs">
+					<td class="px-3 py-1 min-w-[7rem] w-28">
+						<div class=" font-medium self-center">{perm.id}</div>
+					</td>
+					<td class="px-3 py-1 font-medium text-gray-900 dark:text-white w-max">
+						<div class="flex flex-row w-max">
+							<div class=" font-medium self-center">{perm.category}</div>
+						</div>
+					</td>
+					<td class="px-3 py-1 font-medium text-gray-900 dark:text-white w-max">
+						<div class="flex flex-row w-max">
+							<div class=" font-medium self-center">{perm.name}</div>
+						</div>
+					</td>
+					<td class="px-3 py-1 font-medium text-gray-900 dark:text-white w-max">
+						<div class="flex flex-row w-max">
+							<div class=" font-medium self-center">{perm.label}</div>
+						</div>
+					</td>
+					<td class="px-3 py-1 font-medium text-gray-900 dark:text-white w-max">
+						<div class="flex flex-row w-max">
+							<div class=" font-medium self-center">{perm.description}</div>
+						</div>
+					</td>
+				</tr>
+			{/each}
+		</tbody>
+	</table>
+</div>
diff --git a/src/lib/components/admin/Users/Permissions/AddPermissionModal.svelte b/src/lib/components/admin/Users/Permissions/AddPermissionModal.svelte
new file mode 100644
index 00000000000..0ee53eee4b5
--- /dev/null
+++ b/src/lib/components/admin/Users/Permissions/AddPermissionModal.svelte
@@ -0,0 +1,157 @@
+<script lang="ts">
+	import { toast } from 'svelte-sonner';
+	import { createEventDispatcher } from 'svelte';
+	import { onMount, getContext } from 'svelte';
+	import { addPermission } from '$lib/apis/permissions';
+
+	import { WEBUI_BASE_URL } from '$lib/constants';
+
+	import Modal from '$lib/components/common/Modal.svelte';
+
+	const i18n = getContext('i18n');
+	const dispatch = createEventDispatcher();
+
+	export let show = false;
+
+	let loading = false;
+
+	let _permission = {
+		category: '',
+		name: '',
+		label: '',
+		description: ''
+	};
+	const _categories = ['workspace', 'sharing', 'chat', 'features'];
+
+	const submitHandler = async () => {
+		const stopLoading = () => {
+			dispatch('save');
+			loading = false;
+		};
+
+		loading = true;
+		const res = await addPermission(
+			localStorage.token,
+			_permission.category,
+			_permission.name,
+			_permission.label,
+			_permission.description
+		).catch((error) => {
+			toast.error(`${error}`);
+		});
+
+		if (res) {
+			stopLoading();
+			show = false;
+		}
+
+		loading = false;
+	};
+</script>
+
+<Modal size="sm" bind:show>
+	<div>
+		<div class=" flex justify-between dark:text-gray-300 px-5 pt-4 pb-2">
+			<div class=" text-lg font-medium self-center">{$i18n.t('Add Permission')}</div>
+			<button
+				class="self-center"
+				on:click={() => {
+					show = false;
+				}}
+			>
+				<svg
+					xmlns="http://www.w3.org/2000/svg"
+					viewBox="0 0 20 20"
+					fill="currentColor"
+					class="w-5 h-5"
+				>
+					<path
+						d="M6.28 5.22a.75.75 0 00-1.06 1.06L8.94 10l-3.72 3.72a.75.75 0 101.06 1.06L10 11.06l3.72 3.72a.75.75 0 101.06-1.06L11.06 10l3.72-3.72a.75.75 0 00-1.06-1.06L10 8.94 6.28 5.22z"
+					/>
+				</svg>
+			</button>
+		</div>
+
+		<div class="flex flex-col md:flex-row w-full px-4 pb-3 md:space-x-4 dark:text-gray-200">
+			<div class=" flex flex-col w-full sm:flex-row sm:justify-center sm:space-x-6">
+				<form
+					class="flex flex-col w-full"
+					on:submit|preventDefault={() => {
+						submitHandler();
+					}}
+				>
+					<div class="flex flex-col w-full mt-1">
+						<div class="mb-1 text-xs text-gray-500">{$i18n.t('Category')}</div>
+						<div class="flex-1">
+							<select
+								class="w-full text-sm bg-transparent disabled:text-gray-500 dark:disabled:text-gray-500 outline-hidden"
+								bind:value={_permission.category}
+								required
+							>
+								{#each _categories as category}
+									<option value={category}>{category}</option>
+								{/each}
+							</select>
+						</div>
+					</div>
+
+					<div class="flex flex-col w-full mt-1">
+						<div class=" mb-1 text-xs text-gray-500">{$i18n.t('Name')}</div>
+
+						<div class="flex-1">
+							<input
+								class="w-full text-sm bg-transparent disabled:text-gray-500 dark:disabled:text-gray-500 outline-hidden"
+								type="text"
+								bind:value={_permission.name}
+								autocomplete="off"
+								required
+							/>
+						</div>
+					</div>
+
+					<div class="flex flex-col w-full mt-1">
+						<div class=" mb-1 text-xs text-gray-500">{$i18n.t('Label')}</div>
+
+						<div class="flex-1">
+							<input
+								class="w-full text-sm bg-transparent disabled:text-gray-500 dark:disabled:text-gray-500 outline-hidden"
+								type="text"
+								bind:value={_permission.label}
+								autocomplete="off"
+								required
+							/>
+						</div>
+					</div>
+
+					<div class="flex flex-col w-full mt-1">
+						<div class=" mb-1 text-xs text-gray-500">{$i18n.t('Description')}</div>
+
+						<div class="flex-1">
+							<input
+								class="w-full text-sm bg-transparent disabled:text-gray-500 dark:disabled:text-gray-500 outline-hidden"
+								type="text"
+								bind:value={_permission.description}
+								autocomplete="off"
+								required
+							/>
+						</div>
+					</div>
+
+					<hr class=" border-gray-100 dark:border-gray-850 my-2.5 w-full" />
+
+					<div class="flex justify-end pt-3 text-sm font-medium">
+						<button
+							class="px-3.5 py-1.5 text-sm font-medium bg-black hover:bg-gray-900 text-white dark:bg-white dark:text-black dark:hover:bg-gray-100 transition rounded-full flex flex-row space-x-1 items-center {loading
+								? ' cursor-not-allowed'
+								: ''}"
+							type="submit"
+							disabled={loading}
+						>
+							{$i18n.t('Save')}
+						</button>
+					</div>
+				</form>
+			</div>
+		</div>
+	</div>
+</Modal>
diff --git a/src/lib/components/admin/Users/RoleList.svelte b/src/lib/components/admin/Users/RoleList.svelte
new file mode 100644
index 00000000000..78209b6a9e1
--- /dev/null
+++ b/src/lib/components/admin/Users/RoleList.svelte
@@ -0,0 +1,287 @@
+<script>
+	import { onMount, getContext } from 'svelte';
+
+	import dayjs from 'dayjs';
+	import relativeTime from 'dayjs/plugin/relativeTime';
+	import localizedFormat from 'dayjs/plugin/localizedFormat';
+
+	dayjs.extend(relativeTime);
+	dayjs.extend(localizedFormat);
+
+	import { toast } from 'svelte-sonner';
+
+	import { getRoles, updateRole, deleteRole } from '$lib/apis/roles';
+
+	import Tooltip from '$lib/components/common/Tooltip.svelte';
+
+	import EditRoleModal from '$lib/components/admin/Users/Roles/EditRoleModal.svelte';
+	import AddRoleModal from '$lib/components/admin/Users/Roles/AddRoleModal.svelte';
+
+	import ConfirmDialog from '$lib/components/common/ConfirmDialog.svelte';
+	import Plus from '$lib/components/icons/Plus.svelte';
+	import ChevronUp from '$lib/components/icons/ChevronUp.svelte';
+	import ChevronDown from '$lib/components/icons/ChevronDown.svelte';
+
+	const i18n = getContext('i18n');
+
+	export let lockedRoles = ['pending', 'user', 'admin'];
+	export let roles = [];
+
+	let search = '';
+	let selectedRole = null;
+
+	let page = 1;
+
+	let showDeleteConfirmDialog = false;
+	let showAddRoleModal = false;
+	let showEditRoleModal = false;
+
+	const updateRoleHandler = async (id, role) => {
+		const res = await updateRole(localStorage.token, id, role).catch((error) => {
+			toast.error(`${error}`);
+			return null;
+		});
+
+		if (res) {
+			roles = await getRoles(localStorage.token);
+		}
+	};
+
+	const deleteRoleHandler = async (roleName) => {
+		const res = await deleteRole(localStorage.token, roleName).catch((error) => {
+			toast.error(`${error}`);
+			return null;
+		});
+		if (res) {
+			roles = await getRoles(localStorage.token);
+		}
+	};
+
+	let sortKey = 'created_at'; // default sort key
+	let sortOrder = 'asc'; // default sort order
+
+	function setSortKey(key) {
+		if (sortKey === key) {
+			sortOrder = sortOrder === 'asc' ? 'desc' : 'asc';
+		} else {
+			sortKey = key;
+			sortOrder = 'asc';
+		}
+	}
+
+	onMount(async () => {
+		roles = await getRoles(localStorage.token).catch((error) => {
+			toast.error(`${error}`);
+			return [];
+		});
+	});
+</script>
+
+<ConfirmDialog
+	bind:show={showDeleteConfirmDialog}
+	on:confirm={() => {
+		deleteRoleHandler(selectedRole.name);
+	}}
+/>
+
+{#key selectedRole}
+	<EditRoleModal
+		bind:show={showEditRoleModal}
+		{selectedRole}
+		on:save={async () => {
+			roles = await getRoles(localStorage.token);
+		}}
+	/>
+{/key}
+
+<AddRoleModal
+	bind:show={showAddRoleModal}
+	on:save={async () => {
+		roles = await getRoles(localStorage.token);
+	}}
+/>
+
+<div class="mt-0.5 mb-2 gap-1 flex flex-col md:flex-row justify-between">
+	<div class="flex md:self-center text-lg font-medium px-0.5">
+		<div class="flex-shrink-0">
+			{$i18n.t('Roles')}
+		</div>
+		<div class="flex self-center w-[1px] h-6 mx-2.5 bg-gray-50 dark:bg-gray-850" />
+	</div>
+
+	<div class="flex gap-1">
+		<div class=" flex w-full space-x-2">
+			<div>
+				<Tooltip content={$i18n.t('Add Role')}>
+					<button
+						class=" p-2 rounded-xl hover:bg-gray-100 dark:bg-gray-900 dark:hover:bg-gray-850 transition font-medium text-sm flex items-center space-x-1"
+						on:click={() => {
+							showAddRoleModal = !showAddRoleModal;
+						}}
+					>
+						<Plus className="size-3.5" />
+					</button>
+				</Tooltip>
+			</div>
+		</div>
+	</div>
+</div>
+
+<div
+	class="scrollbar-hidden relative whitespace-nowrap overflow-x-auto max-w-full rounded-sm pt-0.5"
+>
+	<table
+		class="w-full text-sm text-left text-gray-500 dark:text-gray-400 table-auto max-w-full rounded-sm"
+	>
+		<thead
+			class="text-xs text-gray-700 uppercase bg-gray-50 dark:bg-gray-850 dark:text-gray-400 -translate-y-0.5"
+		>
+			<tr class="">
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('role')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Identifier')}
+
+						{#if sortKey === 'role'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('name')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Name')}
+
+						{#if sortKey === 'name'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th
+					scope="col"
+					class="px-3 py-1.5 cursor-pointer select-none"
+					on:click={() => setSortKey('created_at')}
+				>
+					<div class="flex gap-1.5 items-center">
+						{$i18n.t('Created at')}
+						{#if sortKey === 'created_at'}
+							<span class="font-normal"
+								>{#if sortOrder === 'asc'}
+									<ChevronUp className="size-2" />
+								{:else}
+									<ChevronDown className="size-2" />
+								{/if}
+							</span>
+						{:else}
+							<span class="invisible">
+								<ChevronUp className="size-2" />
+							</span>
+						{/if}
+					</div>
+				</th>
+				<th scope="col" class="px-3 py-2 text-right" />
+			</tr>
+		</thead>
+
+		<tbody class="">
+			{#each roles as role, roleIdx}
+				<tr class="bg-white dark:bg-gray-900 dark:border-gray-850 text-xs">
+					<td class="px-3 py-1 min-w-[7rem] w-28">
+						<div class=" font-medium self-center">{role.id}</div>
+					</td>
+					<td class="px-3 py-1 font-medium text-gray-900 dark:text-white w-max">
+						<div class="flex flex-row w-max">
+							<div class=" font-medium self-center">{role.name}</div>
+						</div>
+					</td>
+
+					<td class=" px-3 py-1">
+						{dayjs(role.created_at * 1000).format('LL')}
+					</td>
+
+					<td class="px-3 py-1 text-right">
+						<div class="flex justify-end w-full">
+							<Tooltip content={$i18n.t('Edit role')}>
+								<button
+									class="self-center w-fit text-sm px-2 py-2 hover:bg-black/5 dark:hover:bg-white/5 rounded-xl"
+									on:click={async () => {
+										showEditRoleModal = !showEditRoleModal;
+										selectedRole = role;
+									}}
+								>
+									<svg
+										xmlns="http://www.w3.org/2000/svg"
+										fill="none"
+										viewBox="0 0 24 24"
+										stroke-width="1.5"
+										stroke="currentColor"
+										class="w-4 h-4"
+									>
+										<path
+											stroke-linecap="round"
+											stroke-linejoin="round"
+											d="m16.862 4.487 1.687-1.688a1.875 1.875 0 1 1 2.652 2.652L6.832 19.82a4.5 4.5 0 0 1-1.897 1.13l-2.685.8.8-2.685a4.5 4.5 0 0 1 1.13-1.897L16.863 4.487Zm0 0L19.5 7.125"
+										/>
+									</svg>
+								</button>
+							</Tooltip>
+
+							{#if !lockedRoles.includes(role.name)}
+								<Tooltip content={$i18n.t('Delete role')}>
+									<button
+										class="self-center w-fit text-sm px-2 py-2 hover:bg-black/5 dark:hover:bg-white/5 rounded-xl"
+										on:click={async () => {
+											showDeleteConfirmDialog = true;
+											selectedRole = role;
+										}}
+									>
+										<svg
+											xmlns="http://www.w3.org/2000/svg"
+											fill="none"
+											viewBox="0 0 24 24"
+											stroke-width="1.5"
+											stroke="currentColor"
+											class="w-4 h-4"
+										>
+											<path
+												stroke-linecap="round"
+												stroke-linejoin="round"
+												d="m14.74 9-.346 9m-4.788 0L9.26 9m9.968-3.21c.342.052.682.107 1.022.166m-1.022-.165L18.16 19.673a2.25 2.25 0 0 1-2.244 2.077H8.084a2.25 2.25 0 0 1-2.244-2.077L4.772 5.79m14.456 0a48.108 48.108 0 0 0-3.478-.397m-12 .562c.34-.059.68-.114 1.022-.165m0 0a48.11 48.11 0 0 1 3.478-.397m7.5 0v-.916c0-1.18-.91-2.164-2.09-2.201a51.964 51.964 0 0 0-3.32 0c-1.18.037-2.09 1.022-2.09 2.201v.916m7.5 0a48.667 48.667 0 0 0-7.5 0"
+											/>
+										</svg>
+									</button>
+								</Tooltip>
+							{/if}
+						</div>
+					</td>
+				</tr>
+			{/each}
+		</tbody>
+	</table>
+</div>
diff --git a/src/lib/components/admin/Users/Roles/AddRoleModal.svelte b/src/lib/components/admin/Users/Roles/AddRoleModal.svelte
new file mode 100644
index 00000000000..79843dce0d1
--- /dev/null
+++ b/src/lib/components/admin/Users/Roles/AddRoleModal.svelte
@@ -0,0 +1,112 @@
+<script lang="ts">
+	import { toast } from 'svelte-sonner';
+	import { createEventDispatcher } from 'svelte';
+	import { onMount, getContext } from 'svelte';
+	import { addRole } from '$lib/apis/roles';
+
+	import { WEBUI_BASE_URL } from '$lib/constants';
+
+	import Modal from '$lib/components/common/Modal.svelte';
+
+	const i18n = getContext('i18n');
+	const dispatch = createEventDispatcher();
+
+	export let show = false;
+
+	let loading = false;
+
+	let _role = {
+		name: ''
+	};
+
+	$: if (show) {
+		_role = {
+			name: ''
+		};
+	}
+
+	const submitHandler = async () => {
+		const stopLoading = () => {
+			dispatch('save');
+			loading = false;
+		};
+
+		loading = true;
+
+		const res = await addRole(localStorage.token, _role.name).catch((error) => {
+			toast.error(`${error}`);
+		});
+
+		if (res) {
+			stopLoading();
+			show = false;
+		}
+
+		loading = false;
+	};
+</script>
+
+<Modal size="sm" bind:show>
+	<div>
+		<div class=" flex justify-between dark:text-gray-300 px-5 pt-4 pb-2">
+			<div class=" text-lg font-medium self-center">{$i18n.t('Add Role')}</div>
+			<button
+				class="self-center"
+				on:click={() => {
+					show = false;
+				}}
+			>
+				<svg
+					xmlns="http://www.w3.org/2000/svg"
+					viewBox="0 0 20 20"
+					fill="currentColor"
+					class="w-5 h-5"
+				>
+					<path
+						d="M6.28 5.22a.75.75 0 00-1.06 1.06L8.94 10l-3.72 3.72a.75.75 0 101.06 1.06L10 11.06l3.72 3.72a.75.75 0 101.06-1.06L11.06 10l3.72-3.72a.75.75 0 00-1.06-1.06L10 8.94 6.28 5.22z"
+					/>
+				</svg>
+			</button>
+		</div>
+
+		<div class="flex flex-col md:flex-row w-full px-4 pb-3 md:space-x-4 dark:text-gray-200">
+			<div class=" flex flex-col w-full sm:flex-row sm:justify-center sm:space-x-6">
+				<form
+					class="flex flex-col w-full"
+					on:submit|preventDefault={() => {
+						submitHandler();
+					}}
+				>
+					<div class="flex flex-col w-full mt-1">
+						<div class=" mb-1 text-xs text-gray-500">{$i18n.t('Name')}</div>
+
+						<div class="flex-1">
+							<input
+								class="w-full text-sm bg-transparent disabled:text-gray-500 dark:disabled:text-gray-500 outline-hidden"
+								type="text"
+								bind:value={_role.name}
+								placeholder={$i18n.t('Role name, should be lower case and without spaces')}
+								autocomplete="off"
+								required
+							/>
+						</div>
+					</div>
+
+					<hr class=" border-gray-100 dark:border-gray-850 my-2.5 w-full" />
+
+					<div class="flex justify-end pt-3 text-sm font-medium">
+						<button
+							class="px-3.5 py-1.5 text-sm font-medium bg-black hover:bg-gray-900 text-white dark:bg-white dark:text-black dark:hover:bg-gray-100 transition rounded-full flex flex-row space-x-1 items-center {loading
+								? ' cursor-not-allowed'
+								: ''}"
+							type="submit"
+							disabled={loading}
+						>
+							{$i18n.t('Save')}
+						</button>
+					</div>
+				</form>
+			</div>
+		</div>
+	</div>
+</Modal>
diff --git a/src/lib/components/admin/Users/Roles/EditRoleModal.svelte b/src/lib/components/admin/Users/Roles/EditRoleModal.svelte
new file mode 100644
index 00000000000..6b302fa203b
--- /dev/null
+++ b/src/lib/components/admin/Users/Roles/EditRoleModal.svelte
@@ -0,0 +1,199 @@
+<script lang="ts">
+	import { toast } from 'svelte-sonner';
+	import dayjs from 'dayjs';
+	import { createEventDispatcher } from 'svelte';
+	import { onMount, getContext } from 'svelte';
+
+	import { updateRole, getRolePermissions, linkRoleToPermissions } from '$lib/apis/roles';
+	import { getUserDefaultPermissions } from '$lib/apis/users';
+
+	import Modal from '$lib/components/common/Modal.svelte';
+	import localizedFormat from 'dayjs/plugin/localizedFormat';
+	import Permissions from '$lib/components/common/Permissions.svelte';
+	import WrenchSolid from '$lib/components/icons/WrenchSolid.svelte';
+	import Plus from '$lib/components/icons/Plus.svelte';
+
+	const i18n = getContext('i18n');
+	const dispatch = createEventDispatcher();
+	dayjs.extend(localizedFormat);
+
+	export let show = false;
+	export let selectedRole;
+	export let tabs = ['general', 'permissions'];
+	export let lockedRoles = ['pending', 'user', 'admin'];
+
+	let selectedTab = 'general';
+	let defaultPermissions = {};
+	let permissions = {};
+	let _role = {
+		id: '',
+		name: ''
+	};
+
+	const submitHandler = async () => {
+		const res = await updateRole(localStorage.token, selectedRole.id, _role.name).catch((error) => {
+			toast.error(`${error}`);
+		});
+
+		if (res) {
+			// Loop through permissions and link them to the role
+			for (const [categoryName, category] of Object.entries(permissions)) {
+				for (const [permissionName, value] of Object.entries(category)) {
+					await linkRoleToPermissions(
+						localStorage.token,
+						_role.name,
+						categoryName,
+						permissionName,
+						value
+					).catch((error) => {
+						toast.error(`Failed to link permission ${permissionName}: ${error}`);
+					});
+				}
+			}
+
+			dispatch('save');
+			show = false;
+		}
+	};
+
+	onMount(async () => {
+		if (selectedRole) {
+			_role = selectedRole;
+
+			defaultPermissions = await getUserDefaultPermissions(localStorage.token).catch((error) => {
+				toast.error(`${error}`);
+				return [];
+			});
+
+			permissions = await getRolePermissions(localStorage.token, _role.name).catch((error) => {
+				toast.error(`${error}`);
+				return [];
+			});
+		}
+	});
+</script>
+
+<Modal size="md" bind:show>
+	<div>
+		<div class=" flex justify-between dark:text-gray-300 px-5 py-4">
+			<div class=" text-lg font-medium self-center">{$i18n.t('Edit Role')}</div>
+			<button
+				class="self-center"
+				on:click={() => {
+					show = false;
+				}}
+			>
+				<svg
+					xmlns="http://www.w3.org/2000/svg"
+					viewBox="0 0 20 20"
+					fill="currentColor"
+					class="w-5 h-5"
+				>
+					<path
+						d="M6.28 5.22a.75.75 0 00-1.06 1.06L8.94 10l-3.72 3.72a.75.75 0 101.06 1.06L10 11.06l3.72 3.72a.75.75 0 101.06-1.06L11.06 10l3.72-3.72a.75.75 0 00-1.06-1.06L10 8.94 6.28 5.22z"
+					/>
+				</svg>
+			</button>
+		</div>
+		<hr class="border-gray-100 dark:border-gray-850" />
+
+		<div class="flex flex-col md:flex-row w-full px-4 pb-4 md:space-x-4 dark:text-gray-200">
+			<div class=" flex flex-col w-full sm:flex-row sm:justify-center sm:space-x-6">
+				<form
+					class="flex flex-col w-full"
+					on:submit={(e) => {
+						e.preventDefault();
+						submitHandler();
+					}}
+				>
+					<div class="flex flex-col lg:flex-row w-full h-full pb-2 lg:space-x-4">
+						<div
+							id="admin-settings-tabs-container"
+							class="tabs flex flex-row overflow-x-auto gap-2.5 max-w-full lg:gap-1 lg:flex-col lg:flex-none lg:w-40 dark:text-gray-200 text-sm font-medium text-left scrollbar-none"
+						>
+							{#if tabs.includes('general')}
+								<button
+									class="px-0.5 py-1 max-w-fit w-fit rounded-lg flex-1 lg:flex-none flex text-right transition {selectedTab ===
+									'general'
+										? ''
+										: ' text-gray-300 dark:text-gray-600 hover:text-gray-700 dark:hover:text-white'}"
+									on:click={() => {
+										selectedTab = 'general';
+									}}
+									type="button"
+								>
+									<div class=" self-center mr-2">
+										<svg
+											xmlns="http://www.w3.org/2000/svg"
+											viewBox="0 0 16 16"
+											fill="currentColor"
+											class="w-4 h-4"
+										>
+											<path
+												fill-rule="evenodd"
+												d="M6.955 1.45A.5.5 0 0 1 7.452 1h1.096a.5.5 0 0 1 .497.45l.17 1.699c.484.12.94.312 1.356.562l1.321-1.081a.5.5 0 0 1 .67.033l.774.775a.5.5 0 0 1 .034.67l-1.08 1.32c.25.417.44.873.561 1.357l1.699.17a.5.5 0 0 1 .45.497v1.096a.5.5 0 0 1-.45.497l-1.699.17c-.12.484-.312.94-.562 1.356l1.082 1.322a.5.5 0 0 1-.034.67l-.774.774a.5.5 0 0 1-.67.033l-1.322-1.08c-.416.25-.872.44-1.356.561l-.17 1.699a.5.5 0 0 1-.497.45H7.452a.5.5 0 0 1-.497-.45l-.17-1.699a4.973 4.973 0 0 1-1.356-.562L4.108 13.37a.5.5 0 0 1-.67-.033l-.774-.775a.5.5 0 0 1-.034-.67l1.08-1.32a4.971 4.971 0 0 1-.561-1.357l-1.699-.17A.5.5 0 0 1 1 8.548V7.452a.5.5 0 0 1 .45-.497l1.699-.17c.12-.484.312-.94.562-1.356L2.629 4.107a.5.5 0 0 1 .034-.67l.774-.774a.5.5 0 0 1 .67-.033L5.43 3.71a4.97 4.97 0 0 1 1.356-.561l.17-1.699ZM6 8c0 .538.212 1.026.558 1.385l.057.057a2 2 0 0 0 2.828-2.828l-.058-.056A2 2 0 0 0 6 8Z"
+												clip-rule="evenodd"
+											/>
+										</svg>
+									</div>
+									<div class=" self-center">{$i18n.t('General')}</div>
+								</button>
+							{/if}
+
+							{#if tabs.includes('permissions')}
+								<button
+									class="px-0.5 py-1 max-w-fit w-fit rounded-lg flex-1 lg:flex-none flex text-right transition {selectedTab ===
+									'permissions'
+										? ''
+										: ' text-gray-300 dark:text-gray-600 hover:text-gray-700 dark:hover:text-white'}"
+									on:click={() => {
+										selectedTab = 'permissions';
+									}}
+									type="button"
+								>
+									<div class=" self-center mr-2">
+										<WrenchSolid />
+									</div>
+									<div class="self-center">{$i18n.t('Permissions')}</div>
+								</button>
+							{/if}
+						</div>
+
+						<div
+							class="flex-1 mt-1 lg:mt-1 lg:h-[22rem] lg:max-h-[22rem] overflow-y-auto scrollbar-hidden"
+						>
+							{#if selectedTab === 'general'}
+								<div class="flex flex-col w-full mt-1">
+									<div class=" mb-1 text-xs text-gray-500">{$i18n.t('Name')}</div>
+
+									<div class="flex-1">
+										<input
+											class="w-full text-sm bg-transparent disabled:text-gray-500 dark:disabled:text-gray-500 outline-hidden"
+											type="text"
+											bind:value={_role.name}
+											placeholder={$i18n.t('Role name, should be lower case and without spaces')}
+											autocomplete="off"
+											required
+											disabled={lockedRoles.includes(_role.name) ? 'disabled' : ''}
+										/>
+									</div>
+								</div>
+							{:else if selectedTab === 'permissions'}
+								<Permissions bind:permissions bind:defaultPermissions />
+							{/if}
+						</div>
+					</div>
+
+					<div class="flex justify-end pt-3 text-sm font-medium">
+						<button
+							class="px-3.5 py-1.5 text-sm font-medium bg-black hover:bg-gray-900 text-white dark:bg-white dark:text-black dark:hover:bg-gray-100 transition rounded-full flex flex-row space-x-1 items-center"
+							type="submit"
+						>
+							{$i18n.t('Save')}
+						</button>
+					</div>
+				</form>
+			</div>
+		</div>
+	</div>
+</Modal>
diff --git a/src/lib/components/admin/Users/UserList.svelte b/src/lib/components/admin/Users/UserList.svelte
index 61816780ba5..80851a72ac1 100644
--- a/src/lib/components/admin/Users/UserList.svelte
+++ b/src/lib/components/admin/Users/UserList.svelte
@@ -21,6 +21,7 @@
 	import EditUserModal from '$lib/components/admin/Users/UserList/EditUserModal.svelte';
 	import UserChatsModal from '$lib/components/admin/Users/UserList/UserChatsModal.svelte';
 	import AddUserModal from '$lib/components/admin/Users/UserList/AddUserModal.svelte';
+	import { getRoles } from '$lib/apis/roles';
 
 	import ConfirmDialog from '$lib/components/common/ConfirmDialog.svelte';
 	import RoleUpdateConfirmDialog from '$lib/components/common/ConfirmDialog.svelte';
@@ -54,15 +55,20 @@
 	let showEditUserModal = false;
 	let showUpdateRoleModal = false;
 
+	const getNextRole = (currentRole) => {
+		// Find the current role index
+		const currentRoleIndex = roles.findIndex((r) => r.name === selectedUser.role);
+		// Get the next role index (loop back to 0 if at end)
+		const nextRoleIndex = (currentRoleIndex + 1) % roles.length;
+
+		return roles[nextRoleIndex];
+	};
+
 	const onUpdateRole = (user) => {
-		if (user.role === 'user') {
-			updateRoleHandler(user.id, 'admin');
-		} else if (user.role === 'pending') {
-			updateRoleHandler(user.id, 'user');
-		} else {
-			updateRoleHandler(user.id, 'pending');
-		}
+		const role = getNextRole(user.role);
+		updateRoleHandler(user.id, role.name);
 	};
+
 	const updateRoleHandler = async (id, role) => {
 		const res = await updateUserRole(localStorage.token, id, role).catch((error) => {
 			toast.error(`${error}`);
@@ -124,6 +130,14 @@
 	$: if (query !== null && orderBy && direction) {
 		getUserList();
 	}
+
+	let roles = [];
+	onMount(async () => {
+		roles = await getRoles(localStorage.token).catch((error) => {
+			toast.error(`${error}`);
+			return [];
+		});
+	});
 </script>
 
 <ConfirmDialog
@@ -133,20 +147,18 @@
 	}}
 />
 
-<RoleUpdateConfirmDialog
-	bind:show={showUpdateRoleModal}
-	on:confirm={() => {
-		onUpdateRole(selectedUser);
-	}}
-	message={$i18n.t(`Are you sure you want to update this user\'s role to **{{ROLE}}**?`, {
-		ROLE:
-			selectedUser?.role === 'user'
-				? 'admin'
-				: selectedUser?.role === 'pending'
-					? 'user'
-					: 'pending'
-	})}
-/>
+
+{#key selectedUser}
+	<RoleUpdateConfirmDialog
+		bind:show={showUpdateRoleModal}
+		on:confirm={() => {
+			onUpdateRole(selectedUser);
+		}}
+		message={$i18n.t(`Are you sure you want to update this user\'s role to **{{ROLE}}**?`, {
+			ROLE: selectedUser?.role ? getNextRole(selectedUser.role).name : ''
+		})}
+	/>
+{/key}
 
 {#key selectedUser}
 	<EditUserModal
diff --git a/src/lib/components/admin/Users/UserList/AddUserModal.svelte b/src/lib/components/admin/Users/UserList/AddUserModal.svelte
index cad799eb546..1a4fcf5399e 100644
--- a/src/lib/components/admin/Users/UserList/AddUserModal.svelte
+++ b/src/lib/components/admin/Users/UserList/AddUserModal.svelte
@@ -3,6 +3,7 @@
 	import { createEventDispatcher } from 'svelte';
 	import { onMount, getContext } from 'svelte';
 	import { addUser } from '$lib/apis/auths';
+	import { getRoles } from '$lib/apis/roles';
 
 	import { WEBUI_BASE_URL } from '$lib/constants';
 
@@ -34,6 +35,14 @@
 		};
 	}
 
+	let roles = [];
+	onMount(async () => {
+		roles = await getRoles(localStorage.token).catch((error) => {
+			toast.error(`${error}`);
+			return [];
+		});
+	});
+
 	const submitHandler = async () => {
 		const stopLoading = () => {
 			dispatch('save');
@@ -78,7 +87,7 @@
 						if (idx > 0) {
 							if (
 								columns.length === 4 &&
-								['admin', 'user', 'pending'].includes(columns[3].toLowerCase())
+								roles.map((role) => role.name).includes(columns[3].toLowerCase())
 							) {
 								const res = await addUser(
 									localStorage.token,
@@ -189,9 +198,9 @@
 										placeholder={$i18n.t('Enter Your Role')}
 										required
 									>
-										<option value="pending"> {$i18n.t('pending')} </option>
-										<option value="user"> {$i18n.t('user')} </option>
-										<option value="admin"> {$i18n.t('admin')} </option>
+										{#each roles as role}
+											<option value={role.name}>{$i18n.t(role.name)}</option>
+										{/each}
 									</select>
 								</div>
 							</div>
diff --git a/src/lib/components/common/Permissions.svelte b/src/lib/components/common/Permissions.svelte
new file mode 100644
index 00000000000..d717ed40a70
--- /dev/null
+++ b/src/lib/components/common/Permissions.svelte
@@ -0,0 +1,91 @@
+<script lang="ts">
+	import { getContext, onMount } from 'svelte';
+	import { getPermissions } from '$lib/apis/permissions';
+
+	const i18n = getContext('i18n');
+
+	import Switch from '$lib/components/common/Switch.svelte';
+	import { toast } from 'svelte-sonner';
+
+	export let defaultPermissions = {};
+	export let permissions = {};
+
+	let allPermissions = [];
+	let loading = true;
+
+	// Reactive statement to ensure all fields are present in `permissions`
+	$: {
+		permissions = fillMissingProperties(permissions, defaultPermissions);
+	}
+
+	function fillMissingProperties(obj: any, defaults: any) {
+		return {
+			...defaults,
+			...obj,
+			workspace: { ...defaults.workspace, ...obj.workspace },
+			sharing: { ...defaults.sharing, ...obj.sharing },
+			chat: { ...defaults.chat, ...obj.chat },
+			features: { ...defaults.features, ...obj.features }
+		};
+	}
+
+	function formatPermissionName(key: string): string {
+		// Find a permission with a matching name in allPermissions
+		const permission = Array.isArray(allPermissions) && allPermissions.find((p) => p.name === key);
+
+		// Return the label
+		return permission.label;
+	}
+
+	function formatPermissionCategory(key: string): string {
+		return key.charAt(0).toUpperCase() + key.slice(1) + ' Permissions';
+	}
+
+	onMount(async () => {
+		permissions = fillMissingProperties(permissions, defaultPermissions);
+
+		try {
+			const result = await getPermissions(localStorage.token);
+			if (Array.isArray(result) && result.length > 0) {
+				allPermissions = result;
+			} else {
+				console.error('getPermissions returned empty or invalid data', result);
+				toast.error('Failed to load permission data');
+			}
+		} catch (error) {
+			console.error('Error loading permissions:', error);
+			toast.error(`Failed to load permissions: ${error}`);
+		} finally {
+			loading = false;
+		}
+	});
+</script>
+
+<div>
+	{#if loading}
+		<div class="flex justify-center py-4">
+			<span class="text-sm">Loading permissions...</span>
+		</div>
+	{:else}
+		{#each Object.entries(permissions) as [categoryName, category], index}
+			{#if index !== 0}
+				<hr class=" border-gray-100 dark:border-gray-850 my-2" />
+			{/if}
+			<div>
+				<div class=" mb-2 text-sm font-medium">
+					{$i18n.t(formatPermissionCategory(categoryName))}
+				</div>
+
+				{#each Object.entries(category) as [key, value]}
+					<div class="flex w-full justify-between my-2 pr-2">
+						<div class="self-center text-xs font-medium">
+							{$i18n.t(formatPermissionName(key))}
+						</div>
+
+						<Switch bind:state={permissions[categoryName][key]} />
+					</div>
+				{/each}
+			</div>
+		{/each}
+	{/if}
+</div>
diff --git a/vite.config.ts b/vite.config.ts
index ed690f5023b..0629094e8da 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -35,7 +35,8 @@ export default defineConfig({
 		APP_BUILD_HASH: JSON.stringify(process.env.APP_BUILD_HASH || 'dev-build')
 	},
 	build: {
-		sourcemap: true
+		sourcemap: true,
+		cache: true
 	},
 	worker: {
 		format: 'es'