docs/channels/access-groups.md
Access groups are named sender lists you define once under accessGroups and reference from channel allowlists with accessGroup:<name>.
Use them when the same people should be allowed across several message channels, or when one trusted set should apply to both DMs and group sender authorization.
A group grants nothing by itself. It only matters where an allowlist field references it.
Static sender groups use type: "message.senders". members is keyed by message-channel id, plus "*" for entries shared by every channel:
{
accessGroups: {
operators: {
type: "message.senders",
members: {
"*": ["global-owner-id"],
discord: ["discord:123456789012345678"],
telegram: ["987654321"],
whatsapp: ["+15551234567"],
},
},
},
}
| Key | Meaning |
|---|---|
"*" | Shared entries checked for every message channel that references the group. |
discord, telegram, ... | Entries checked only for that channel's allowlist matching. |
Entries are matched with the destination channel's normal allowFrom rules. OpenClaw does not translate sender ids between channels: if Alice has a Telegram id and a Discord id, list both ids under the matching channel keys.
Reference a group with accessGroup:<name> anywhere the message channel path supports sender allowlists.
DM allowlist example:
{
accessGroups: {
operators: {
type: "message.senders",
members: {
discord: ["discord:123456789012345678"],
telegram: ["987654321"],
},
},
},
channels: {
discord: {
dmPolicy: "allowlist",
allowFrom: ["accessGroup:operators"],
},
telegram: {
dmPolicy: "allowlist",
allowFrom: ["accessGroup:operators"],
},
},
}
Group sender allowlist example:
{
accessGroups: {
oncall: {
type: "message.senders",
members: {
whatsapp: ["+15551234567"],
googlechat: ["users/1234567890"],
},
},
},
channels: {
whatsapp: {
groupPolicy: "allowlist",
groupAllowFrom: ["accessGroup:oncall"],
},
googlechat: {
groups: {
"spaces/AAA": {
users: ["accessGroup:oncall"],
},
},
},
},
}
You can mix groups and direct entries:
{
channels: {
discord: {
dmPolicy: "allowlist",
allowFrom: ["accessGroup:operators", "discord:123456789012345678"],
},
},
}
Access groups work in the shared message-channel authorization paths:
channels.<channel>.allowFromchannels.<channel>.groupAllowFromgroups.<space>.users)Channel support depends on whether that channel is wired through the shared OpenClaw sender-authorization helpers. Current bundled support includes ClickClack, Discord, Feishu, Google Chat, iMessage, IRC, LINE, Mattermost, Microsoft Teams, Nextcloud Talk, Nostr, QQ Bot, Signal, Slack, SMS, Telegram, WhatsApp, Zalo, and Zalo Personal. Static message.senders groups are channel-agnostic, so new message channels get them by using the shared plugin SDK ingress helpers instead of custom allowlist expansion.
Discord also supports a dynamic access group type:
{
accessGroups: {
maintainers: {
type: "discord.channelAudience",
guildId: "1456350064065904867",
channelId: "1456744319972282449",
membership: "canViewChannel",
},
},
channels: {
discord: {
dmPolicy: "allowlist",
allowFrom: ["accessGroup:maintainers"],
},
},
}
discord.channelAudience means "allow Discord DM senders who can currently view this guild channel." OpenClaw resolves the sender through Discord at authorization time and applies Discord ViewChannel permission rules. membership is optional and defaults to canViewChannel.
Use this when a Discord channel is already the source of truth for a team, such as #maintainers or #on-call.
Requirements and failure behavior:
Missing Access, the sender cannot be resolved as a guild member, or the channel belongs to another guild.More Discord-specific examples: Discord access control
Plugin authors can inspect structured access-group state without expanding it back into a flat allowlist:
import { resolveAccessGroupAllowFromState } from "openclaw/plugin-sdk/access-groups";
const state = await resolveAccessGroupAllowFromState({
accessGroups: cfg.accessGroups,
allowFrom: channelConfig.allowFrom,
channel: "my-channel",
accountId: "default",
senderId,
isSenderAllowed,
});
The result reports referenced, matched, missing, unsupported, and failed groups. Use it for diagnostics or conformance tests. Use expandAllowFromWithAccessGroups(...) only for compatibility paths that still expect a flat allowFrom array.
dmPolicy: "open" still requires "*" in the effective DM allowlist. Referencing an access group is not the same as public access.allowFrom contains accessGroup:operators and accessGroups.operators is absent, that entry authorizes nobody.If a sender should match but is blocked:
accessGroup:<name> reference.accessGroups.<name>.type is correct."*".Run openclaw doctor after editing access-control config. It catches many invalid allowlist and policy combinations before runtime.