























@@ -0,0 +1,182 @@
1+---
2+summary: "Reusable sender allowlists for message channels"
3+read_when:
4+ - Configuring the same allowlist across multiple message channels
5+ - Sharing DM and group sender access rules
6+ - Reviewing message-channel access control
7+title: "Access groups"
8+---
9+10+Access groups are named sender lists you define once and reference from channel allowlists with `accessGroup:<name>`.
11+12+Use them when the same people should be allowed across several message channels, or when one trusted set should apply to both DMs and group sender authorization.
13+14+Access groups do not grant access by themselves. A group only matters when an allowlist field references it.
15+16+## Static message sender groups
17+18+Static sender groups use `type: "message.senders"`.
19+20+```json5
21+{
22+ accessGroups: {
23+ operators: {
24+ type: "message.senders",
25+ members: {
26+"*": ["global-owner-id"],
27+ discord: ["discord:123456789012345678"],
28+ telegram: ["987654321"],
29+ whatsapp: ["+15551234567"],
30+ },
31+ },
32+ },
33+}
34+```
35+36+Member lists are keyed by message-channel id:
37+38+| Key | Meaning |
39+| ---------- | ----------------------------------------------------------------------- |
40+| `"*"` | Shared entries checked for every message channel that references group. |
41+| `discord` | Entries checked only for Discord allowlist matching. |
42+| `telegram` | Entries checked only for Telegram allowlist matching. |
43+| `whatsapp` | Entries checked only for WhatsApp allowlist matching. |
44+45+Entries are matched with the destination channel's normal `allowFrom` rules. OpenClaw does not translate sender ids between channels. If Alice has a Telegram id and a Discord id, list both ids under the appropriate keys.
46+47+## Reference groups from allowlists
48+49+Reference a group with `accessGroup:<name>` anywhere the message channel path supports sender allowlists.
50+51+DM allowlist example:
52+53+```json5
54+{
55+ accessGroups: {
56+ operators: {
57+ type: "message.senders",
58+ members: {
59+ discord: ["discord:123456789012345678"],
60+ telegram: ["987654321"],
61+ },
62+ },
63+ },
64+ channels: {
65+ discord: {
66+ dmPolicy: "allowlist",
67+ allowFrom: ["accessGroup:operators"],
68+ },
69+ telegram: {
70+ dmPolicy: "allowlist",
71+ allowFrom: ["accessGroup:operators"],
72+ },
73+ },
74+}
75+```
76+77+Group sender allowlist example:
78+79+```json5
80+{
81+ accessGroups: {
82+ oncall: {
83+ type: "message.senders",
84+ members: {
85+ whatsapp: ["+15551234567"],
86+ googlechat: ["users/1234567890"],
87+ },
88+ },
89+ },
90+ channels: {
91+ whatsapp: {
92+ groupPolicy: "allowlist",
93+ groupAllowFrom: ["accessGroup:oncall"],
94+ },
95+ googlechat: {
96+ spaces: {
97+"spaces/AAA": {
98+ users: ["accessGroup:oncall"],
99+ },
100+ },
101+ },
102+ },
103+}
104+```
105+106+You can mix groups and direct entries:
107+108+```json5
109+{
110+ channels: {
111+ discord: {
112+ dmPolicy: "allowlist",
113+ allowFrom: ["accessGroup:operators", "discord:123456789012345678"],
114+ },
115+ },
116+}
117+```
118+119+## Supported message-channel paths
120+121+Access groups are available in shared message-channel authorization paths, including:
122+123+- DM sender allowlists such as `channels.<channel>.allowFrom`
124+- group sender allowlists such as `channels.<channel>.groupAllowFrom`
125+- channel-specific per-room sender allowlists that use the same sender matching rules
126+- command authorization paths that reuse message-channel sender allowlists
127+128+Channel support depends on whether that channel is wired through the shared OpenClaw sender-authorization helpers. Current bundled support includes Discord, Google Chat, Nostr, WhatsApp, Zalo, and Zalo Personal. Static `message.senders` groups are designed to be channel-agnostic, so new message channels should support them by using the shared plugin SDK helpers instead of custom allowlist expansion.
129+130+## Discord channel audiences
131+132+Discord also supports a dynamic access group type:
133+134+```json5
135+{
136+ accessGroups: {
137+ maintainers: {
138+ type: "discord.channelAudience",
139+ guildId: "1456350064065904867",
140+ channelId: "1456744319972282449",
141+ membership: "canViewChannel",
142+ },
143+ },
144+ channels: {
145+ discord: {
146+ dmPolicy: "allowlist",
147+ allowFrom: ["accessGroup:maintainers"],
148+ },
149+ },
150+}
151+```
152+153+`discord.channelAudience` means "allow Discord DM senders who can currently view this guild channel." OpenClaw resolves the sender through Discord at authorization time and applies Discord `ViewChannel` permission rules.
154+155+Use this when a Discord channel is already the source of truth for a team, such as `#maintainers` or `#on-call`.
156+157+Requirements and failure behavior:
158+159+- The bot needs access to the guild and channel.
160+- The bot needs the Discord Developer Portal **Server Members Intent**.
161+- The access group fails closed when Discord returns `Missing Access`, the sender cannot be resolved as a guild member, or the channel belongs to another guild.
162+163+More Discord-specific examples: [Discord access control](/channels/discord#access-control-and-routing)
164+165+## Security notes
166+167+- Access groups are allowlist aliases, not roles. They do not create owners, approve pairing requests, or grant tool permissions by themselves.
168+- `dmPolicy: "open"` still requires `"*"` in the effective DM allowlist. Referencing an access group is not the same as public access.
169+- Missing group names fail closed. If `allowFrom` contains `accessGroup:operators` and `accessGroups.operators` is absent, that entry authorizes nobody.
170+- Keep channel ids stable. Prefer numeric/user ids over display names when the channel supports both.
171+172+## Troubleshooting
173+174+If a sender should match but is blocked:
175+176+1. Confirm the allowlist field contains the exact `accessGroup:<name>` reference.
177+2. Confirm `accessGroups.<name>.type` is correct.
178+3. Confirm the sender id is listed under the matching channel key, or under `"*"`.
179+4. Confirm the entry uses that channel's normal allowlist syntax.
180+5. For Discord channel audiences, confirm the bot can see the guild channel and has Server Members Intent enabled.
181+182+Run `openclaw doctor` after editing access-control config. It catches many invalid allowlist and policy combinations before runtime.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。