diff --git a/weed/admin/README.md b/weed/admin/README.md
index a97515b01..d6777a4f1 100644
--- a/weed/admin/README.md
+++ b/weed/admin/README.md
@@ -172,7 +172,7 @@ redirect_url = "https://admin.example.com/login/oidc/callback"
 scopes = ["openid", "profile", "email"]
 
 [admin.oidc.role_mapping]
-default_role = "admin"
+default_role = "readonly"
 
 [[admin.oidc.role_mapping.rules]]
 claim = "groups"
@@ -180,7 +180,7 @@ value = "seaweedfs-admin"
 role = "admin"
 ```
-Role mapping must resolve to `admin`.
+Role mapping must resolve to either `admin` or `readonly`.
 OIDC sessions are capped to the ID token expiration time.
 ### Docker Usage
diff --git a/weed/command/scaffold/security.toml b/weed/command/scaffold/security.toml
index 07c4f7341..32681637b 100644
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -180,13 +180,18 @@ tls_ca_cert = "" # optional absolute path for custom CA bundle
 tls_insecure_skip_verify = false # testing only; do not use in production
 
 [admin.oidc.role_mapping]
-default_role = "admin"
+default_role = "readonly"
 
 [[admin.oidc.role_mapping.rules]]
 claim = "groups"
 value = "seaweedfs-admin"
 role = "admin"
 
+[[admin.oidc.role_mapping.rules]]
+claim = "groups"
+value = "seaweedfs-readonly"
+role = "readonly"
+
 # white list. It's checking request ip address.
 [guard]
 white_list = ""
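Review bot: The scaffold now hands `readonly` to every OIDC identity that authenticates but matches no rule, and nothing in the security.toml hunk says so; a comment above `default_role` should make that explicit, e.g. `# Role for authenticated users who match no rule below. Unmapped users are presumably not denied but get this role, so restrict who can log in at the IdP (client/app assignment) or via a rule, not here.` The new `seaweedfs-readonly` rule also leaves precedence undocumented when a `groups` claim lists both `seaweedfs-admin` and `seaweedfs-readonly`; a one-line comment stating whether first match in file order or the most privileged role wins (not visible in this hunk) would save operators from a surprising escalation or demotion. Whether an empty `default_role` denies unmapped users is likewise not shown here; if the server supports a deny, the scaffold comment should say so.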