RBAC & SSO
Role-based access control with SSO integration for workspaces, runs, and approval gates.
Roles
| Role | Permissions |
|---|---|
| Owner | Full workspace control: billing, SSO, members, all operations |
| Admin | Manage members, policies, connectors, agents |
| Maintainer | Approve runs, manage workflows, view audit logs |
| Developer | Trigger runs, use CLI/API, view own run history |
| Viewer | Read-only dashboard access |
SSO / SAML
Supported providers: Okta, Microsoft Entra ID, Google Workspace, OneLogin, any SAML 2.0 IdP.
- Navigate to Settings → Authentication → SSO
- Choose provider and enter metadata URL
- Map IdP groups to Cendriix roles
- Enable “Require SSO” to enforce SSO-only login
Group mapping
```yaml
sso:
  provider: okta
  metadata_url: https://your-org.okta.com/app/.../sso/saml/metadata
  group_mapping:
    engineering-leads: admin
    engineers: developer
    sre-team: maintainer
    auditors: viewer
```

See also: Policies, Audit log, API reference
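A pre-deployment check for a group mapping like the one above, as an added example that is not Cendriix code. It assumes the roles in the Roles table form a strict hierarchy, that a user in several mapped groups receives the highest of those roles, and that a user in no mapped group receives none; `audit_mapping` and `effective_role` are hypothetical helper names.

```python
# Added example, not Cendriix code. Role names come from the Roles table;
# the strict ranking and "highest role wins" resolution are assumptions.
ROLE_RANK = {"viewer": 0, "developer": 1, "maintainer": 2, "admin": 3, "owner": 4}
PRIVILEGED = {"admin", "owner"}  # roles that manage members, policies or SSO

# The group_mapping from the page's example, written as a Python dict.
GROUP_MAPPING = {
    "engineering-leads": "admin",
    "engineers": "developer",
    "sre-team": "maintainer",
    "auditors": "viewer",
}


def audit_mapping(mapping):
    """Return (errors, review) for a group -> role mapping.

    errors: entries whose role is not one of the five documented roles
            (compared case-sensitively, so "Admin" is reported).
    review: entries granting a privileged role, whose IdP group membership
            should be checked before the mapping goes live.
    """
    errors, review = [], []
    for group, role in mapping.items():
        if role not in ROLE_RANK:
            errors.append(f"{group}: unknown role {role!r}")
        elif role in PRIVILEGED:
            review.append(f"{group}: grants {role}")
    return errors, review


def effective_role(user_groups, mapping):
    """Highest-ranked role among the user's mapped groups, or None (no access)."""
    roles = [mapping[g] for g in user_groups if mapping.get(g) in ROLE_RANK]
    return max(roles, key=ROLE_RANK.get, default=None)


if __name__ == "__main__":
    errors, review = audit_mapping(GROUP_MAPPING)
    print("errors:", errors)
    print("review:", review)
    # Constructed sample user who belongs to two mapped IdP groups.
    print("role:", effective_role(["engineers", "sre-team"], GROUP_MAPPING))
```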