Skip to Content
RBAC & SSO

RBAC & SSO

Role-based access control with SSO integration for workspaces, runs, and approval gates.

Roles

RolePermissions
OwnerFull workspace control: billing, SSO, members, all operations
AdminManage members, policies, connectors, agents
MaintainerApprove runs, manage workflows, view audit logs
DeveloperTrigger runs, use CLI/API, view own run history
ViewerRead-only dashboard access

SSO / SAML

Supported providers: Okta, Microsoft Entra ID, Google Workspace, OneLogin, any SAML 2.0 IdP.

  1. Navigate to Settings → Authentication → SSO
  2. Choose provider and enter metadata URL
  3. Map IdP groups to Cendriix roles
  4. Enable “Require SSO” to enforce SSO-only login

Group mapping

sso: provider: okta metadata_url: https://your-org.okta.com/app/.../sso/saml/metadata group_mapping: engineering-leads: admin engineers: developer sre-team: maintainer auditors: viewer

See also: Policies, Audit log, API reference

Last updated on