Role-Based Access Control

P0 supports role-based access control so that you can give your users least-privileged access to the platform.

P0 roles control what actions users can perform within the platform. You can assign roles to individual users or to identity-provider groups (such as Okta groups).

Global roles

Owner

Owners can add integrations and alter settings.

Security Reviewer

Security Reviewers can review routing rules and user access (via the P0 CLI), and can optionally be configured as approvers for access requests in Routing Rules.

Roles for Just-In-Time Access

Requestor

Every user that can log in to P0 is a Requestor. This is the default baseline role for your users.

Approver

Approvers can approve access requests.

The Approver role only takes effect in one of these two cases:

  1. There are no routing rules in place.

  2. There are routing rules in place and they explicitly reference the P0 Approver role.

If routing rules exist but none of them references the Approver role, holding the role grants no approval rights.

See Request Routing.

Roles for IAM assessment

Assessment User

Assessment Users can run, manage, and view the results of environment scans.

Assessment Viewer

Assessment Viewers can view the results of environment scans.

Assigning roles

You can assign roles in Settings > Access control within the P0 app. Each role supports two assignment methods:

  • Members: Assign the role directly to individual user email addresses.

  • Groups: Assign the role to an identity-provider group (e.g., an Okta group). All members of that group inherit the role.

Assigning roles with Okta groups

If your organization uses Okta as a directory integration, you can map Okta groups to P0 roles. When you assign an Okta group to a role, all members of that group automatically receive the role in P0.


Prerequisites

To use Okta group-based role assignment, configure your Okta Login app to send group claims in the authentication token:

  1. In the Okta Admin Console, navigate to Applications and select the Okta Login app used for P0 authentication.

  2. Click the Sign On tab.

  3. Click Edit in the OpenID Connect ID Token section.

  4. Under Groups claim, set the following:

    • Groups claim type: Filter

    • Groups claim filter: Enter groups as the claim name (P0 expects this exact name), select Matches regex, and enter .* (or a more specific regex to limit which groups are sent).

  5. Click Save.

  6. Log out of P0 and log back in to refresh your authentication token.

After completing these steps, your Okta groups appear as options when assigning groups to roles in Settings > Access control.

The groups claim filter controls which Okta groups are included in the authentication token. Use .* to include all groups, or provide a more specific regex to limit the groups sent to P0. Note that .* discloses every group a user belongs to, including groups unrelated to P0; a regex that matches only the groups you map to P0 roles keeps the token smaller and sends P0 only what it needs.

Assigning a group to a role

  1. From the P0 app, navigate to Settings > Access control.

  2. Under the role you want to configure (e.g., Owners or Security Reviewers), locate the Groups field.

  3. Enter the name of the Okta group and press Enter.

  4. The group is saved automatically. All members of that group now have the assigned role in P0.
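The prerequisites above configure Okta to put a groups claim in the ID token, and the steps just completed map a group to a role. The script below is an added example, not P0's own code or API, that lets you check both ends of that chain offline: it decodes the payload of an ID token (without verifying its signature, so it is for inspecting a token you already obtained by logging in, not for authenticating anyone), simulates the Matches regex filter to show which groups a given pattern would send, and resolves the P0 roles a user would end up with from direct membership plus group membership. The sample token, the group names, and the ROLE_CONFIG mapping are all constructed for illustration; the assumption that Okta applies the filter as a full match against each group name is also ours.

```python
"""Inspect an Okta ID token's groups claim and resolve the P0 roles it grants.

Added example for this page, not P0's own code. It assumes:
- the ID token is a standard JWT whose second segment is a base64url JSON payload;
- Okta's "Matches regex" filter is applied as a full match against each group name;
- P0 role assignments are modelled as a dict of role -> {"members": set, "groups": set}.
Nothing here verifies the token signature; use it to inspect a token you just obtained,
not to authenticate anyone.
"""
import base64
import json
import re


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token: the kind of payload P0 would receive from Okta once the
# groups claim is configured. The third segment is a placeholder, not a real signature.
_HEADER = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
_PAYLOAD = _b64url(json.dumps({
    "sub": "00u1abc",
    "email": "alice@example.com",
    "groups": ["Everyone", "p0-owners", "eng-all"],
}).encode())
SAMPLE_ID_TOKEN = f"{_HEADER}.{_PAYLOAD}.signature-placeholder"

# Constructed P0 access-control configuration (what Settings > Access control holds).
ROLE_CONFIG = {
    "Owner": {"members": {"root@example.com"}, "groups": {"p0-owners"}},
    "Security Reviewer": {"members": set(), "groups": {"p0-security-reviewers"}},
    "Assessment Viewer": {"members": {"alice@example.com"}, "groups": set()},
}


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(seg))


def filter_groups(groups, pattern: str) -> list:
    """Simulate Okta's 'Matches regex' groups-claim filter (full-match assumed)."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]


def resolve_roles(email: str, claim_groups, role_config: dict) -> set:
    """Roles a user holds: Requestor for everyone who can log in, plus any role
    granted by direct membership or by an Okta group present in the groups claim."""
    roles = {"Requestor"}
    groups = set(claim_groups or [])
    for role, assignment in role_config.items():
        direct = email in assignment.get("members", set())
        via_group = bool(groups & assignment.get("groups", set()))
        if direct or via_group:
            roles.add(role)
    return roles


def roles_from_token(token: str, claim_filter: str, role_config: dict) -> set:
    """End to end: decode the token, apply the claim filter, resolve roles.
    A token with no groups claim still logs the user in, but only direct
    memberships (and Requestor) apply, which is the usual symptom of step 4
    above not being configured."""
    payload = decode_jwt_payload(token)
    groups = filter_groups(payload.get("groups", []), claim_filter)
    return resolve_roles(payload["email"], groups, role_config)


if __name__ == "__main__":
    print(roles_from_token(SAMPLE_ID_TOKEN, r".*", ROLE_CONFIG))
    print(roles_from_token(SAMPLE_ID_TOKEN, r"eng-.*", ROLE_CONFIG))
```

To check a real login, paste the ID token you receive from Okta into decode_jwt_payload and confirm a groups key is present: if it is missing, the groups claim in the Okta Login app is not configured, and no group-based role assignment will take effect regardless of what is entered in the Groups field. The second call in the usage block shows the other failure mode: a filter that does not match the group you mapped silently drops the role.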
