# Role-Based Access Control

P0 roles control what actions users can perform within the platform. You can assign roles to individual users or to identity-provider groups (such as Okta groups).

### Global roles

#### Owner

Owners can add integrations and alter settings.

#### Security Reviewer

Security Reviewers can review routing rules and user access (via the P0 CLI), and can optionally be configured as approvers for access requests in [Routing Rules](https://docs.p0.dev/orchestration/just-in-time-access/request-routing).

### Roles for Just-In-Time Access

#### Requestor

Every user who can log in to P0 is a Requestor. This is the default baseline role for your users.

#### Approver

Approvers can approve access requests.

The Approver role is used only in one of these cases:

1. There are no routing rules in place
2. There are routing rules in place and they explicitly reference the P0 Approver role

See [Routing Rules](https://docs.p0.dev/orchestration/just-in-time-access/request-routing).

### Roles for IAM assessment

#### Assessment Users

Assessment Users can run, manage, and view the results of environment scans.

#### Assessment Viewer

Assessment Viewers can view the results of environment scans.

## Assigning roles

You can assign roles in **Settings** > **Access control** within the P0 app. Each role supports two assignment methods:

* **Members:** Assign the role directly to individual user email addresses.
* **Groups:** Assign the role to an identity-provider group (e.g., an Okta group). All members of that group inherit the role.

## Assigning roles with Okta groups

If your organization uses [Okta](https://docs.p0.dev/integrations/directory-integrations/okta) as a directory integration, you can map Okta groups to P0 roles. When you assign an Okta group to a role, all members of that group automatically receive the role in P0.

{% hint style="warning" %}
Okta groups do not appear in P0 until you configure group claims on your Okta Login app. Complete the prerequisite steps below before assigning Okta groups to roles.
{% endhint %}

### Prerequisites

To use Okta group-based role assignment, configure your Okta Login app to send group claims in the authentication token:

1. In the Okta Admin Console, navigate to **Applications** and select the Okta Login app used for P0 authentication.
2. Click the **Sign On** tab.
3. Click **Edit** in the **OpenID Connect ID Token** section.
4. Under **Groups claim**, set the following:
   * **Groups claim type:** Filter
   * **Groups claim filter:** Enter `groups` as the claim name, select **Matches regex**, and enter `.*` (or a more specific regex to limit which groups are sent).
5. Click **Save**.
6. Log out of P0 and log back in to refresh your authentication token.

After completing these steps, your Okta groups appear as options when assigning groups to roles in **Settings** > **Access control**.

{% hint style="info" %}
The groups claim filter controls which Okta groups are included in the authentication token. Use `.*` to include all groups, or provide a more specific regex to limit the groups sent to P0.
{% endhint %}
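
One way to check the outcome of the prerequisite steps and choose a narrower filter than `.*`, as an added example that is not part of P0's or Okta's own tooling: it previews which groups a filter regex would send and compares an ID token's `groups` claim with the groups you intend to map to P0 roles. The group names, the role-to-group mapping, and the sample token are constructed, and matching the regex against the whole group name is an assumption about how the filter is applied.

```python
import base64
import json
import re

# Constructed sample data: hypothetical Okta group names and the groups
# you plan to enter under each P0 role in Settings > Access control.
DIRECTORY_GROUPS = ["p0-owners", "p0-security-reviewers", "eng-all", "finance-payroll"]
ROLE_GROUPS = {"Owner": ["p0-owners"], "Security Reviewer": ["p0-security-reviewers"]}


def preview_filter(pattern, groups=DIRECTORY_GROUPS):
    """Groups a 'Matches regex' filter would send (assumes whole-name match)."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]


def make_sample_token(claims):
    """Build an unsigned, constructed ID token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def id_token_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_groups_claim(token, role_groups=ROLE_GROUPS, claim="groups"):
    """Compare the token's groups claim with the groups mapped to P0 roles."""
    claims = id_token_claims(token)
    sent = set(claims.get(claim) or [])
    needed = {g for groups in role_groups.values() for g in groups}
    return {
        "claim_present": claim in claims,
        "missing": sorted(needed - sent),  # mapped to a role but absent from the token
        "surplus": sorted(sent - needed),  # disclosed to P0 but mapped to no role
    }


if __name__ == "__main__":
    for pattern in (".*", r"p0-.*"):
        claims = {"sub": "user@example.com", "groups": preview_filter(pattern)}
        print(pattern, audit_groups_claim(make_sample_token(claims)))
```

A non-empty `missing` list means a group assigned to a role will never arrive in the token; a non-empty `surplus` list shows group memberships being sent to P0 that no role assignment needs.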

### Assigning a group to a role

1. From the [P0 app](https://p0.app), navigate to **Settings** > **Access control**.
2. Under the role you want to configure (e.g., **Owners** or **Security Reviewers**), locate the **Groups** field.
3. Enter the name of the Okta group and press Enter.
4. The group is saved automatically. All members of that group now have the assigned role in P0.
