# Role-Based Access Control

P0 roles control what actions users can perform within the platform. You can assign roles to individual users or to identity-provider groups (such as Okta groups).

### Global roles

#### Owner

Owners can add integrations and alter settings.

#### Security Reviewer

Security Reviewers can review access policies and user access (via P0 CLI), and you can optionally configure them as approvers for access requests in [Access Policies](/access-management/just-in-time-access/request-routing.md).

### Roles for Just-In-Time Access

#### Requestor

Every user who can log in to P0 is a Requestor. This is the default baseline role for your users.

#### Approver

Approvers can approve access requests.

The Approver role is used only in one of these cases:

1. There are no access policies in place
2. There are access policies in place and they explicitly reference the P0 Approver role

See [Access Policies](/access-management/just-in-time-access/request-routing.md).

### Roles for IAM assessment

#### Assessment Users

Assessment Users can run, manage, and view the results of environment scans.

#### Assessment Viewer

Assessment Viewers can view the results of environment scans.

## Assigning roles

You can assign roles in **P0 Management** > **Access control** within the P0 app. Each role supports two assignment methods:

* **Users:** Assign the role directly to individual user email addresses.
* **Groups:** Assign the role to an identity-provider group (e.g., an Okta group). All members of that group inherit the role.

## Assigning roles with Okta groups

If your organization uses [Okta](/integrations/directory-integrations/okta.md) as a directory integration, you can map Okta groups to P0 roles. When you assign an Okta group to a role, all members of that group automatically receive the role in P0.

{% hint style="warning" %}
Okta groups do not appear in P0 until you configure group claims on your Okta Login app. Complete the prerequisite steps below before assigning Okta groups to roles.
{% endhint %}

### Prerequisites

To use Okta group-based role assignment, configure your Okta Login app to send group claims in the authentication token:

1. In the Okta Admin Console, navigate to **Applications** and select the Okta Login app used for P0 authentication.
2. Click the **Sign On** tab.
3. Click **Edit** in the **OpenID Connect ID Token** section.
4. Under **Groups claim**, set the following:
   * **Groups claim type:** Filter
   * **Groups claim filter:** Enter `groups` as the claim name, select **Matches regex**, and enter `.*` (or a more specific regex to limit which groups are sent).
5. Click **Save**.
6. Log out of P0 and log back in to refresh your authentication token.

After completing these steps, your Okta groups appear as options when assigning groups to roles in **P0 Management** > **Access control**.

{% hint style="info" %}
The groups claim filter controls which Okta groups are included in the authentication token. Use `.*` to include all groups, or provide a more specific regex to limit the groups sent to P0.
{% endhint %}
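
To confirm what the filter actually sends, decode the ID token issued after you log back in and compare its `groups` claim with the groups you intend to map to P0 roles. The script below is an added example, not P0 or Okta code, and it reads the token for inspection only, without verifying the signature. Assumptions: the `p0-` group prefix, the sample token and all function names are constructed for illustration, and the filter regex is assumed to match the whole group name.

```python
import base64
import json
import re


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


def token_groups(id_token: str, claim: str = "groups"):
    """Return the groups claim as a list, or None if the claim is absent."""
    # Inspection only: the signature is NOT verified here.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    seg = parts[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    value = payload.get(claim)
    if value is None:
        return None  # groups claim not configured, or token not refreshed
    return [value] if isinstance(value, str) else list(value)


def audit_groups(groups, intended_regex: str):
    """Split groups into those the intended filter allows and the rest."""
    # Assumption: the filter must match the whole group name (fullmatch).
    pat = re.compile(intended_regex)
    intended = sorted(g for g in groups if pat.fullmatch(g))
    unexpected = sorted(g for g in groups if not pat.fullmatch(g))
    return intended, unexpected


# Constructed sample: a token issued while the filter is still `.*`
SAMPLE = make_sample_token({
    "sub": "user@example.com",
    "groups": ["p0-owners", "p0-security-reviewers", "Everyone", "payroll-admins"],
})

if __name__ == "__main__":
    intended, unexpected = audit_groups(token_groups(SAMPLE), r"p0-.*")
    print("mapped to P0 roles:", intended)
    print("sent but not needed:", unexpected)
```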

### Assigning a group to a role

1. From the [P0 app](https://p0.app), navigate to **P0 Management** > **Access control**.
2. Under the role you want to configure (e.g., **Owners** or **Security Reviewers**), locate the **Groups** field.
3. Enter the name of the Okta group and press Enter.
4. The group is saved automatically. All members of that group now have the assigned role in P0.


