# Roles & Security

> Configure user roles, SSO, audit logs, and security settings.

export const InternalNote = ({children}) => {
  // Renders its children only for users in the "internal" group.
  const [isInternal, setIsInternal] = useState(false);
  useEffect(() => {
    // The group check runs in the browser against the Mintlify user object.
    const user = window.__mintlify_user__;
    if (user?.groups?.includes("internal")) setIsInternal(true);
  }, []);
  if (!isInternal) return null;
  return <div className="internal-note">
      <strong className="internal-note-title">🔒 Internal Note</strong>
      <div>{children}</div>
    </div>;
};

## Role hierarchy

| Level | Role        | Access                                  |
| ----- | ----------- | --------------------------------------- |
| 1     | **Learner** | Default — access learning and goals     |
| 3     | **Manager** | Team management, assignments, analytics |
| 5     | **Admin**   | Full platform administration            |
| 6     | **Owner**   | Highest level, all permissions          |
| 99    | **Blocked** | Can authenticate but sees no content    |
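
The levels in this table are not a strict ranking: Blocked has the highest number but the least access. The sketch below is an added example, not Juno's code, and its function names and sample users are hypothetical. It puts a plain numeric comparison next to a check that treats 99 as a sentinel and rejects any level the table does not define.

```javascript
// Added example, not Juno's code. Levels are copied from the table above;
// function names and sample users are hypothetical.
const ROLE_LEVELS = Object.freeze({
  learner: 1, manager: 3, admin: 5, owner: 6, blocked: 99,
});
const BLOCKED = ROLE_LEVELS.blocked;
const KNOWN_LEVELS = new Set(Object.values(ROLE_LEVELS));

// Plain rank comparison: level 99 outranks Owner, and "5" coerces to 5.
function naiveHasAccess(userLevel, requiredLevel) {
  return userLevel >= requiredLevel;
}

// Deny by default: Blocked is a sentinel, and only levels from the table count.
function hasAccess(userLevel, requiredLevel) {
  if (!KNOWN_LEVELS.has(userLevel) || userLevel === BLOCKED) return false;
  if (!KNOWN_LEVELS.has(requiredLevel) || requiredLevel === BLOCKED) return false;
  return userLevel >= requiredLevel;
}

// Constructed sample users, including malformed level values.
const SAMPLE_USERS = [
  { name: "learner", level: 1 },
  { name: "manager", level: 3 },
  { name: "admin", level: 5 },
  { name: "owner", level: 6 },
  { name: "blocked", level: 99 },
  { name: "string-level", level: "5" },
  { name: "undefined-level", level: 4 },
  { name: "missing-level", level: undefined },
];

// Names of sample users that pass `check` for the required level.
function allowedUsers(check, requiredLevel) {
  return SAMPLE_USERS.filter((u) => check(u.level, requiredLevel)).map((u) => u.name);
}

console.log("naive :", allowedUsers(naiveHasAccess, ROLE_LEVELS.admin).join(", "));
console.log("strict:", allowedUsers(hasAccess, ROLE_LEVELS.admin).join(", "));
```

For an Admin-level requirement, the plain comparison admits the blocked user and the string-typed level, while the strict check admits only the admin and the owner.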

***

## Scoped roles

In addition to the main role level, admins can assign **domain-based roles** that give focused permissions:

| Domain          | What it covers                         |
| --------------- | -------------------------------------- |
| **People**      | HR and people management               |
| **Budget**      | Financial and budget management        |
| **Development** | Learning and development configuration |
| **Platform**    | Platform customization and settings    |

Special roles: **IT Admin** (users and security), **Buyer** (budget and purchasing), **Translator** (content translation).

***

## Security settings

Access security configuration at **Admin → Security** (`/admin/security`):

### SSO configuration

* Configure SAML/SSO integrations (Okta, Azure AD, Google, etc.)
* Set up identity provider connections
* Test SSO flow

### Users sync

* Sync users from SSO providers
* Schedule automatic sync intervals
* View sync logs

### Audit logs

* View system audit trail
* Track who did what, when
* Filter by action, user, or date

### Developer settings

* Manage API keys
* Configure webhooks

<InternalNote>
  SSO config lives in tenant Firebase auth settings. SAML fields: cert, entryPoint, issuer, callbackUrl, attributesMapping. See [SSO Troubleshooting runbook](/internal/runbooks/sso-troubleshooting) for debugging. Enable `TenantAuth.saml.logProfile = true` to log SAML assertions.
</InternalNote>
