# Access Control

**Access Control** is where you decide who can use StepSecurity, how they sign in, and what they can do once they're in. Everything that governs identity, authentication, and authorization for your account lives here.

Access Control matters most for security and platform teams who are responsible for safely onboarding engineers, granting the right level of access, and proving who did what during audits or incidents.

#### How the pieces fit together

Access Control breaks down into three layers that work together:

* **Security & Auth** controls *how* people authenticate. This is where you turn on SSO, enable or disable email and password sign-in, decide whether GitHub login is allowed, and set the idle session timeout.
* **Roles** define *what* a member is allowed to do. A role is a named set of permissions across StepSecurity features. The built-in `admin` and `auditor` roles cover most cases, and you can create custom roles for more specific needs.
* **Members** are the individual users. Each member signs in using a method allowed by Security & Auth, and is assigned exactly one role that determines what they see and do.

Put together, these three answer the three questions any access-control system needs to answer: *who can access StepSecurity*, *how they sign in*, and *what they can do once they're in*.
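As an added illustration (not StepSecurity's own code or API), the following Python model shows how the three layers combine into a single access decision: Security & Auth decides which sign-in methods are valid and when an idle session expires, a role carries a named set of permissions, and each member holds exactly one role. The permission strings, field names and sample members are assumptions made for this example; the real product's permission names are not listed on this page.

```python
"""Added example, not StepSecurity's code: a minimal model of the three
Access Control layers (Security & Auth, Roles, Members).

All field names, permission strings and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class SignInMethod(Enum):
    SSO = "sso"
    EMAIL_PASSWORD = "email_password"
    GITHUB = "github"


@dataclass
class SecurityAuthPolicy:
    """Layer 1: *how* people authenticate (assumed field names)."""
    sso_configured: bool
    enforce_sso: bool
    allow_email_password: bool
    allow_github: bool
    idle_timeout_minutes: int

    def allowed_methods(self) -> set[SignInMethod]:
        """Enforcing SSO disables every other method, whatever their toggles say."""
        if self.enforce_sso:
            return {SignInMethod.SSO} if self.sso_configured else set()
        allowed: set[SignInMethod] = set()
        if self.sso_configured:
            allowed.add(SignInMethod.SSO)
        if self.allow_email_password:
            allowed.add(SignInMethod.EMAIL_PASSWORD)
        if self.allow_github:
            allowed.add(SignInMethod.GITHUB)
        return allowed


@dataclass(frozen=True)
class Role:
    """Layer 2: a named set of permissions across features."""
    name: str
    permissions: frozenset[str]


# Assumed permission strings for the two built-in roles.
ADMIN = Role("admin", frozenset({"view", "manage_members", "manage_roles", "manage_auth"}))
AUDITOR = Role("auditor", frozenset({"view"}))


@dataclass
class Member:
    """Layer 3: one user, who holds exactly one role."""
    email: str
    role: Role


def check_access(policy: SecurityAuthPolicy, member: Member, method: SignInMethod,
                 permission: str, idle_minutes: int) -> tuple[bool, str]:
    """Combine the three layers into one decision plus a reason string.

    Order matters: authentication is checked before authorization, so a
    disabled sign-in method is rejected even for an admin."""
    if method not in policy.allowed_methods():
        return False, f"sign-in via {method.value} is disabled by Security & Auth"
    if idle_minutes >= policy.idle_timeout_minutes:
        return False, "idle session timeout exceeded; re-authentication required"
    if permission not in member.role.permissions:
        return False, f"role {member.role.name!r} lacks {permission!r}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample data: SSO configured and enforced, 30-minute idle timeout.
    policy = SecurityAuthPolicy(sso_configured=True, enforce_sso=True,
                                allow_email_password=True, allow_github=True,
                                idle_timeout_minutes=30)
    alice = Member("alice@example.com", ADMIN)
    bob = Member("bob@example.com", AUDITOR)
    print(check_access(policy, alice, SignInMethod.SSO, "manage_members", 5))
    print(check_access(policy, bob, SignInMethod.SSO, "manage_members", 5))
    print(check_access(policy, alice, SignInMethod.GITHUB, "view", 5))
```

The ordering in `check_access` is the point worth noticing: a member with the `admin` role is still refused when they arrive through a sign-in method that Security & Auth has disabled, which is why step 2 of the onboarding order below (enforce SSO, disable the rest) has to happen before roles and membership do any useful work.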

#### Common starting points

Most teams approach Access Control in this order:

1. **Configure Single Sign-On**. Set up SSO with Okta, Google Workspace, Microsoft Entra ID, or another identity provider so your team signs in through your existing IdP. See Security & Auth.
2. **Decide which sign-in methods to allow**. Once SSO is configured, enforce SSO and disable any other methods you don't want available. See Security & Auth.
3. **Pick or create the roles your team needs**. Start with the built-in `admin` and `auditor` roles. Create custom roles only when those don't fit. See Roles.
4. **Invite members and assign roles**. Add your team and give each person the right role. See Members.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/administration/admin-console/access-control.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
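As an added example (not part of the original page and not a StepSecurity client library), the helper below builds the `?ask=` URL for this page with the question properly percent-encoded, so spaces and characters such as `?` in a natural-language question do not corrupt the query string. The `ask` function that performs the GET is included for completeness but is not called at import time, so the module runs offline; `PAGE_URL` is the URL shown above.

```python
"""Added example, not StepSecurity code: build and (optionally) send an
`ask` query against a documentation page URL."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# URL taken from the page above.
PAGE_URL = "https://docs.stepsecurity.io/administration/admin-console/access-control.md"


def build_ask_url(page_url: str, question: str) -> str:
    """Return page_url with the question attached as a percent-encoded `ask` parameter.

    Any query string already present on page_url is replaced, and the question
    is whitespace-normalised and rejected if empty, matching the guidance that
    it be a specific, self-contained sentence."""
    question = " ".join(question.split())
    if not question:
        raise ValueError("question must be a non-empty natural-language sentence")
    parts = urlsplit(page_url)
    query = urlencode({"ask": question})  # handles spaces, '?', '&', non-ASCII
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def decode_question(ask_url: str) -> str:
    """Inverse of build_ask_url, useful when checking a URL before sending it."""
    return parse_qs(urlsplit(ask_url).query)["ask"][0]


def ask(page_url: str, question: str, timeout: float = 10.0) -> str:
    """Perform the GET and return the response body as text (network access required)."""
    with urlopen(build_ask_url(page_url, question), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(build_ask_url(PAGE_URL, "Which roles are built in?"))
```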
