Team & RBAC
Manage who has access to your DocuGardener workspace and what they can do.
Roles
DocuGardener uses role-based access control (RBAC) with four predefined roles. Every team member is assigned exactly one role.
| Role | Description |
|---|---|
| Admin | Full access. Can manage repos, triage findings, view audit logs, manage billing, and invite or remove team members. |
| Member | Day-to-day user. Can view the dashboard and triage findings (apply fixes, dismiss, or mark as no-update-needed). |
| Auditor | Read-only compliance role. Can view the dashboard and access the audit log. Cannot triage findings or change settings. |
| Billing Admin | Can view the dashboard and manage billing (upgrade/downgrade plans, update payment methods). Cannot triage findings or change settings. |
Permissions Matrix
| Action | Admin | Member | Auditor | Billing Admin |
|---|---|---|---|---|
| Manage repositories | ✓ | — | — | — |
| Triage inbox (apply fix, dismiss) | ✓ | ✓ | — | — |
| View dashboard | ✓ | ✓ | ✓ | ✓ |
| View audit log | ✓ | — | ✓ | — |
| Manage billing | ✓ | — | — | ✓ |
| Invite / remove users | ✓ | — | — | — |
| Configure settings | ✓ | — | — | — |
| Configure agent governance | ✓ | — | — | — |
| Define documentation policies | ✓ | — | — | — |
Inviting Team Members
Admins can invite new team members from Settings → Team → Invite by email. The invited user receives an email with a link to join the workspace. You choose the role at invite time — it can be changed later.
SSO & SCIM (TEAM Plan)
Teams on the TEAM plan can configure SAML-based single sign-on (SSO) and SCIM 2.0 user provisioning. This allows you to:
- Enforce login through your identity provider (Okta, Azure AD, Google Workspace, etc.).
- Automatically create and deactivate DocuGardener accounts as users are added or removed in your IdP directory.
- Map IdP groups to DocuGardener roles.
To configure SSO, go to Settings → Team → SSO Configuration and follow the guided setup. You will need the SAML metadata URL or XML from your identity provider.
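Because every team member holds exactly one role, a user who belongs to several mapped IdP groups needs attention before SCIM provisioning is switched on; this page does not say how such a case is resolved. The following pre-flight check is an added example, not DocuGardener code: the permission keys are hypothetical labels for the rows of the Permissions Matrix, and the group names and users are constructed sample data.

```python
# Added example: not DocuGardener code. Permission keys are hypothetical labels
# for the rows of the Permissions Matrix; all sample data is constructed.
ROLE_PERMS = {
    "Admin": {"repos", "triage", "dashboard", "audit_log", "billing",
              "users", "settings", "agent_governance", "doc_policies"},
    "Member": {"triage", "dashboard"},
    "Auditor": {"dashboard", "audit_log"},
    "Billing Admin": {"dashboard", "billing"},
}

def smallest_covering_role(needed):
    """Least-privileged single role whose permissions include `needed`."""
    fits = [r for r, perms in ROLE_PERMS.items() if needed <= perms]
    return min(fits, key=lambda r: len(ROLE_PERMS[r])) if fits else None

def audit_mapping(group_to_role, user_groups):
    """Classify each user as resolved, unmapped, or conflicting."""
    unknown = set(group_to_role.values()) - set(ROLE_PERMS)
    if unknown:
        raise ValueError(f"mapping names undefined roles: {sorted(unknown)}")
    report = {"resolved": {}, "unmapped": [], "conflicts": {}}
    for user, groups in sorted(user_groups.items()):
        roles = {group_to_role[g] for g in groups if g in group_to_role}
        if not roles:
            report["unmapped"].append(user)  # none of the user's groups is mapped
        elif len(roles) == 1:
            report["resolved"][user] = roles.pop()
        else:
            # Only one role is allowed, so everything the groups imply
            # would have to fit inside a single role.
            needed = set().union(*(ROLE_PERMS[r] for r in roles))
            report["conflicts"][user] = {
                "candidates": sorted(roles),
                "role_covering_all": smallest_covering_role(needed),
            }
    return report

# Constructed sample data (group and user names are invented).
GROUP_TO_ROLE = {"dg-admins": "Admin", "engineering": "Member",
                 "compliance": "Auditor", "finance": "Billing Admin"}
USER_GROUPS = {
    "alice@example.com": ["engineering"],
    "bob@example.com": ["engineering", "compliance"],
    "carol@example.com": ["finance", "all-staff"],
    "dave@example.com": ["all-staff"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_mapping(GROUP_TO_ROLE, USER_GROUPS), indent=2))
```

With the matrix above, any two different roles combine into a permission set that only Admin covers, so each conflict is a choice between dropping access and granting full access; review those users by hand.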
Authentication Methods
DocuGardener supports three authentication methods out of the box:
| Method | Available On | Notes |
|---|---|---|
| GitHub OAuth | All plans | Default. Uses your GitHub identity. |
| Email magic link | All plans | Passwordless email sign-in. |
| SAML SSO | TEAM plan only | Enterprise IdP integration with SCIM provisioning. |