# Identity & Access Management

IAM controls what users and service accounts can do in Lenses. Permissions flow from **principals → groups → roles → policies**. If any policy statement matches with `effect: deny`, access is denied.

### Common setup flow

{% stepper %}
{% step %}

### Configure authentication

Pick Basic Auth or SSO/SAML.
{% endstep %}

{% step %}

### Create roles and policies

Define actions, resources, and `allow`/`deny`.
{% endstep %}

{% step %}

### Create groups and assign roles

Attach one or more roles to each group.
{% endstep %}

{% step %}

### Add users and service accounts to groups

Membership drives permissions.
{% endstep %}

{% step %}

### Validate access

Log in as a user and check expected visibility and actions.
{% endstep %}
{% endstepper %}

<table data-view="cards"><thead><tr><th>Topic</th><th>Description</th><th data-hidden data-card-target data-type="content-ref">Link</th></tr></thead><tbody><tr><td><strong>Overview</strong></td><td>Core concepts and policy evaluation</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/koj4U48JWNfhUiXqbKfJ">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/koj4U48JWNfhUiXqbKfJ</a></td></tr><tr><td><strong>Authentication</strong></td><td>Basic Auth, SSO/SAML, and admin accounts</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/n2p0rsftDOilihkcOq8Z">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/n2p0rsftDOilihkcOq8Z</a></td></tr><tr><td><strong>Users</strong></td><td>Create users and manage group membership</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/tWcKlBOoR8EWNmbUBIil">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/tWcKlBOoR8EWNmbUBIil</a></td></tr><tr><td><strong>Service Accounts</strong></td><td>Programmatic access via service account tokens</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/yQ32V4nPfD2yMJvxiEBo">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/yQ32V4nPfD2yMJvxiEBo</a></td></tr><tr><td><strong>Groups</strong></td><td>Collect principals and grant roles</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/tbL8iJnOq7zcEWxRwdEO">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/tbL8iJnOq7zcEWxRwdEO</a></td></tr><tr><td><strong>Roles</strong></td><td>Create roles and attach policies</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/vJvCPzLCXxwX72tJ5yWO">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/vJvCPzLCXxwX72tJ5yWO</a></td></tr><tr><td><strong>IAM Reference</strong></td><td>All actions and resource formats</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/YkfpTGXlLrNjL7oHlbh4">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/YkfpTGXlLrNjL7oHlbh4</a></td></tr><tr><td><strong>Example Policies</strong></td><td>Ready-to-use role templates</td><td><a href="/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/MP0dM2BMUvFr3yce8yQN">/spaces/NwC1VSrH2RhBa4WJMBdQ/pages/MP0dM2BMUvFr3yce8yQN</a></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.lenses.io/latest/devx/6.1/user-guide/iam.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.