# Identity & Access Management IAM controls what users and service accounts can do in Lenses. Permissions flow from **principals → groups → roles → policies**. If any policy statement matches with `effect: deny`, access is denied. ### Common setup flow {% stepper %} {% step %} ### Configure authentication Pick Basic Auth or SSO/SAML. {% endstep %} {% step %} ### Create roles and policies Define actions, resources, and `allow`/`deny`. {% endstep %} {% step %} ### Create groups and assign roles Attach one or more roles to each group. {% endstep %} {% step %} ### Add users and service accounts to groups Membership drives permissions. {% endstep %} {% step %} ### Validate access Log in as a user and check expected visibility and actions. {% endstep %} {% endstepper %}

Topic	Description	Link
Overview	Core concepts and policy evaluation	overview
Authentication	Basic Auth, SSO/SAML, and admin accounts	authentication
Users	Create users and manage group membership	users
Service Accounts	Programmatic access via service account tokens	service-accounts
Groups	Collect principals and grant roles	groups
Roles	Create roles and attach policies	roles
IAM Reference	All actions and resource formats	iam-reference
Example Policies	Ready-to-use role templates	example-policies