> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pwnbook.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles & Permissions

> Pwnbook uses a role-based access control system within organizations. Understand what each role can do and how to configure custom roles, SSO, and 2FA.

## Built-in roles

By default, every organization member holds one of three built-in roles (plans with custom roles, covered below, can add more):

<CardGroup cols={3}>
  <Card title="Owner" icon="crown">
    Full administrative control. Can manage billing, delete the organization, and perform all admin and member actions.
  </Card>

  <Card title="Admin" icon="user-gear">
    Can manage members, configure integrations, create and archive engagements, and access all engagement data.
  </Card>

  <Card title="Member" icon="user">
    Can participate in engagements they have access to. Can create tasks, write wiki pages, and run API requests.
  </Card>
</CardGroup>

## Permission matrix

The table below summarizes what each built-in role can do:

| Action                 | Member | Admin | Owner |
| ---------------------- | :----: | :---: | :---: |
| View engagements       |    ✓   |   ✓   |   ✓   |
| Create engagements     |    ✓   |   ✓   |   ✓   |
| Archive engagements    |        |   ✓   |   ✓   |
| Delete engagements     |        |   ✓   |   ✓   |
| Invite members         |        |   ✓   |   ✓   |
| Remove members         |        |   ✓   |   ✓   |
| Change member roles    |        |   ✓   |   ✓   |
| Configure integrations |        |   ✓   |   ✓   |
| Manage API keys        |        |   ✓   |   ✓   |
| View billing           |        |   ✓   |   ✓   |
| Manage billing         |        |       |   ✓   |
| Configure SSO          |        |   ✓   |   ✓   |
| Enforce 2FA            |        |   ✓   |   ✓   |
| Delete organization    |        |       |   ✓   |
| Transfer ownership     |        |       |   ✓   |

## Custom roles

<Note>Custom roles are available on the Business and Enterprise plans.</Note>

If the built-in roles don't match your team structure, you can create custom roles with fine-grained permission sets.

To create a custom role:

1. Go to **Organization Settings** → **Roles**.
2. Click **Create Custom Role**.
3. Enter a name for the role (e.g., "Report Reviewer" or "Recon Operator").
4. Toggle individual permissions on or off.
5. Click **Save Role**.

Custom roles can be assigned to members just like built-in roles.

## Two-factor authentication (2FA)

Pwnbook supports two-factor authentication for all user accounts, managed through WorkOS.

### Enforcing 2FA for your organization

Owners and admins can require all organization members to have 2FA enabled:

1. Go to **Organization Settings** → **Security**.
2. Toggle **Require Two-Factor Authentication**.
3. Save your settings.

When 2FA enforcement is enabled, any member without 2FA configured will be prompted to set it up before they can access the organization.

### Setting up 2FA as a user

1. Go to your **Account Settings**.
2. Under **Security**, click **Set Up Two-Factor Authentication**.
3. Scan the QR code with your authenticator app (e.g., 1Password, Authy, Google Authenticator).
4. Enter the verification code to confirm setup.
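What steps 3 and 4 do under the hood, as an added example that is not Pwnbook or WorkOS code: the QR code encodes an `otpauth://` URI carrying a shared secret, the authenticator app derives a time-based one-time code from it (TOTP, RFC 6238 on top of HOTP, RFC 4226), and the server checks the submitted code against the current time step with a small clock-drift window. It assumes Pwnbook's 2FA uses standard TOTP, which is what the authenticator apps listed above implement; the URI, account name and secret below are constructed for illustration and are not real.

```python
# Added example, not Pwnbook or WorkOS code. Assumes standard TOTP (RFC 6238)
# enrolled through an otpauth:// URI, which is what the QR code in step 3 encodes.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what an enrollment QR code typically encodes; not a real secret.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Pwnbook:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Pwnbook&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Extract the TOTP parameters an authenticator app stores after scanning the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.partition(":")
    return {
        "issuer": params.get("issuer", label_issuer),
        "account": account or label_issuer,
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    secret_b32 = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def verify_totp(secret_b32, submitted, at_time=None, period=30, digits=6,
                algorithm="SHA1", window=1):
    """Server-side check for step 4. Accepts the current step plus `window` steps on
    either side to tolerate clock drift, compares in constant time, and returns the
    matched step (or None) so the caller can record it and refuse a replayed code."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    at_time = time.time() if at_time is None else at_time
    step = int(at_time) // period
    matched = None
    for delta in range(-window, window + 1):
        candidate = hotp(secret_b32, step + delta, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            matched = step + delta
    return matched


if __name__ == "__main__":
    params = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    now = time.time()
    code = totp(params["secret"], now, params["period"], params["digits"], params["algorithm"])
    print(f"{params['issuer']} / {params['account']}: current code {code}")
    print("verified at step", verify_totp(params["secret"], code, now))
```

The drift window is the usual trade-off: one step either side keeps slightly skewed phones working, but every extra step widens the set of codes an attacker can guess, and the returned step must be stored so the same code cannot be accepted twice.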

## Single Sign-On (SSO)

<Note>SSO is available on the Business and Enterprise plans.</Note>

Pwnbook supports SSO via WorkOS, which provides integrations with identity providers such as Okta, Azure AD (now Microsoft Entra ID), Google Workspace, and any SAML 2.0 or OIDC-compatible IdP.

### Configuring SSO

1. Go to **Organization Settings** → **Security** → **Single Sign-On**.
2. Click **Configure SSO**.
3. Select your identity provider from the list.
4. Follow the setup wizard, which provides the Pwnbook-side values you'll need to configure on your IdP (for SAML, the ACS URL and Entity ID; OIDC providers use a redirect URI and client credentials instead).
5. After configuring your IdP, paste its metadata URL or upload its metadata XML into Pwnbook. For SAML this metadata carries the IdP's entity ID, its SSO endpoint, and the certificate Pwnbook will use to verify signed assertions.
6. Click **Test Connection** to verify the configuration.
7. Enable SSO for your organization.

Once SSO is enabled, members can log in through your identity provider. You can optionally require SSO for all members, which blocks password-based logins. Before turning that on, make sure **Test Connection** passed and at least one owner has signed in through SSO successfully, since a misconfigured IdP would otherwise lock the organization out.

### SSO provisioning

When configured with directory sync (SCIM), Pwnbook can automatically provision and deprovision user accounts based on your identity provider's user directory. Contact support for help configuring SCIM provisioning.
