
# User Roles

> Roles define and manage user access permissions for Minimus users

Roles are used to control user access permissions. The following table shows a comparison of Minimus user roles.

| **Feature**                                          | **Viewer** | **Operator** | **Admin** |
| :--------------------------------------------------- | :--------- | :----------- | :-------- |
| [Image Gallery](/gallery)                            | ✅          | ✅            | ✅         |
| [Image Creator](/advanced-tooling/image-creator)     | RO         | RW           | RW        |
| [Actions](/remediate/actions)                        | RO         | RW           | RW        |
| [Self-hosted Registry](/manage/self-hosted-registry) | ⛔          | ✅            | ✅         |
| [User Management](/manage/users) + [SAML](/sso/saml) | ⛔          | ⛔            | RW        |
| [Token Management](/manage/token)                    | RO         | RW           | RW        |
| [Helm Charts](/foundations/helm-charts)              | ✅          | ✅            | ✅         |
| [Activity Logs](/manage/activity-log)                | ⛔          | ⛔            | ✅         |

* RO stands for Read-only
* RW stands for Read and Write

## Highest role "wins"

If a SAML user belongs to multiple groups with competing roles, Minimus will assign the highest available role. The calculation is done at runtime.

Assigning the highest role provides a clear and predictable method for resolving overlapping permissions. This approach prevents accidental loss of required access and avoids ambiguity. It also simplifies permission evaluation and makes access configurations easier for administrators and users to understand.

## New group assignment

Group membership cannot reduce a user’s permissions. You can be confident that adding an existing SAML user to another group will not unintentionally reduce their role.

## SAML user role

Typically, SAML user roles are managed via groups. However, you have the option to elevate a specific user's role independently of any group. See the [instructions](/manage/users#elevate-user-role).
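The following is an added example, not Minimus code: a small model of the "highest role wins" rule that an administrator could use during an access review to see which group (or override) is responsible for a user's role. The group names, user names, the `user-override` label, and the treatment of unmapped groups and of the override as one more candidate are assumptions.

```python
from enum import IntEnum

class Role(IntEnum):
    # Ordering follows the comparison table: Viewer < Operator < Admin.
    VIEWER = 1
    OPERATOR = 2
    ADMIN = 3

def effective_role(groups, group_roles, override=None):
    """Return (role, sources): the highest role and every source granting it.

    Groups with no configured mapping grant nothing (assumption). `override`
    models the per-user elevation as one more candidate (assumption).
    """
    candidates = [(group_roles[g], g) for g in groups if g in group_roles]
    if override is not None:
        candidates.append((override, "user-override"))
    if not candidates:
        return None, []
    top = max(role for role, _ in candidates)
    return top, sorted(src for role, src in candidates if role == top)

def explain(users, group_roles):
    """Map each user to (role name, sources) for an access review."""
    report = {}
    for name, info in users.items():
        role, sources = effective_role(info["groups"], group_roles, info.get("override"))
        report[name] = (role.name if role is not None else None, sources)
    return report

# Constructed sample data; group and user names are hypothetical.
GROUP_ROLES = {
    "eng-readers": Role.VIEWER,
    "platform-ops": Role.OPERATOR,
    "security-admins": Role.ADMIN,
}
USERS = {
    "alice": {"groups": ["eng-readers", "security-admins"]},
    "bob": {"groups": ["eng-readers", "unmapped-group"], "override": Role.OPERATOR},
    "carol": {"groups": ["unmapped-group"]},
}

if __name__ == "__main__":
    for user, (role, sources) in explain(USERS, GROUP_ROLES).items():
        print(f"{user}: {role} via {', '.join(sources) or 'no mapped group'}")
```

Because the result is a maximum over all sources, lowering a user's role means removing every source listed for it, not just one group.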

## Troubleshooting SAML user permissions

1. If SAML settings changed recently, ask the user to log out and then log back in. SAML changes only take effect when the user logs in.

   <img src="https://mintcdn.com/gutsy-6162adbc/E_5Ev-QfXdYyTJ22/images/sso-sign-in.png?fit=max&auto=format&n=E_5Ev-QfXdYyTJ22&q=85&s=8e94b7c830344653cc85a9705c5066fe" alt="SSO Sign In" width="1655" height="1225" data-path="images/sso-sign-in.png" />
2. Make sure the group is correctly configured in the Minimus SAML form. [Learn more](/sso/okta)

   <img src="https://mintcdn.com/gutsy-6162adbc/4UNrTUUFokLD-S84/images/configure-saml-groups.png?fit=max&auto=format&n=4UNrTUUFokLD-S84&q=85&s=02feb7d41fa2efba1ec31efffbc6a886" alt="Configure SAML Groups" width="2168" height="1229" data-path="images/configure-saml-groups.png" />
3. Check for a SAML user role override on the users page. [Learn more](/manage/users#elevate-user-role)

   <img src="https://mintcdn.com/gutsy-6162adbc/E_5Ev-QfXdYyTJ22/images/saml-user-rule-override.png?fit=max&auto=format&n=E_5Ev-QfXdYyTJ22&q=85&s=bc3aefa55c5c77b0d57855a93baa7540" alt="SAML User Rule Override" width="1872" height="919" data-path="images/saml-user-rule-override.png" />
