# Authorization policies

> Learn how to manage authorization policies in Endor Labs.

Authorization policies define the permissions granted to an identity that authenticates through a supported identity provider, provided that the identity meets specific rule criteria. Those criteria are expressed as attributes or claims about the identity.

Authorization policies must contain the following information:

* The [supported identity provider](/platform-administration/rbac/authentication-providers) through which a given identity authenticates.
* The [role](/platform-administration/rbac/authorization-roles) provided to an identity.
* An optional expiration time for the policy.
* The rule criteria or claims required for an identity to access Endor Labs.

After setting up the authorization policy, you can [invite users to Endor Labs](/platform-administration/rbac/invitations).

## Set up authorization policies

To set up an authorization policy for your Endor Labs tenant:

1. Sign in to Endor Labs and select **Settings** > **Access Control** from the left sidebar.
2. Select **Auth Policy** and click **Add Auth Policy**.
3. Select the identity provider for which you want to configure an authorization policy.
4. Select the role to be granted to a matching identity.
5. Select an expiration time for the authorization rule.
   * This may be **No expiration**, **24 hours**, **72 hours**, **one week**, **two weeks**, or **30 days**.
6. Select the claims for which the authorization rule will provide access.
   * For **GitHub** and **GitLab**, this may be the user's platform handle.
   * For **Google**, this may be the user's email address or the domain of the email address.
   * For a **custom identity provider**, this may be a key-value pair associated with the claims provided by your external identity provider.
   * For **Email**, this may be the email address to which an authentication link is sent.
   * For **GitHub Action OIDC**, this may be the organization or repository under which a workload runs.
   * For **AWS Role**, this may be the AWS ARN of the role that the machine is set to impersonate.
   * For **Google Cloud**, this may be the principal email of a service account that the workload is set to impersonate.
   * For **Azure**, these may be the user's tenant ID, app ID, object ID, and optionally, the subscription ID.
7. Under **Advanced**, select a set of namespaces for which the authorization policy applies. If you choose to propagate this policy to all child namespaces, then the authorization policy will apply to any selected namespaces and their children.
8. Click **Add Auth Policy** to save your authorization policy.

After adding the authorization policy, a user with the corresponding authorization claims can sign in to Endor Labs with their configured permissions.
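The following is an added illustration of how the policy fields described above (identity provider, role, claims, expiration, namespaces, and child-namespace propagation) combine at sign-in time. It is a model written for this page, not Endor Labs' own code; the policy shape, the dotted namespace convention, the provider names, and the role names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class AuthPolicy:
    """One authorization policy with the fields this page lists (assumed shape, not the product's schema)."""
    provider: str                          # identity provider the identity must authenticate through
    role: str                              # role granted when the policy matches
    claims: dict                           # every key/value here must match the identity's claims
    namespaces: set                        # namespaces the policy applies to
    propagate: bool = False                # also apply to child namespaces
    expires_at: Optional[datetime] = None  # None means no expiration

def namespace_covered(policy: AuthPolicy, namespace: str) -> bool:
    """Namespaces are written as dotted paths here (constructed convention, e.g. 'acme.payments')."""
    if namespace in policy.namespaces:
        return True
    if not policy.propagate:
        return False
    return any(namespace.startswith(parent + ".") for parent in policy.namespaces)

def evaluate(policies, provider, identity_claims, namespace, now):
    """Return the set of roles the policies grant to an identity in a namespace."""
    roles = set()
    for p in policies:
        if p.provider != provider:                            # wrong identity provider
            continue
        if p.expires_at is not None and now >= p.expires_at:  # policy has expired
            continue
        if not namespace_covered(p, namespace):               # policy does not reach this namespace
            continue
        # Every configured claim must match; claims the identity carries beyond these are ignored.
        if all(identity_claims.get(k) == v for k, v in p.claims.items()):
            roles.add(p.role)
    return roles

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed reference time
POLICIES = [  # constructed sample policies; provider and role names are placeholders
    AuthPolicy("google", "reader", {"email_domain": "example.com"}, {"acme"}, propagate=True),
    AuthPolicy("github-action-oidc", "ci-scanner",
               {"org": "acme", "repo": "acme/payments"}, {"acme.payments"}),
    AuthPolicy("email", "reader", {"email": "support@example.com"}, {"acme"}, propagate=True,
               expires_at=NOW - timedelta(hours=1)),          # time-boxed grant that has already lapsed
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "google", {"email_domain": "example.com"}, "acme.payments", NOW))
    print(evaluate(POLICIES, "github-action-oidc", {"org": "acme", "repo": "acme/other"}, "acme.payments", NOW))
```

Note that the propagated Google policy reaches the child namespace while the repository-scoped OIDC policy does not reach its parent, and the lapsed support-style policy grants nothing even though its claim matches.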

See [Invite users to Endor Labs](/platform-administration/rbac/invitations).

## Search authorization policies

You can use the search functionality to find authorization policies based on specific criteria.

To search for authorization policies:

1. Select **Settings** > **Access Control** from the left sidebar.
2. Select **Auth Policy**.
3. Use the search bar to find policies by:
   * **Rule**: Search policies by any text or string patterns within the rule definitions.
   * **Created By**: Search policies by the email address of the creator.
   * **Namespaces**: Search policies associated with a specific namespace.

![Access Control interface](https://mintcdn.com/endorlabs-b4795f4f/2CFeZIRm7eKUPEq0/images/platform-administration/rbac/auth-policy-search.webp?fit=max&auto=format&n=2CFeZIRm7eKUPEq0&q=85&s=697d399cfc01d74343fbc53b55026cb0)

### Edit authorization policies

To edit an authorization policy:

1. Select **Settings** > **Access Control** from the left sidebar.
2. Select **Auth Policy**.
3. Click the vertical three dots on the right side of the policy you want to edit and click **Edit Auth Policy**.
4. You can update the identity provider, permission, expiration time, key-value claims, and namespaces the policy applies to.
5. Click **Propagate this policy to all child namespaces** to apply this policy to all child namespaces within the hierarchy.
6. Click **Update Auth Policy**.

![Edit authorization policy](https://mintcdn.com/endorlabs-b4795f4f/2CFeZIRm7eKUPEq0/images/platform-administration/rbac/edit-auth-policy.webp?fit=max&auto=format&n=2CFeZIRm7eKUPEq0&q=85&s=0dbfd079f27e48b045baeecae5775fd0)

### Delete authorization policies

To delete an authorization policy:

1. Select **Settings** > **Access Control** from the left sidebar.
2. Select **Auth Policy**.
3. Click the vertical three dots on the right side of the policy you want to delete and click **Delete Auth Policy**.
4. Click **Confirm** in **Delete Authorization Policy**.

### Grant support access

You can give the Endor Labs team read-only access to your namespaces for a limited time, allowing them to offer technical support and resolve issues.

You can revoke access and delete these policies at any time. See [delete authorization policy](#delete-authorization-policies) for more information.

To grant support access to your namespace:

1. Select **Settings** > **Access Control** from the left sidebar.
2. Select **Auth Policy** and click **Grant Support Access**.
3. Select an expiration time for the access from the drop-down menu.
4. Click **Grant Access**.
