Symptom
User reports one or more of the following:
- Login fails.
- SSO sign-in fails.
- Role is not assigned correctly.
- Permission denied when performing expected action.
Diagnosis steps
- Confirm user identity, email, and workspace.
- Check current role assignment in admin console.
- Verify SSO configuration and recent identity provider changes.
- Reproduce denied action with role matrix reference.
- Check if issue is isolated to one user or group.
Root cause
- User not provisioned in target workspace.
- Role missing or incorrectly assigned.
- SSO claim mismatch or expired session.
- Permission policy not aligned with required action.
Resolution
Login or SSO failure
- Confirm user account is active.
- Ask user to re-authenticate and clear stale session.
- Validate SSO claims mapping for required attributes.
Role not assigned
- Assign correct role based on task requirements.
- Ask user to sign out and sign in again.
- Confirm updated role appears in user profile.
Permission denied
- Compare requested action against role matrix.
- If expected, update role assignment.
- Re-test action and confirm success.
Escalation
Escalate when:
- SSO errors persist after claim and session validation.
- Role updates do not propagate.
- Permission denial impacts multiple users unexpectedly.
Escalate to:
- L2 Support for identity and policy diagnostics.
- Engineering for authorization service defects.
Include:
- Workspace ID, user ID, role assignment history.
- SSO provider logs and timestamp.
- Exact denied action and error text.