Commit 518e350

Merge pull request #3956 from ClickHouse/Blargian-patch-40
Update saml-sso-setup.md
2 parents db9f6a7 + e5fa8ab commit 518e350

2 files changed (+4 -2 lines changed)

docs/cloud/security/cloud-access-management/cloud-access-management.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ Configure Organization and Service role assignments within the Console > Users a
1616

1717
Users must be assigned an organization level role and may optionally be assigned service roles for one or more services. Service roles may be optionally configured for users to access the SQL console in the service settings page.
1818
- Users assigned the Organization Admin role are granted Service Admin by default.
19-
- Users added to an organization via a SAML integration are automatically assigned the Member role.
19+
- Users added to an organization via a SAML integration are automatically assigned the Member role, with least privilege and without access to any services until configured.
2020
- Service Admin is assigned the SQL console admin role by default. SQL console permissions may be removed in the service settings page.
2121

2222
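
Review bot: In the added bullet (new line 19), "with least privilege and without access to any services until configured" does not say what has to be configured or by whom, and "with least privilege" reads as a dangling modifier on the role name. Suggest naming the actor and the action, for example "are automatically assigned the Member role, which carries the least privilege and has no access to any services until an admin assigns service roles"; that also lines up with the wording this commit adds to saml-sso-setup.md ("should have their access and roles updated by an Admin"). The bullet above calls the role "Organization Admin" while the other file says "Admin", so using one name in both files would remove doubt about which role can grant access.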

docs/cloud/security/saml-sso-setup.md

Lines changed: 3 additions & 1 deletion
@@ -344,7 +344,9 @@ We only utilize service provider initiated SSO. This means users go to `https://
344344

345345
### Assigning User Roles {#assigning-user-roles}
346346

347-
Users will appear in your ClickHouse Cloud console after they are assigned to your IdP application and log in for the first time. At least one SSO user should be assigned the Admin role in your organization. Use social login or `https://console.clickhouse.cloud/?with=email` to log in with your original authentication method to update your SSO role.
347+
Users will appear in your ClickHouse Cloud console after they are assigned to your IdP application and log in for the first time. At least one SSO user should be assigned the Admin role in your organization and additional users that login with SSO will be created with the role of ["Member"](/cloud/security/cloud-access-management/overview#console-users-and-roles), meaning that by default they do not have access to any services and should have their access and roles updated by an Admin.
348+
349+
Use social login or `https://console.clickhouse.cloud/?with=email` to log in with your original authentication method to update your SSO role.
348350

349351
### Removing Non-SSO Users {#removing-non-sso-users}
350352
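
Review bot: The rewritten sentence on new line 347 joins two separate statements with "and" ("At least one SSO user should be assigned the Admin role in your organization and additional users that login with SSO will be created with the role of ..."), and "additional users" implies the first SSO user is treated differently, which the text does not state. Suggest splitting it into two sentences, saying plainly that SSO users are created as Member by default, and changing "login" to the verb form "log in", which the following paragraph already uses. Moving "Use social login or ... to update your SSO role" to its own paragraph also detaches it from the reason it is needed: if every SSO user starts as Member, the first Admin assignment has to be made from an account using the original authentication method, and that is worth stating explicitly before the "Removing Non-SSO Users" section that follows. Please also confirm that the link target `/cloud/security/cloud-access-management/overview#console-users-and-roles` resolves, since the file edited in this commit is `cloud-access-management.md` and no `{#console-users-and-roles}` anchor is visible in the diff.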
