Account Access and SSO
Account and access controls decide who can use a MergeLoom workspace and whose tickets can trigger automation.
Open the customer controller, then go to Account & Access.
| Role | What the user can do |
|---|---|
| Workspace admin | Change integrations, repository settings, workflow rules, prompts, notifications, access, execution mode, and billing. |
| Workspace user | View the workspace and the run information exposed to users. Can be the assigned requester for eligible ticket intake. Configuration is read-only. |
MergeLoom also has an internal platform admin UI at /admin. That is for MergeLoom operators, not normal customer workspace administration.
Invitations
Workspace admins can invite users by email. The invite flow creates a workspace user and applies the selected role once the invite is accepted.
Business email guardrails can reject consumer or disposable email domains, depending on workspace and platform policy. If an invite fails, check the email domain first.
Assignment Checks
MergeLoom enforces assigned-user intake for current ticket workflows: when the provider exposes assignment information, a ticket or issue must be assigned to a user who belongs to the MergeLoom workspace.
If the ticket is assigned to someone outside the workspace, MergeLoom should leave the item in place, record the denial in the controller-side audit log, and not start work.
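The assignment gate described above, written out as an added illustrative example (not MergeLoom's own code). The `Ticket`, `Decision`, `check_assignment` names and the `fail_closed` knob are assumptions: the page does not say what happens when a provider hides assignment information, so the example denies in that case by default and lets the caller opt into treating the gate as not applicable. The ticket object is never mutated, matching the "leave the item in place" behaviour, and every denial is appended to a controller-side audit list.

```python
"""Assigned-user intake gate (illustrative example, not MergeLoom's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    labels: frozenset
    assignee: Optional[str]           # assignee email as the provider reports it; None if unassigned
    assignment_exposed: bool = True   # False when the provider gives no assignment information


@dataclass(frozen=True)
class Decision:
    action: str   # "start", "deny" or "skip"
    reason: str


def normalize_email(email: str) -> str:
    # Providers differ in casing and whitespace; compare on a canonical form.
    return email.strip().lower()


def _deny(ticket: Ticket, audit: List[dict], reason: str) -> Decision:
    # Denials are recorded controller-side; the ticket itself is left untouched.
    audit.append({"ticket": ticket.ticket_id, "outcome": "deny", "reason": reason})
    return Decision("deny", reason)


def check_assignment(ticket: Ticket, workspace_members: Iterable[str], required_label: str,
                     audit: List[dict], fail_closed: bool = True) -> Decision:
    """Decide whether intake may start work on `ticket`.

    workspace_members: emails of users who belong to the workspace.
    audit: list the controller appends denial records to.
    fail_closed: hypothetical knob. When the provider hides assignment, deny (True)
                 or treat the assignment gate as not applicable (False).
    """
    if required_label not in ticket.labels:
        return Decision("skip", "intake label not present")
    if not ticket.assignment_exposed:
        if fail_closed:
            return _deny(ticket, audit, "assignment not exposed by provider")
        return Decision("start", "assignment gate not applicable")
    if ticket.assignee is None:
        return _deny(ticket, audit, "ticket is unassigned")
    members = {normalize_email(m) for m in workspace_members}
    if normalize_email(ticket.assignee) not in members:
        return _deny(ticket, audit, "assignee is not a workspace user")
    return Decision("start", "assignee is a workspace user")


if __name__ == "__main__":
    # Constructed sample data.
    members = ["dev@example.com"]
    audit: List[dict] = []
    for t in (Ticket("T-1", frozenset({"mergeloom"}), "Dev@Example.com"),
              Ticket("T-2", frozenset({"mergeloom"}), "outsider@other.example"),
              Ticket("T-3", frozenset({"mergeloom"}), None)):
        print(t.ticket_id, check_assignment(t, members, "mergeloom", audit))
    print("audit:", audit)
```

Membership is compared on normalized email rather than display name, which is the field a ticketing provider is most likely to report consistently; if your provider exposes a stable user ID, key membership on that instead.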
SSO
Where enabled, Account & Access can configure OIDC SSO for the workspace.
Typical setup requires:
- issuer URL
- client ID
- client secret
- callback or redirect URL from the MergeLoom controller
- allowed email domains or group rules where configured
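The email-domain guardrail from the Invitations section and the policy checks a controller applies to an OIDC login both reduce to the same small set of rules, so one added example covers both. It is illustrative code, not MergeLoom's: the function names, the sample blocked-domain list and the sample claims are constructed here. It assumes the OIDC library has already verified the ID token signature and nonce; what follows are the workspace-policy checks layered on top (issuer and audience pinning, expiry, verified email, allowed domains) plus the exact-match redirect URL comparison.

```python
"""Email-domain guardrail and OIDC claim policy checks (illustrative, not MergeLoom's code)."""
import time
from urllib.parse import urlsplit

# Constructed sample policy; a real deployment loads this from workspace/platform settings.
CONSUMER_OR_DISPOSABLE = {"gmail.com", "yahoo.com", "mailinator.com", "10minutemail.com"}


def email_domain(email):
    """Return the lowercase domain part, or None if the address is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.strip().lower().rsplit("@", 1)
    if not local or not domain or "." not in domain:
        return None
    return domain


def domain_matches(domain, rule):
    """Exact match or a subdomain of the rule (eng.example.com matches example.com)."""
    return domain == rule or domain.endswith("." + rule)


def check_email_policy(email, allowed_domains=(), blocked_domains=CONSUMER_OR_DISPOSABLE):
    """Invite/SSO guardrail. Returns (ok, reason); the block list wins over the allow list."""
    domain = email_domain(email)
    if domain is None:
        return False, "malformed address"
    if any(domain_matches(domain, b) for b in blocked_domains):
        return False, "consumer, disposable or blocked domain: " + domain
    if allowed_domains and not any(domain_matches(domain, a) for a in allowed_domains):
        return False, "domain not in workspace allow list: " + domain
    return True, "ok"


def redirect_uri_matches(registered, presented):
    """Redirect URLs are compared byte-for-byte (no prefix or trailing-slash leniency)
    and the controller callback must be https."""
    return registered == presented and urlsplit(presented).scheme == "https"


def validate_id_token_claims(claims, issuer, client_id, allowed_domains, now=None):
    """Policy checks run after signature/nonce verification. Returns (ok, reason)."""
    now = time.time() if now is None else now
    # Issuer is compared exactly; a trailing slash or different host is a different issuer.
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "token not issued for this client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email not verified by the identity provider"
    return check_email_policy(claims.get("email", ""), allowed_domains)


if __name__ == "__main__":
    # Constructed sample claims; no identity provider is contacted.
    claims = {"iss": "https://idp.example.com", "aud": "mergeloom-client", "exp": time.time() + 300,
              "email": "alice@example.com", "email_verified": True}
    print(validate_id_token_claims(claims, "https://idp.example.com", "mergeloom-client", ("example.com",)))
    print(check_email_policy("bob@mailinator.com", ("example.com",)))
```

Two checks worth keeping exactly as strict as shown: the issuer comparison (a provider URL with and without a trailing slash must not both pass) and `email_verified`, since an IdP that lets users self-assert an address would otherwise let anyone claim an allowed domain.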
Confirm SAML and directory group lookup availability with MergeLoom before documenting a rollout plan. OIDC-backed workspace access is the path the current codebase supports; broader SSO and provider availability may depend on plan and environment.
Cloud Hosted and Self Hosted
Access controls are controller-owned in both deployment modes.
Self Hosted workers do not include an app-native SSO layer of their own. Protect the Local Worker UI at your infrastructure boundary: SSH tunneling, a VPN, private ingress, an identity-aware proxy, or another approved access control.
Troubleshooting
| Symptom | Check |
|---|---|
| User cannot change settings | User is not a workspace admin. |
| Ticket is denied even though labels match | Ticket is unassigned or assigned to someone who is not a MergeLoom workspace user. |
| Invite is rejected | Email domain is consumer, disposable, blocked, or not allowed by policy. |
| SSO login fails | Issuer URL, callback URL, client credentials, and email domain mapping match the identity provider configuration. |