Claude-code-plugins glean-enterprise-rbac

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/glean-pack/skills/glean-enterprise-rbac" ~/.claude/skills/jeremylongshore-claude-code-plugins-glean-enterprise-rbac && rm -rf "$T"
manifest: plugins/saas-packs/glean-pack/skills/glean-enterprise-rbac/SKILL.md

Glean Enterprise RBAC

Overview

Glean's enterprise search aggregates content from dozens of connectors (Google Drive, Confluence, Slack, Salesforce). RBAC ensures users only see documents they are authorized to access. Permissions flow from source systems through connector-level ACLs into Glean's unified index. Misconfigured permissions mean search results leak sensitive data across teams. SOC 2 and GDPR compliance require document-level access control and full audit trails on who searched what.

Role Hierarchy

Role | Permissions | Scope
Super Admin | Create API tokens, manage all connectors, configure SSO | Organization-wide
Admin | Add/edit datasources, manage user groups, view analytics | Assigned datasources
Content Manager | Set document permissions, manage allowedGroups per datasource | Own datasources
User | Search and view permitted documents | Documents matching ACLs
Viewer | Search only, no document previews or snippets | Restricted document set

Permission Check

// GLEAN_API and GLEAN_API_TOKEN are not defined by the skill; they are assumed to be
// supplied from the environment (base URL of the Glean API and a datasource-scoped token).
const GLEAN_API = process.env.GLEAN_API!;
const GLEAN_API_TOKEN = process.env.GLEAN_API_TOKEN!;

async function checkDocumentAccess(userId: string, documentId: string): Promise<boolean> {
  const response = await fetch(`${GLEAN_API}/permissions/check`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ userId, documentId }),
  });
  // Fail closed: a non-2xx reply (expired token, wrong scope) means no access, not an exception.
  if (!response.ok) return false;
  const result = await response.json();
  return result.hasAccess === true; // only an explicit boolean true grants access
}

Role Assignment

async function assignDatasourceRole(email: string, datasource: string, role: 'admin' | 'viewer'): Promise<void> {
  const response = await fetch(`${GLEAN_API}/datasources/${encodeURIComponent(datasource)}/permissions`, {
    method: 'PUT',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: email, role, allowedGroups: [`${datasource}-${role}s`] }),
  });
  // Surface failures instead of silently leaving the role unassigned.
  if (!response.ok) throw new Error(`assignDatasourceRole failed: HTTP ${response.status}`);
}

async function revokeDatasourceAccess(email: string, datasource: string): Promise<void> {
  // Encode both path segments so an email or datasource name cannot alter the request path.
  const response = await fetch(`${GLEAN_API}/datasources/${encodeURIComponent(datasource)}/permissions/${encodeURIComponent(email)}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}` },
  });
  // A revoke that did not take effect is a security event: throw so the caller retries or alerts.
  if (!response.ok) throw new Error(`revokeDatasourceAccess failed: HTTP ${response.status}`);
}

Audit Logging

interface GleanAuditEntry {
  timestamp: string; userId: string; action: 'search' | 'view' | 'index' | 'permission_change';
  datasource: string; query?: string; documentId?: string; result: 'allowed' | 'denied';
}

// Emits one JSON line per event (allowed and denied alike) with the org id attached,
// so stdout can be shipped to a SIEM and queried by user, datasource and result.
function logSearchAccess(entry: GleanAuditEntry): void {
  console.log(JSON.stringify({ ...entry, org: process.env.GLEAN_ORG_ID }));
}

RBAC Checklist

  • Each connector maps source-system ACLs to Glean allowedGroups
  • API tokens scoped per datasource, not organization-wide
  • SAML/SSO groups synced with Glean user groups daily
  • Document-level permissions verified after each connector sync
  • Search analytics reviewed monthly for unauthorized access patterns
  • Token rotation policy enforced quarterly
  • Sensitive datasources restricted to named allowedGroups only
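An added example, not code from the skill or from Glean's API, that ties the Audit Logging entries to the checklist item on reviewing search analytics: it parses the JSON lines logSearchAccess() emits and flags users repeatedly denied on one datasource, which is where a wrong allowedGroups mapping or a user probing for content they are not entitled to shows up first. The threshold, window and sample log lines are constructed assumptions.

```typescript
// Added example, not code from the Glean skill or Glean's API: review the JSON lines
// emitted by logSearchAccess() for users repeatedly denied on one datasource.
// threshold, windowMs and the sample lines are assumptions; tune to your own volume.
interface GleanAuditEntry {
  timestamp: string; userId: string; action: 'search' | 'view' | 'index' | 'permission_change';
  datasource: string; query?: string; documentId?: string; result: 'allowed' | 'denied';
}
interface DenialFinding { userId: string; datasource: string; denied: number; lastSeen: string; }

// One log line per element; malformed or incomplete lines are skipped, not fatal.
function parseAuditLines(lines: string[]): GleanAuditEntry[] {
  const entries: GleanAuditEntry[] = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line) as Partial<GleanAuditEntry>;
      if (e.timestamp && e.userId && e.datasource && (e.result === 'allowed' || e.result === 'denied')) entries.push(e as GleanAuditEntry);
    } catch { /* not JSON: skip */ }
  }
  return entries;
}

// Flag (user, datasource) pairs with >= threshold denied search/view events inside a
// sliding windowMs span; index and permission_change events are not counted.
function findDenialBursts(entries: GleanAuditEntry[], threshold = 3, windowMs = 3600_000): DenialFinding[] {
  const denied = entries
    .filter(e => e.result === 'denied' && (e.action === 'search' || e.action === 'view'))
    .sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
  const findings = new Map<string, DenialFinding>();
  const recent = new Map<string, number[]>(); // key -> epoch ms of denials still inside the window
  for (const e of denied) {
    const key = `${e.userId}|${e.datasource}`;
    const now = Date.parse(e.timestamp);
    const inWindow = [...(recent.get(key) ?? []), now].filter(t => t >= now - windowMs);
    recent.set(key, inWindow);
    if (inWindow.length >= threshold) {
      findings.set(key, { userId: e.userId, datasource: e.datasource, denied: inWindow.length, lastSeen: e.timestamp });
    }
  }
  return Array.from(findings.values());
}

// Constructed sample lines in logSearchAccess() output format (org is added by the logger).
const SAMPLE_LOG = [
  '{"timestamp":"2024-05-01T09:00:00Z","userId":"u1","action":"search","datasource":"salesforce","query":"q3 forecast","result":"denied","org":"acme"}',
  '{"timestamp":"2024-05-01T09:05:00Z","userId":"u1","action":"search","datasource":"salesforce","query":"pipeline","result":"denied","org":"acme"}',
  '{"timestamp":"2024-05-01T09:10:00Z","userId":"u1","action":"view","datasource":"salesforce","documentId":"d7","result":"denied","org":"acme"}',
  '{"timestamp":"2024-05-01T09:11:00Z","userId":"u2","action":"search","datasource":"confluence","query":"onboarding","result":"allowed","org":"acme"}',
  '{"timestamp":"2024-05-01T09:12:00Z","userId":"u2","action":"search","datasource":"salesforce","query":"renewals","result":"denied","org":"acme"}',
  'not json at all',
];
```

A finding is a review prompt, not a verdict: check the user's group membership against the source system ACL before deciding whether the mapping or the user is the problem.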

Error Handling

Issue | Cause | Fix
User sees documents from wrong team | allowedGroups not mapped to connector | Reconfigure connector ACL mapping in admin console
403 Forbidden on search API | Expired or wrong-scope API token | Regenerate token with correct datasource scope
Stale permissions after IdP change | Connector sync lag | Trigger manual resync from Glean admin
Missing search results | Overly restrictive allowedGroups | Audit group membership against source system ACLs

Resources

Next Steps

See glean-security-basics.