OpenSkillIndex← back to search
claude-code

Claude-code-plugins lindy-enterprise-rbac

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/lindy-pack/skills/lindy-enterprise-rbac" ~/.claude/skills/jeremylongshore-claude-code-plugins-lindy-enterprise-rbac && rm -rf "$T"
manifest: plugins/saas-packs/lindy-pack/skills/lindy-enterprise-rbac/SKILL.md
tags
#saas#lindy#security#rbac
source content

Lindy Enterprise RBAC

Overview

Lindy organizes access around workspaces where agents live. Team members are assigned roles that control who can create, modify, run, or observe agents and their execution history. Enterprise features add SSO, SCIM, audit logs, and granular permission controls.

Prerequisites

  • Lindy Team ($49.99/mo + $19.99/seat) or Enterprise plan
  • Workspace owner privileges
  • Team members invited to the workspace

Lindy Role Model

RoleCreate AgentsEdit AgentsRun AgentsView TasksManage Team
OwnerYesYesYesYesYes
EditorYesYesYesYesNo
ViewerNoNoNoYesNo

Instructions

Step 1: Map Organizational Roles to Lindy Roles

Org RoleLindy RoleRationale
Engineering LeadOwnerFull workspace control
DeveloperEditorBuild and modify agents
Ops/SupportEditorRun agents and configure workflows
ManagerViewerMonitor task execution and metrics
StakeholderViewerRead-only access to results

Step 2: Invite Team Members

  1. Go to Settings > Team in the Lindy dashboard
  2. Click Invite Member
  3. Enter email address
  4. Select role: Owner, Editor, or Viewer
  5. Confirm invitation

Pro plan: Each additional seat costs $19.99/month Enterprise plan: Custom pricing with bulk seat discounts

Step 3: Organize Agents with Folders

Use folders to organize agents by team, function, or environment:

Workspace: Acme Corp Production
├── Support/
│   ├── Email Triage Agent
│   ├── FAQ Chatbot
│   └── Escalation Agent
├── Sales/
│   ├── Lead Router
│   ├── Follow-up Agent
│   └── Meeting Scheduler
├── Operations/
│   ├── Daily Report Agent
│   ├── Monitoring Agent
│   └── Data Pipeline Agent
└── Shared/
    ├── Knowledge Base Agent
    └── Notification Agent

Folder permissions: Share folders with specific team members to control visibility. Agents in private folders are only visible to the folder owner.

Step 4: Agent Sharing Controls

Each agent can be shared independently:

Sharing LevelWho Gets ItWhat They Can Do
Edit accessTeam collaboratorsEdit agent, see all tasks
User accessAgent consumersRun agent, trigger workflows
TemplateAnyone with linkMake a copy (no access to original)

Step 5: Connection Sharing

Control which team members can use shared integration connections:

  • Private connections: Only the connection creator can use them
  • Shared connections: Any team member can use them in their agents
  • Recommendation: Keep sensitive connections (payment gateways, databases) private

Step 6: API Key Isolation

Create separate API keys per integration purpose:

API KeyPurposeScopeRotation
lnd_prod_app_xxxx
Application webhook triggersProduction only90 days
lnd_prod_ci_xxxx
CI/CD smoke testsTest agents only90 days
lnd_prod_monitor_xxxx
Monitoring/observabilityRead-only90 days

Revoke keys immediately when a team member with access leaves the organization.

Step 7: Enterprise Security Features

SSO (Single Sign-On):

  • SAML-based authentication
  • Configure in Enterprise settings
  • Users authenticate through your identity provider
  • Automatic session management

SCIM (User Provisioning):

  • Automated user creation and deactivation
  • Sync with your identity provider (Okta, Azure AD, etc.)
  • When an employee leaves, SCIM automatically revokes Lindy access
  • Group mappings to Lindy roles

Audit Logs:

  • Complete activity trail for compliance
  • Track who created, modified, or deleted agents
  • Track who accessed task data
  • Export for security review

Encryption:

  • AES-256 encryption at rest
  • TLS encryption in transit
  • No data sharing between workspaces

Step 8: Offboarding Procedure

When a team member leaves:

  1. SCIM auto-deactivates their account (Enterprise) or manually remove
  2. Revoke any API keys they had access to
  3. Transfer ownership of agents they created
  4. Review and re-authorize any integrations they set up
  5. Audit recent task history for their agents

Access Control Checklist

  • Team roles mapped to Lindy roles
  • All team members invited with appropriate role
  • Agents organized in folders by team/function
  • Sensitive agents in private folders
  • Connections shared only as needed
  • Separate API keys per integration purpose
  • Key rotation schedule (90-day max)
  • Enterprise: SSO enabled
  • Enterprise: SCIM configured
  • Enterprise: Audit log review scheduled (monthly)
  • Offboarding procedure documented

Error Handling

IssueCauseSolution
403 Forbidden
on agent create		User has Viewer rolePromote to Editor
Agent not visible to teammateAgent in private folderMove to shared folder
API key returns 
401
Key revoked or expiredGenerate new key
Cannot delete workspaceNot the OwnerTransfer ownership first
SSO login failsSAML misconfiguredVerify IdP metadata and assertions
SCIM not syncingEndpoint URL wrongCheck SCIM endpoint in IdP config

Resources

Next Steps

Proceed to 

lindy-migration-deep-dive
for platform migration strategies.