Claude-code-plugins-plus-skills granola-enterprise-rbac
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/granola-pack/skills/granola-enterprise-rbac" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-granola-enterprise-rbac && rm -rf "$T"
plugins/saas-packs/granola-pack/skills/granola-enterprise-rbac/SKILL.md
Granola Enterprise RBAC
Overview
Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.
Prerequisites
- Granola Enterprise plan ($35+/user/month)
- Organization admin access
- SSO configured (Okta, Azure AD, or Google Workspace)
- SCIM provisioning enabled (recommended for automated role assignment)
Instructions
Step 1 — Understand the Role Hierarchy
```text
Organization Owner (1-2 people)
│   Full control: billing, SSO, org settings, all workspaces
│
├── Workspace Admin (per department)
│   Manage workspace: members, integrations, settings
│   All member capabilities
│
├── Team Lead
│   View team analytics, manage folder structure
│   All member capabilities
│
├── Member (default role)
│   Create notes, share internally, use integrations
│
├── Viewer
│   Read-only access to shared notes
│   Cannot create or record meetings
│
└── Guest (external)
    Single workspace access, read-only
    Time-limited (30-day default expiration)
```
Step 2 — Permission Matrix
| Permission | Owner | WS Admin | Lead | Member | Viewer | Guest |
|---|---|---|---|---|---|---|
| Record meetings | Yes | Yes | Yes | Yes | No | No |
| Create notes | Yes | Yes | Yes | Yes | No | No |
| Share internally | Yes | Yes | Yes | Yes | No | No |
| Share externally | Yes | Yes | Policy | Policy | No | No |
| View shared notes | Yes | Yes | Yes | Yes | Yes | Yes |
| Manage integrations | Yes | Yes | No | No | No | No |
| Manage members | Yes | Yes | No | No | No | No |
| View analytics | Yes | Yes | Yes | No | No | No |
| Configure retention | Yes | Yes | No | No | No | No |
| Manage billing | Yes | No | No | No | No | No |
| Configure SSO/SCIM | Yes | No | No | No | No | No |
Step 3 — Map SSO Groups to Roles
Configure in Organization Settings > Security > SSO > Group Mapping:
| SSO Group (IdP) | Granola Workspace | Granola Role |
|---|---|---|
| | Engineering | Member |
| | Engineering | Admin |
| | Sales | Member |
| | Sales | Admin |
| | Product | Member |
| | HR | Member |
| | HR | Admin |
| | Executive | Admin |
| | Engineering | Guest |
Multi-workspace membership: A user can belong to multiple workspaces with different roles:
- Sarah Chen: Engineering (Member) + Product (Admin) + Executive (Viewer)
- Mike Johnson: Sales (Admin) + Engineering (Guest for cross-team visibility)
Step 4 — Configure Sharing Policies
Set per-workspace sharing rules to control data flow:
Standard workspaces (Engineering, Product, Sales):
Workspace Settings > Sharing:
- Internal sharing: Automatic within workspace members
- Cross-workspace: Allowed with admin approval
- External sharing: Allowed with link expiration (30 days)
- Public links: Disabled
Confidential workspaces (HR, Executive):
Workspace Settings > Sharing:
- Internal sharing: Manual only (no auto-share)
- Cross-workspace: Disabled
- External sharing: Disabled
- Public links: Disabled
- Note visibility: Creator + explicitly added viewers only
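The permission matrix (Step 2), multi-workspace membership (Step 3) and per-workspace sharing policies (Step 4) together decide whether a given action is allowed. The resolver below is an added example, not Granola's own code or API: it encodes the matrix as data, applies the workspace sharing policy wherever the matrix says "Policy" (and treats a workspace-level "Disabled" as overriding the role grant, which is the "Workspace policy override" case in Error Handling), and expires Guest memberships after the 30-day default. The users, membership dates and the `priya.patel` account are constructed sample data.

```python
"""Workspace-scoped permission resolver built from the Step 2 matrix,
Step 3 multi-workspace memberships and Step 4 sharing policies.
Added example, not Granola's own code; all users and dates are constructed."""
from datetime import date, timedelta

ROLES = ("Owner", "WS Admin", "Lead", "Member", "Viewer", "Guest")

# Permission matrix transcribed from Step 2. "Policy" = workspace sharing policy decides.
PERMISSIONS = {
    "record_meetings":     ("Yes", "Yes", "Yes", "Yes", "No", "No"),
    "create_notes":        ("Yes", "Yes", "Yes", "Yes", "No", "No"),
    "share_internally":    ("Yes", "Yes", "Yes", "Yes", "No", "No"),
    "share_externally":    ("Yes", "Yes", "Policy", "Policy", "No", "No"),
    "view_shared_notes":   ("Yes", "Yes", "Yes", "Yes", "Yes", "Yes"),
    "manage_integrations": ("Yes", "Yes", "No", "No", "No", "No"),
    "manage_members":      ("Yes", "Yes", "No", "No", "No", "No"),
    "view_analytics":      ("Yes", "Yes", "Yes", "No", "No", "No"),
    "configure_retention": ("Yes", "Yes", "No", "No", "No", "No"),
    "manage_billing":      ("Yes", "No", "No", "No", "No", "No"),
    "configure_sso_scim":  ("Yes", "No", "No", "No", "No", "No"),
}

# Sharing policies from Step 4: standard vs confidential workspaces.
STANDARD = {"external_sharing": True, "cross_workspace": "admin_approval", "public_links": False}
CONFIDENTIAL = {"external_sharing": False, "cross_workspace": False, "public_links": False}
WORKSPACE_POLICY = {
    "Engineering": STANDARD, "Product": STANDARD, "Sales": STANDARD,
    "HR": CONFIDENTIAL, "Executive": CONFIDENTIAL,
}

GUEST_TTL = timedelta(days=30)  # 30-day default Guest expiration

# Constructed memberships: user -> [(workspace, role, granted_on)].
# sarah.chen and mike.johnson follow the Step 3 examples; priya.patel is invented.
USERS = {
    "sarah.chen": [("Engineering", "Member", date(2025, 1, 10)),
                   ("Product", "WS Admin", date(2025, 1, 10)),
                   ("Executive", "Viewer", date(2025, 1, 10))],
    "mike.johnson": [("Sales", "WS Admin", date(2025, 1, 10)),
                     ("Engineering", "Guest", date(2025, 1, 10))],
    "priya.patel": [("HR", "WS Admin", date(2025, 1, 10))],
}


def role_in(user, workspace, today):
    """Return the user's role in one workspace, or None; Guest roles expire after GUEST_TTL."""
    for ws, role, granted in USERS.get(user, []):
        if ws != workspace:
            continue
        if role == "Guest" and today - granted > GUEST_TTL:
            return None  # expired guest: treated as no membership
        return role
    return None


def is_allowed(user, workspace, permission, today):
    """Authorization decision for one (user, workspace, permission)."""
    role = role_in(user, workspace, today)
    if role is None:
        return False
    cell = PERMISSIONS[permission][ROLES.index(role)]
    if cell == "No":
        return False
    if permission == "share_externally":
        # Workspace policy overrides the role grant: a confidential workspace
        # blocks external sharing even for admins (assumption, see lead-in).
        return WORKSPACE_POLICY[workspace]["external_sharing"]
    return cell == "Yes"


def effective_permissions(user, workspace, today):
    """Sorted list of permissions the user holds in the workspace; handy for access reviews."""
    return sorted(p for p in PERMISSIONS if is_allowed(user, workspace, p, today))
```

Running `effective_permissions("sarah.chen", "Executive", date(2025, 2, 1))` shows that her Viewer seat in the confidential Executive workspace grants read access only, while the same user is a full admin in Product; that per-workspace split is what the multi-workspace model is for.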
Step 5 — Implement Least Privilege
Follow the principle of least privilege for role assignments:
- Default new users to Member — sufficient for 90% of use cases
- Promote to Admin only for workspace managers — IT leads, department heads
- Use Viewer for stakeholders who need to read notes but not create them
- Time-limit Guest access — 30-day default, renew explicitly
- Review access quarterly:
## Quarterly Access Review Checklist
- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns
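Most of the checklist above can be automated by diffing the Granola user list against the IdP. The script below is an added example, not Granola's own tooling: it takes a user export (the information shown under Settings > Team), the IdP's current group memberships and the SSO group-to-role mapping, and emits findings for orphaned accounts, over-privileged admins, expired guests and roles with no matching SSO group. The export field names, the IdP group names (`granola-eng-members` and friends) and every user are constructed placeholders.

```python
"""Quarterly access review (Step 5) as a diff between a Granola user export
and IdP group membership. Added example, not Granola tooling; all data is constructed."""
from datetime import date

# Constructed SSO group -> (workspace, role) mapping. Step 3 gives the
# workspace/role pairs; the IdP group names are placeholders.
GROUP_MAP = {
    "granola-eng-members": ("Engineering", "Member"),
    "granola-eng-admins": ("Engineering", "Admin"),
    "granola-hr-members": ("HR", "Member"),
    "granola-hr-admins": ("HR", "Admin"),
    "granola-exec-admins": ("Executive", "Admin"),
}

# Constructed IdP state: active users and the groups they belong to.
IDP_USERS = {
    "sarah.chen": {"granola-eng-members"},
    "mike.johnson": {"granola-hr-members"},
    "priya.patel": {"granola-hr-admins", "granola-exec-admins"},
}

# Constructed Granola user export (one row per workspace membership).
GRANOLA_EXPORT = [
    {"user": "sarah.chen", "workspace": "Engineering", "role": "Admin", "status": "active"},
    {"user": "mike.johnson", "workspace": "HR", "role": "Member", "status": "active"},
    {"user": "priya.patel", "workspace": "HR", "role": "Admin", "status": "active"},
    {"user": "priya.patel", "workspace": "Executive", "role": "Admin", "status": "active"},
    {"user": "old.contractor", "workspace": "Engineering", "role": "Member", "status": "active"},
    {"user": "vendor.guest", "workspace": "Sales", "role": "Guest", "status": "active",
     "expires_on": "2025-01-15"},
]


def expected_roles(idp_groups):
    """Resolve a user's IdP groups to the (workspace, role) pairs the mapping would grant."""
    return {GROUP_MAP[g] for g in idp_groups if g in GROUP_MAP}


def review_access(export, idp_users, today):
    """Return (user, workspace, finding) tuples; an empty list means the review is clean."""
    findings = []
    for row in export:
        if row["status"] != "active":
            continue  # already deactivated, nothing to review
        user, ws, role = row["user"], row["workspace"], row["role"]
        if role == "Guest":
            # Guests are external and have no IdP account; only check the time limit.
            expires = row.get("expires_on")
            if expires and date.fromisoformat(expires) < today:
                findings.append((user, ws, "expired_guest"))
            continue
        if user not in idp_users:
            # Still active in Granola but gone from the IdP: SCIM deprovisioning missed it.
            findings.append((user, ws, "orphaned_account"))
            continue
        granted = expected_roles(idp_users[user])
        if (ws, role) in granted:
            continue  # role matches what the SSO mapping grants
        if role == "Admin" and (ws, "Member") in granted:
            findings.append((user, ws, "over_privileged"))  # downgrade Admin -> Member
        else:
            findings.append((user, ws, "no_matching_sso_group"))
    return findings


if __name__ == "__main__":
    for finding in review_access(GRANOLA_EXPORT, IDP_USERS, date(2025, 4, 1)):
        print(*finding)
```

Each finding maps onto one checklist line: `orphaned_account` to "Deactivate users who have left", `over_privileged` to "Downgrade over-privileged users", `expired_guest` to "Remove expired Guest accounts", and `no_matching_sso_group` to "Verify SSO group mappings match current org chart". Manually assigned roles (Step 7's "Or manually: Workspace Settings > Members") show up as the last kind, which is exactly the drift a quarterly review is meant to catch.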
Step 6 — Enable Audit Logging
Enterprise audit logging captures:
| Event | What's Logged |
|---|---|
| User login | Who, when, from where (IP) |
| Note created | Creator, meeting, workspace |
| Note shared | Sharer, recipient, method (Slack/Notion/link) |
| Note exported | Who exported, which note |
| Role changed | Admin, user affected, old role → new role |
| Integration connected/disconnected | Who, which integration |
| Workspace settings changed | Admin, what changed |
Access audit logs: Organization Settings > Security > Audit Log
Export audit logs for SIEM integration (Enterprise):
- Granola can export audit events to external systems
- Contact Granola support for Splunk/Datadog/SIEM integration
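Once audit events reach a SIEM, the "unusual access patterns" the quarterly checklist asks for can be expressed as rules. The detection pass below is an added example, not Granola's export format or any vendor tooling: it reads audit events as JSON lines using the fields the Step 6 table lists (actor, affected user, old and new role, sharing method, workspace) and raises alerts for role changes into Admin/Owner, link-based sharing out of a confidential workspace (which the Step 4 policy should have blocked, so its presence indicates a policy override), and a burst of note exports by one user. The field names, thresholds and every event are constructed.

```python
"""Detection rules over exported Granola audit events (Step 6).
Added example, not Granola's export format; field names and events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CONFIDENTIAL_WORKSPACES = {"HR", "Executive"}   # Step 4 confidential workspaces
ELEVATED_ROLES = {"Admin", "Owner"}
EXPORT_THRESHOLD = 3                  # this many exports by one actor...
EXPORT_WINDOW = timedelta(hours=1)    # ...inside this window is a bulk export

# Constructed audit log in JSON-lines form, modelled on the Step 6 event table.
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:00:00Z", "event": "user_login", "actor": "sarah.chen", "ip": "203.0.113.7"}
{"ts": "2025-03-03T09:05:00Z", "event": "role_changed", "actor": "sarah.chen", "user": "mike.johnson", "old_role": "Member", "new_role": "Admin", "workspace": "Sales"}
{"ts": "2025-03-03T09:10:00Z", "event": "note_shared", "actor": "priya.patel", "workspace": "HR", "recipient": "external@example.com", "method": "link"}
{"ts": "2025-03-03T09:11:00Z", "event": "note_shared", "actor": "priya.patel", "workspace": "Engineering", "recipient": "#eng-channel", "method": "Slack"}
{"ts": "2025-03-03T10:00:00Z", "event": "note_exported", "actor": "mike.johnson", "note": "n-101"}
{"ts": "2025-03-03T10:02:00Z", "event": "note_exported", "actor": "mike.johnson", "note": "n-102"}
{"ts": "2025-03-03T10:04:00Z", "event": "note_exported", "actor": "mike.johnson", "note": "n-103"}
{"ts": "2025-03-03T15:00:00Z", "event": "note_exported", "actor": "sarah.chen", "note": "n-200"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events):
    """Return (rule, actor, detail, workspace) alerts in time order."""
    alerts = []
    recent_exports = defaultdict(list)  # actor -> timestamps within EXPORT_WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["event"]
        if kind == "role_changed" and ev["new_role"] in ELEVATED_ROLES:
            # Privilege escalation: verify against the change ticket / SSO group change.
            alerts.append(("role_escalation", ev["actor"], ev["user"], ev["workspace"]))
        elif (kind == "note_shared" and ev["workspace"] in CONFIDENTIAL_WORKSPACES
              and ev["method"] == "link"):
            # Confidential workspaces disable external sharing; a link share means
            # the policy was overridden or misconfigured.
            alerts.append(("confidential_link_share", ev["actor"], ev["recipient"], ev["workspace"]))
        elif kind == "note_exported":
            window = recent_exports[ev["actor"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > EXPORT_WINDOW:
                window.pop(0)  # slide the window forward
            if len(window) == EXPORT_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append(("bulk_export", ev["actor"], len(window), ""))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(*alert)
```

The Slack share from Engineering and the single export by `sarah.chen` produce no alert, which is the point of encoding the Step 4 policies and a rate threshold rather than alerting on every share or export.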
Step 7 — Handle User Lifecycle
Onboarding:
- User added to SSO group → SCIM provisions account → JIT assigns workspace + role
- First login: SSO authenticates, Granola provisions based on group mapping
- User can immediately record meetings in assigned workspaces
Role change:
- Update SSO group membership in IdP
- SCIM sync updates Granola role (within sync interval, typically 1-15 min)
- Or manually: Workspace Settings > Members > change role
Offboarding:
- Disable user in IdP → SCIM deactivates Granola account
- User loses access immediately
- Their shared notes remain visible to workspace members
- Their private notes are inaccessible (retained per retention policy)
- Reassign ownership of shared folders if needed
Output
- Role hierarchy defined and documented
- SSO group mappings configured for automated provisioning
- Per-workspace sharing policies enforced
- Audit logging enabled with SIEM export (if applicable)
- User lifecycle procedures (onboard/offboard) established
- Quarterly access review cadence scheduled
Error Handling
| Error | Cause | Fix |
|---|---|---|
| User can't access workspace | Wrong SSO group | Verify IdP group membership |
| External sharing blocked unexpectedly | Workspace policy override | Review workspace sharing settings |
| Guest access expired | 30-day time limit | Re-invite the guest or extend expiration |
| SCIM sync delayed | IdP sync interval too long | Trigger manual sync in IdP, or adjust interval |
| Orphaned accounts after termination | SCIM deprovisioning not configured | Enable deprovisioning in SCIM settings |
Resources
Next Steps
Proceed to granola-migration-deep-dive for migrating from other meeting note tools.