Claude-code-plugins-plus-skills lokalise-enterprise-rbac
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/lokalise-pack/skills/lokalise-enterprise-rbac" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-lokalise-enterprise-rbac && rm -rf "$T"
manifest:
plugins/saas-packs/lokalise-pack/skills/lokalise-enterprise-rbac/SKILL.mdsource content
Lokalise Enterprise RBAC
Overview
Manage fine-grained access to Lokalise translation projects using its built-in role hierarchy, language-level scoping, contributor groups, and organization-level SSO enforcement. Lokalise has four core roles — owner, admin, manager-level (via admin_rights), and contributor (translator/reviewer) — each configurable per project and per language.
Prerequisites
- Lokalise Team or Enterprise plan (contributor groups and SSO require Team+)
- Owner or Admin role in the Lokalise organization
environment variable set (admin-level token)LOKALISE_API_TOKEN
SDK or@lokalise/node-api
+curl
for REST API accessjq
Instructions
Step 1: Understand the Role Hierarchy
Lokalise uses a flat role model per project, controlled by three boolean flags on each contributor:
| Role | | | Can translate | Can review | Can manage keys | Can manage contributors |
|---|---|---|---|---|---|---|
| Admin | | | Yes | Yes | Yes | Yes |
| Manager | | | Yes | Yes | Limited (via | No |
| Reviewer | | | Yes | Yes | No | No |
| Translator | | | Yes | No | No | No |
At the team level, users are either
adminmemberStep 2: Add Contributors with Language Scoping
import { LokaliseApi } from '@lokalise/node-api'; const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! }); // Add a translator restricted to French and Spanish only await lok.contributors().create(PROJECT_ID, [{ email: 'translator@agency.com', fullname: 'Marie Dupont', is_admin: false, is_reviewer: false, languages: [ { lang_iso: 'fr', is_writable: true }, { lang_iso: 'es', is_writable: true }, ], }]); // Add a reviewer who can review all languages but only translate German await lok.contributors().create(PROJECT_ID, [{ email: 'reviewer@company.com', fullname: 'Hans Mueller', is_admin: false, is_reviewer: true, languages: [ { lang_iso: 'de', is_writable: true }, { lang_iso: 'fr', is_writable: false }, // Can review but not edit { lang_iso: 'es', is_writable: false }, ], }]);
Step 3: Manage Team-Level Users and Roles
set -euo pipefail TEAM_ID="YOUR_TEAM_ID" # List all team members with their roles curl -s -X GET "https://api.lokalise.com/api2/teams/${TEAM_ID}/users" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ | jq '.team_users[] | {user_id: .user_id, email: .email, role: .role}' # Demote a user from admin to member curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/users/USER_ID" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"role": "member"}'
Step 4: Create Contributor Groups for Bulk Management
Groups let you assign the same permissions to multiple people at once. When you add a user to a group, they inherit the group's language scope and role across all projects the group is assigned to.
set -euo pipefail TEAM_ID="YOUR_TEAM_ID" # Create a group for APAC translators curl -s -X POST "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ -H "Content-Type: application/json" \ -d '{ "name": "APAC Translators", "is_reviewer": false, "is_admin": false, "admin_rights": [], "languages": [ {"lang_iso": "ja", "is_writable": true}, {"lang_iso": "ko", "is_writable": true}, {"lang_iso": "zh_CN", "is_writable": true} ] }' # Add a member to the group GROUP_ID=$(curl -s "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ | jq -r '.groups[] | select(.name == "APAC Translators") | .group_id') curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/members/add" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"users": [12345, 67890]}' # Assign the group to specific projects curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/projects/add" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"projects": ["PROJECT_ID_1", "PROJECT_ID_2"]}'
Step 5: Configure SSO (Enterprise Plan Only)
SSO is configured in the Lokalise dashboard, not via API. Map your IdP groups to Lokalise roles:
- Navigate to Organization Settings > Single Sign-On
- Select SAML 2.0 and enter your IdP metadata URL
- Map IdP groups to Lokalise roles:
-> AdminEngineering-Localization
-> Contributor group "EMEA Translators"Translators-EMEA
-> ReviewerProduct-Managers
- Enable Enforce SSO to block password-based login for all org members
- Set Default Role for new SSO users (recommend: member with no project access)
ACS URL format:
https://app.lokalise.com/sso/saml/YOUR_TEAM_ID/callbackStep 6: Audit Permissions Regularly
import { LokaliseApi } from '@lokalise/node-api'; const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! }); async function auditPermissions() { const projects = await lok.projects().list({ limit: 100 }); const report: Array<{project: string; issue: string; detail: string}> = []; for (const proj of projects.items) { const contributors = await lok.contributors().list({ project_id: proj.project_id, limit: 500, }); // Flag: too many admins const admins = contributors.items.filter(c => c.is_admin); if (admins.length > 3) { report.push({ project: proj.name, issue: 'Excessive admins', detail: `${admins.length} admins: ${admins.map(a => a.email).join(', ')}`, }); } // Flag: contributors with no language scope (can see all languages) const unscopedTranslators = contributors.items.filter( c => !c.is_admin && (!c.languages || c.languages.length === 0) ); if (unscopedTranslators.length > 0) { report.push({ project: proj.name, issue: 'Unscoped contributors', detail: `${unscopedTranslators.length} users can access all languages`, }); } // Respect rate limit await new Promise(r => setTimeout(r, 200)); } console.table(report); return report; } await auditPermissions();
Step 7: Set Up Webhook for Access Change Notifications
set -euo pipefail # Get notified when contributors are added or removed curl -s -X POST "https://api.lokalise.com/api2/projects/${PROJECT_ID}/webhooks" \ -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ -H "Content-Type: application/json" \ -d '{ "url": "https://hooks.company.com/lokalise-audit", "events": [ "project.contributor_added", "project.contributor_deleted", "project.contributor_added_to_language", "project.contributor_deleted_from_language" ] }'
Output
- Contributors added with explicit language scoping (no unscoped access)
- Contributor groups created for bulk role management across projects
- Team-level roles configured (admin vs. member distinction)
- SSO configured with IdP group-to-role mapping (Enterprise)
- Audit script identifying over-privileged users and unscoped contributors
- Webhook configured for access change notifications
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| Caller lacks Admin role on the project | Use an admin-level token or get elevated by an Owner |
| Translator sees all languages | No | Update contributor with explicit language scope array |
| SSO login loop | Mismatched ACS URL | Verify ACS URL matches |
| Cannot remove Owner | Last owner protection | Transfer ownership to another admin first |
| | Valid values: |
| Group members don't see project | Group not assigned to the project | Use the groups/projects/add endpoint to link them |
Examples
List All Contributors Across All Projects
set -euo pipefail # Quick CSV export of all contributors and their roles curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ "https://api.lokalise.com/api2/projects?limit=100" \ | jq -r '.projects[].project_id' \ | while read -r pid; do curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \ "https://api.lokalise.com/api2/projects/${pid}/contributors?limit=500" \ | jq -r --arg pid "$pid" '.contributors[] | [$pid, .email, (.is_admin|tostring), (.is_reviewer|tostring), (.languages|length|tostring)] | @csv' sleep 0.2 done | sort -t, -k2
Principle of Least Privilege Setup
For a typical project with 3 languages (en, fr, de):
// Product team: admin access for key management await lok.contributors().create(PROJECT_ID, [{ email: 'pm@company.com', fullname: 'PM', is_admin: true, is_reviewer: true, languages: [], }]); // French translator: only French, translate only await lok.contributors().create(PROJECT_ID, [{ email: 'fr@agency.com', fullname: 'FR Translator', is_admin: false, is_reviewer: false, languages: [{ lang_iso: 'fr', is_writable: true }], }]); // German reviewer: German write + French read-only for reference await lok.contributors().create(PROJECT_ID, [{ email: 'de@agency.com', fullname: 'DE Reviewer', is_admin: false, is_reviewer: true, languages: [ { lang_iso: 'de', is_writable: true }, { lang_iso: 'fr', is_writable: false }, ], }]);
Resources
- Lokalise Contributors API
- Team Users API
- Contributor Groups API
- SSO Configuration Guide
- Webhook Events Reference
Next Steps
- After setting up permissions, run
to verify access scoping works as expected.lokalise-debug-bundle - For migration scenarios requiring bulk contributor setup, see
.lokalise-migration-deep-dive - Monitor access patterns over time with the audit script from Step 6.