From simulator
Manages access-control rules for Simulator.Company objects — grant/revoke permissions, list access, bulk-share, and handle access-denied errors.
How this skill is triggered — by the user, by Claude, or both
Slash command
/simulator:simulator-accessThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Curated tool names (v2 server):** `getAccessRules`, `saveAccessRules`,
Curated tool names (v2 server):
getAccessRules,saveAccessRules,getTemplateActorsAccess,saveTemplateActorsAccess,getTreeLayerAccess,saveTreeLayerAccess,bulkSaveAccessRules,bulkSaveAccountPairsAccessRules,requestAccess. Call them by these exact names.
Access rules say who (a user, SA user, or group) can do what (view / modify / remove /
sign / ds / execute) to an object. Grants are applied asynchronously — save calls
return a taskId.
actor, form, account, formTemplate, templateActors, treeLayer.{action, data} where action ∈ create | update | delete.userId | saId | groupId, plus:
{view, modify, remove (required booleans), sign?, ds?, execute?}. view is
implied when any other privilege is set.{sign, ds, execute} positive integers ordering those reactions.
recursive/notifydefault to true; the tools send an explicitfalsewhen you set it, so an opt-out is honoured. "Grant but don't cascade to children" ⇒recursive=false.
Objects are addressed by their own id (objId), so most tools need no accId. Only
bulkSaveAccountPairsAccessRules takes an accId (defaults to the configured workspace).
userId / groupId)A rule's grantee is identified by a real userId (or saId / groupId) — resolve it first,
never guess:
searchUsers(accId, query) — find a workspace member by name/email (the quickest path).getUsers(accId) — list all members.getUser(accId, userId, type="group") — resolve a group id when sharing with a group.Share onto the
user, never their twin actor. Each user has a 1:1 digital-twin actor, but access is granted to theuserId— passuserIdin the rule'sdata, not the twin actor's id. The twin actor is for transactions / accounts / graph placement (getSystemActor), not for sharing. See$CLAUDE_PLUGIN_ROOT/docs/entities/users.md.
getAccessRules(objType="actor", objId="<actor UUID>") # actor | form | account | formTemplate | treeLayer
getTemplateActorsAccess(objId="<form-template id>") # the actors of a form template
getTreeLayerAccess(objId="<layer / root actor id>") # the actors on a tree layer
# Give user 4210 view + modify on an actor, but not delete:
saveAccessRules(objType="actor", objId="<actor UUID>", rules=[
{ "action": "create", "data": {
"userId": 4210,
"privs": { "view": true, "modify": true, "remove": false } } }
])
# Revoke a group's access to an account entirely:
saveAccessRules(objType="account", objId="<account id>", rules=[
{ "action": "delete", "data": { "groupId": 88 } }
])
# Apply to this object only (don't cascade) and stay quiet:
saveAccessRules(objType="actor", objId="<UUID>", recursive=false, notify=false, rules=[ … ])
saveTemplateActorsAccess(objId=<form-template id>, rules=[…]) and
saveTreeLayerAccess(objId=<layer id>, rules=[…]) take the same rules shape for the
template-actor and tree-layer scopes.
# Many objects at once (≤50), each with its own rules:
bulkSaveAccessRules(items=[
{ "objType": "form", "objId": "42", "rules": [ … ] },
{ "objType": "actor", "objId": "<UUID>", "rules": [ … ] }
])
# Share a whole account-name category across the workspace (every account named <prefix>_*):
bulkSaveAccountPairsAccessRules(accId="ws_xxx", items=[
{ "objId": "<account-name id prefix>", "rules": [ … ] }
])
Mid-task a tool may fail with 403 / Access Denied (or getActor etc. returns not-found)
because the current user has no view access to that object. Don't give up or guess —
ask the owner for access with requestAccess:
requestAccess(objType="actor", objId="<actor UUID>") # request view access
requestAccess(objType="actor", objId="<actor UUID>", modify=true) # request view + edit
requestAccess does not grant access — it raises a request to the object's owner(s)
(creates a REQUEST_ACCESS invite + a request-access event they can approve/decline). You then
have to wait for approval before the blocked operation will work.requestEventId.view). objType is usually actor; it also accepts form / account / template
/ treeLayer.saveAccessRules(... privs:{view:true}) on the object (or the owner acts on the
request-access event in the UI).When a read/write step is blocked by access, tell the user it's blocked, call
requestAccess, and report that approval is pending — rather than failing silently or inventing data.
taskId (applied async); the change may take a moment to fully propagate.userId / saId / groupId.privs.view/modify/remove are required; sign/ds/execute optional. Setting any privilege implies view.recursive=false ⇒ this object only; notify=false ⇒ no notifications (both honoured).requestAccess(objType, objId) — it asks the owner (doesn't grant); approval is needed before retrying. It's the one access tool callable without view.action:"delete" (grantee id only) to revoke; create/update to grant or change.npx claudepluginhub corezoid/simulator-ai-plugin --plugin simulatorManages actors (records) for Simulator.Company form templates: create, read, update, delete, search, filter, and query connected processes/API keys.
Manages access control for Corezoid objects: shares processes, folders, stages, projects; creates/deletes user groups and API keys; invites external users; audits access.
Configure enterprise role-based access control for Granola workspaces, including SSO group mapping, permission matrices, and sharing policies.