Skill

granola-enterprise-rbac

Configures enterprise RBAC for Granola workspaces: role hierarchies, permission matrices, SSO group mappings, sharing policies, and least-privilege access for meeting data.

security

authentication

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin granola-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteEdit

Preview

Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.

Supporting Assets

references/implementation.md

SKILL.md

Similar Skills

granola-multi-env-setup

1.9k

Sets up Granola for multi-workspace enterprise deployments with SSO/SCIM provisioning. Guides planning department workspaces, creation, IdP config, and group-to-role mapping.

1 file3 tools

granola-pack

fireflies-enterprise-rbac

1.9k

Manages Fireflies.ai workspace roles, channels, privacy controls, and transcript sharing via GraphQL API for team access and visibility.

4 tools

fireflies-pack

lindy-enterprise-rbac

1.9k

Configures enterprise RBAC for Lindy AI workspaces: maps org roles to Owner/Editor/Viewer, invites teams, organizes agents in folders, sets sharing, enables SSO/SCIM.

2 files3 tools

lindy-pack

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Granola Enterprise RBAC

Overview

Prerequisites

Granola Enterprise plan ($35+/user/month)
Organization admin access
SSO configured (Okta, Azure AD, or Google Workspace)
SCIM provisioning enabled (recommended for automated role assignment)

Instructions

Step 1 — Understand the Role Hierarchy

Organization Owner (1-2 people)
  │   Full control: billing, SSO, org settings, all workspaces
  │
  ├── Workspace Admin (per department)
  │     Manage workspace: members, integrations, settings
  │     All member capabilities
  │
  ├── Team Lead
  │     View team analytics, manage folder structure
  │     All member capabilities
  │
  ├── Member (default role)
  │     Create notes, share internally, use integrations
  │
  ├── Viewer
  │     Read-only access to shared notes
  │     Cannot create or record meetings
  │
  └── Guest (external)
      Single workspace access, read-only
      Time-limited (30-day default expiration)

Step 2 — Permission Matrix

Permission	Owner	WS Admin	Lead	Member	Viewer	Guest
Record meetings	Yes	Yes	Yes	Yes	No	No
Create notes	Yes	Yes	Yes	Yes	No	No
Share internally	Yes	Yes	Yes	Yes	No	No
Share externally	Yes	Yes	Policy	Policy	No	No
View shared notes	Yes	Yes	Yes	Yes	Yes	Yes
Manage integrations	Yes	Yes	No	No	No	No
Manage members	Yes	Yes	No	No	No	No
View analytics	Yes	Yes	Yes	No	No	No
Configure retention	Yes	Yes	No	No	No	No
Manage billing	Yes	No	No	No	No	No
Configure SSO/SCIM	Yes	No	No	No	No	No

Step 3 — Map SSO Groups to Roles

Configure in Organization Settings > Security > SSO > Group Mapping:

SSO Group (IdP)	Granola Workspace	Granola Role
`engineering-all`	Engineering	Member
`engineering-leads`	Engineering	Admin
`sales-team`	Sales	Member
`sales-managers`	Sales	Admin
`product-team`	Product	Member
`hr-team`	HR	Member
`hr-directors`	HR	Admin
`executives`	Executive	Admin
`contractors-eng`	Engineering	Guest

Multi-workspace membership: A user can belong to multiple workspaces with different roles:

Sarah Chen: Engineering (Member) + Product (Admin) + Executive (Viewer)
Mike Johnson: Sales (Admin) + Engineering (Guest for cross-team visibility)

Step 4 — Configure Sharing Policies

Set per-workspace sharing rules to control data flow:

Standard workspaces (Engineering, Product, Sales):

Workspace Settings > Sharing:
  Internal sharing: Automatic within workspace members
  Cross-workspace: Allowed with admin approval
  External sharing: Allowed with link expiration (30 days)
  Public links: Disabled

Confidential workspaces (HR, Executive):

Workspace Settings > Sharing:
  Internal sharing: Manual only (no auto-share)
  Cross-workspace: Disabled
  External sharing: Disabled
  Public links: Disabled
  Note visibility: Creator + explicitly added viewers only

Step 5 — Implement Least Privilege

Follow the principle of least privilege for role assignments:

Default new users to Member — sufficient for 90% of use cases
Promote to Admin only for workspace managers — IT leads, department heads
Use Viewer for stakeholders who need to read notes but not create them
Time-limit Guest access — 30-day default, renew explicitly
Review access quarterly:

## Quarterly Access Review Checklist

- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns

Step 6 — Enable Audit Logging

Enterprise audit logging captures:

Event	What's Logged
User login	Who, when, from where (IP)
Note created	Creator, meeting, workspace
Note shared	Sharer, recipient, method (Slack/Notion/link)
Note exported	Who exported, which note
Role changed	Admin, user affected, old role → new role
Integration connected/disconnected	Who, which integration
Workspace settings changed	Admin, what changed

Access audit logs: Organization Settings > Security > Audit Log

Export audit logs for SIEM integration (Enterprise):

Granola can export audit events to external systems
Contact Granola support for Splunk/Datadog/SIEM integration

Step 7 — Handle User Lifecycle

Onboarding:

User added to SSO group → SCIM provisions account → JIT assigns workspace + role
First login: SSO authenticates, Granola provisions based on group mapping
User can immediately record meetings in assigned workspaces

Role change:

Update SSO group membership in IdP
SCIM sync updates Granola role (within sync interval, typically 1-15 min)
Or manually: Workspace Settings > Members > change role

Offboarding:

Disable user in IdP → SCIM deactivates Granola account
User loses access immediately
Their shared notes remain visible to workspace members
Their private notes are inaccessible (retained per retention policy)
Reassign ownership of shared folders if needed

Output

Role hierarchy defined and documented
SSO group mappings configured for automated provisioning
Per-workspace sharing policies enforced
Audit logging enabled with SIEM export (if applicable)
User lifecycle procedures (onboard/offboard) established
Quarterly access review cadence scheduled

Error Handling

Error	Cause	Fix
User can't access workspace	Wrong SSO group	Verify IdP group membership
External sharing blocked unexpectedly	Workspace policy override	Review workspace sharing settings
Guest access expired	30-day time limit	Re-invite the guest or extend expiration
SCIM sync delayed	IdP sync interval too long	Trigger manual sync in IdP, or adjust interval
Orphaned accounts after termination	SCIM deprovisioning not configured	Enable deprovisioning in SCIM settings

Resources

Next Steps

Proceed to granola-migration-deep-dive for migrating from other meeting note tools.