Skill

posthog-enterprise-rbac

Configures PostHog enterprise RBAC: org/project hierarchy, member roles, scoped API keys, SSO/SAML setup, and audit logging using REST API calls.

Bash

REST API

security

authentication

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin posthog-pack

Tool Access

This skill is limited to using the following tools:

ReadWriteEdit

Preview

PostHog access control uses a three-level hierarchy: Organization > Project > Resource. Organizations contain multiple projects (e.g., production, staging), and each project has its own data, feature flags, and dashboards. Members are assigned roles at the organization level and can be restricted to specific projects.

SKILL.md

Similar Skills

posthog-security-basics

1.9k

Guides secure PostHog API key handling: project vs personal key separation, scoped keys, rotation via Vercel/GitHub Actions, and git leak prevention.

3 tools

posthog-pack

sentry-enterprise-rbac

1.9k

Configures Sentry enterprise RBAC, organization hierarchy, team permissions, SSO/SAML2, SCIM provisioning, API tokens, and audit logging for compliance.

5 files7 tools

sentry-pack

posthog-automation

2.7k

Automates PostHog analytics tasks: capture/list events, manage feature flags/projects/profiles/annotations via Rube MCP and Composio toolkit.

all-skills

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitMar 22, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

PostHog Enterprise RBAC

Overview

Prerequisites

PostHog Cloud or self-hosted with enterprise license
Organization admin role
Multiple projects configured (one per environment)

Access Control Model

Level	Scope	Controls
Organization	All projects	Member management, billing, SSO enforcement
Project	Single project	Feature flags, insights, dashboards, session recordings
API Key	Scoped operations	Personal API key with specific scopes

Member Roles:

Role	Level	Permissions
Owner	15	Full admin, billing, delete org
Admin	8	Manage members, all project settings
Member	1	View/create insights, flags, recordings

Instructions

Step 1: Set Up Project-Level Access

set -euo pipefail
# Create a production project with access control
curl -X POST "https://app.posthog.com/api/organizations/$ORG_ID/projects/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production", "access_control": true}'

# Add a member to a specific project (level 1 = Member, 8 = Admin)
curl -X POST "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "USER_UUID", "level": 1}'

# List current project members
curl "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '.results[] | {email: .user.email, level, joined_at}'

Step 2: Create Scoped API Keys

set -euo pipefail
# Read-only key for BI dashboard integration
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "bi-dashboard-readonly",
    "scopes": ["insight:read", "dashboard:read", "query:read"]
  }'

# Feature flag service key (read + write flags only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "flag-service",
    "scopes": ["feature_flag:read", "feature_flag:write"]
  }'

# Event export key (read events only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "data-export-readonly",
    "scopes": ["event:read", "query:read"]
  }'

# List all personal API keys
curl "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '.[] | {id, label, scopes, created_at}'

Step 3: Configure SSO (Enterprise)

PostHog enterprise supports SAML 2.0 SSO. Configuration is in Organization Settings > Authentication:

Enable SAML: Add your IdP metadata URL (e.g., Okta, Azure AD, Google Workspace)
Enforce SSO: Toggle "Enforce SSO" to require all members to authenticate via IdP
Auto-provisioning: New IdP users are automatically created in PostHog with Member role
Group mapping: Map IdP groups to PostHog organization roles

set -euo pipefail
# Check SSO configuration status
curl "https://app.posthog.com/api/organizations/$ORG_ID/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '{
    enforce_sso: .enforce_sso,
    saml_configured: (.saml_enforcement != null),
    member_count: .membership_count
  }'

Step 4: Audit Access and Changes

set -euo pipefail
# View recent activity log for permission changes
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=Organization" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '[.results[] | select(.activity | contains("member") or contains("role") or contains("api_key")) | {
    user: .user.email,
    activity,
    detail: .detail,
    created_at
  }] | .[:10]'

# View feature flag changes (who changed what)
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=FeatureFlag" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '[.results[:10][] | {
    user: .user.email,
    activity,
    item_id: .item_id,
    created_at
  }]'

Step 5: Access Matrix

# Recommended access matrix
access_matrix:
  engineering:
    staging_project:
      role: admin           # Full control in staging
      can_create_flags: true
      can_delete_flags: true
    production_project:
      role: member           # Read + create, no delete in prod
      can_create_flags: true
      can_delete_flags: false  # Require admin approval for flag deletion

  product:
    staging_project:
      role: member
      can_view_recordings: true
      can_create_insights: true
    production_project:
      role: member
      can_view_recordings: true
      can_create_insights: true

  bi_service_account:
    production_project:
      api_key_scopes: [insight:read, dashboard:read, query:read]
      # No write access

  flag_service_account:
    production_project:
      api_key_scopes: [feature_flag:read, feature_flag:write]
      # Only flag operations

Error Handling

Issue	Cause	Solution
403 on feature flag endpoint	Key missing required scope	Create key with `feature_flag:read` scope
Member sees prod data	Project access not restricted	Remove from prod project, add to staging only
SSO bypass possible	SSO not enforced	Enable "Enforce SSO" in org settings
Can't create scoped key	Not org admin	Only admins can create API keys
Activity log gaps	Self-hosted log rotation	Increase log retention in PostHog config

Output

Project-level member access configured
Scoped API keys for services (BI, flag service, export)
SSO/SAML enforcement enabled
Activity audit log queries
Access matrix documented

Resources

Next Steps

For migration strategies, see posthog-migration-deep-dive.