From vercel-pack
Configures Vercel Enterprise RBAC with team roles, project access groups, SAML SSO, and audit logging for managing permissions.
`npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin vercel-pack`
Configure Vercel's role-based access control (RBAC) with team roles, project-level access groups, SSO/SAML integration, and audit logging. Covers the two access control planes: team-level (who can deploy) and application-level (who can access deployed content).
Team-Level Roles:
| Role | Deploy Prod | Manage Projects | Manage Billing | Manage Members |
|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes |
| Member | Yes | Yes | No | No |
| Developer | Preview only | Limited | No | No |
| Viewer | No | Read-only | No | No |
| Security (Enterprise) | No | Security settings | No | No |
Extended Permissions (Enterprise) layer on top of these base roles for more granular control.
```bash
# Invite a team member
curl -X POST "https://api.vercel.com/v1/teams/team_xxx/members" \
  -H "Authorization: Bearer $VERCEL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "developer@company.com",
    "role": "DEVELOPER"
  }'

# List team members
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
  "https://api.vercel.com/v2/teams/team_xxx/members" \
  | jq '.members[] | {name: .name, email: .email, role: .role}'

# Update a member's role
curl -X PATCH "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
  -H "Authorization: Bearer $VERCEL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role": "MEMBER"}'

# Remove a team member
curl -X DELETE "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
  -H "Authorization: Bearer $VERCEL_TOKEN"
```
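As an added example (not code from the vercel-pack skill), a read-only least-privilege check over the roster that the `GET /v2/teams/{teamId}/members` call above returns: it caps the Owner count, flags identities outside the corporate domain, and flags members missing from an IdP directory export, which is the condition behind the "off-boarded user still has access" case. The `maxOwners` cap, domain list, IdP export set and sample roster are all constructed assumptions.

```typescript
// Shape of one entry in the response to GET /v2/teams/{teamId}/members
// (the three fields the jq filter above selects)
interface TeamMember { name: string; email: string; role: string; }

interface MemberPolicy {
  maxOwners: number;           // Owners can change billing and membership: keep the count small
  allowedDomains: string[];    // identity domains the corporate IdP manages
  idpDirectory: Set<string>;   // emails currently active in the IdP (assumed directory export)
}

interface Finding { email: string; issue: string; }

// Compare the live roster against policy. Read-only: it reports, it does not change roles
function auditTeamMembers(members: TeamMember[], policy: MemberPolicy): Finding[] {
  const findings: Finding[] = [];
  const owners = members.filter(m => m.role === 'OWNER');
  if (owners.length > policy.maxOwners) {
    for (const owner of owners) {
      findings.push({ email: owner.email, issue: `owner count ${owners.length} exceeds cap ${policy.maxOwners}` });
    }
  }
  for (const member of members) {
    const email = member.email.toLowerCase();
    const domain = email.split('@')[1] ?? '';
    if (!policy.allowedDomains.includes(domain)) {
      findings.push({ email, issue: `identity domain ${domain} is not managed by the IdP` });
    }
    if (!policy.idpDirectory.has(email)) {
      // Still on the team after deprovisioning in the IdP: enforcing SAML login closes this gap
      findings.push({ email, issue: 'not present in IdP directory (stale access after off-boarding?)' });
    }
  }
  return findings;
}

// Constructed sample roster and policy, not real Vercel data
const SAMPLE_MEMBERS: TeamMember[] = [
  { name: 'Ada', email: 'ada@company.com', role: 'OWNER' },
  { name: 'Bob', email: 'bob@company.com', role: 'OWNER' },
  { name: 'Cy', email: 'cy@company.com', role: 'OWNER' },
  { name: 'Dee', email: 'dee@company.com', role: 'DEVELOPER' },
  { name: 'Ext', email: 'ext@contractor.example', role: 'MEMBER' },
  { name: 'Gone', email: 'gone@company.com', role: 'MEMBER' },
];
const SAMPLE_POLICY: MemberPolicy = {
  maxOwners: 2,
  allowedDomains: ['company.com'],
  idpDirectory: new Set(['ada@company.com', 'bob@company.com', 'cy@company.com', 'dee@company.com', 'ext@contractor.example']),
};
```

Feed it the output of the members call (piped through `jq '.members'`) and treat every finding as a ticket, not an automatic removal.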
Access Groups assign teams of people to specific projects with specific roles:
Example Access Group Setup:

```text
├── Frontend Team → [project-web, project-docs] → Member role
├── Backend Team → [project-api, project-worker] → Member role
├── DevOps Team → [all projects] → Member role
└── QA Team → [all projects] → Viewer role
```
In the Vercel dashboard: Team Settings > Authentication > SAML Single Sign-On
Service provider values to enter in the IdP:

| Setting | Value |
|---|---|
| ACS URL | https://vercel.com/api/auth/saml/acs |
| SP Entity ID / Audience | https://vercel.com |
| NameID format | emailAddress |

SAML Attribute Mapping:

```text
├── email → user email (required)
├── firstName → display name
├── lastName → display name
└── groups → Vercel team roles (optional)
```
Enforce SSO for all team members: Once enabled, toggle "Require SAML for login" — all members must authenticate through SSO.
```typescript
// middleware.ts — enforce auth on deployed application routes
import { NextRequest, NextResponse } from 'next/server';
import { verifyJWT } from '@/lib/auth';

// Route prefix → roles allowed to reach it
const ROLE_ROUTES: Record<string, string[]> = {
  '/admin': ['admin'],
  '/dashboard': ['admin', 'member'],
  '/api/admin': ['admin'],
};

// Match on a path-segment boundary so '/admin' does not also cover '/administrator'
function matchesPrefix(pathname: string, prefix: string): boolean {
  return pathname === prefix || pathname.startsWith(prefix + '/');
}

export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  // Find the protected prefix (if any) and the roles it allows
  const match = Object.entries(ROLE_ROUTES).find(([prefix]) => matchesPrefix(pathname, prefix));
  if (!match) return NextResponse.next();
  const [, allowedRoles] = match;

  const token = request.cookies.get('session')?.value;
  if (!token) {
    // API callers get a 401 body; browser navigations are sent to the login page
    return pathname.startsWith('/api')
      ? NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
      : NextResponse.redirect(new URL('/login', request.url));
  }
  const payload = await verifyJWT(token);
  if (!payload || !allowedRoles.includes(payload.role)) {
    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
  }
  // Pass user info to route handlers via *request* headers. Setting them here also
  // overwrites any x-user-* header a client sent, so handlers can trust these values.
  // (Setting them on the response would expose them to the client instead.)
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-user-id', payload.sub);
  requestHeaders.set('x-user-role', payload.role);
  return NextResponse.next({ request: { headers: requestHeaders } });
}

export const config = {
  matcher: ['/admin/:path*', '/dashboard/:path*', '/api/admin/:path*'],
};
```
Vercel Enterprise includes audit logs in Team Settings > Audit Log.
Events tracked:
```bash
# Export audit logs via API (Enterprise)
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
  "https://api.vercel.com/v1/teams/team_xxx/audit-log?limit=100" \
  | jq '.events[] | {action: .action, user: .user.email, createdAt: .createdAt, resource: .resource}'
```
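Added example, not part of the original skill: a triage pass over events of the shape the jq filter above produces, the kind of rule set a SIEM would run on the exported log before it lands in a dashboard. The action strings, the business-hours window and the sample events are constructed placeholders; map them to the action names that appear in a real export.

```typescript
// One event as selected by the jq filter over the audit-log export
interface AuditEvent { action: string; user: string; createdAt: number; resource: string; }
interface Alert { severity: 'high' | 'medium'; reason: string; event: AuditEvent; }

// Constructed action names for illustration only; substitute the action strings
// seen in your own audit-log export
const HIGH_RISK_ACTIONS = new Set([
  'team.member.role.updated',          // privilege change
  'team.member.removed',               // access change
  'team.saml.enforcement.disabled',    // weakens the SSO control
  'project.env.deleted',               // production configuration change
]);

// Constructed maintenance window, in UTC hours: changes outside it get a medium alert
const BUSINESS_HOURS = { start: 7, end: 19 };

function isAfterHours(createdAtMs: number): boolean {
  const hour = new Date(createdAtMs).getUTCHours();
  return hour < BUSINESS_HOURS.start || hour >= BUSINESS_HOURS.end;
}

// Emit one alert per rule that fires; a single event can raise more than one
function triageAuditEvents(events: AuditEvent[], corpDomain: string): Alert[] {
  const alerts: Alert[] = [];
  for (const event of events) {
    if (HIGH_RISK_ACTIONS.has(event.action)) {
      alerts.push({ severity: 'high', reason: `sensitive action ${event.action}`, event });
    } else if (isAfterHours(event.createdAt)) {
      alerts.push({ severity: 'medium', reason: 'change outside business hours', event });
    }
    if (!event.user.toLowerCase().endsWith('@' + corpDomain)) {
      alerts.push({ severity: 'high', reason: 'actor is not a corporate IdP identity', event });
    }
  }
  return alerts;
}

// Constructed sample export (not real Vercel data)
const SAMPLE_EVENTS: AuditEvent[] = [
  { action: 'team.member.role.updated', user: 'alice@company.com', createdAt: Date.UTC(2024, 0, 15, 10, 0), resource: 'user_bob' },
  { action: 'deployment.created', user: 'bob@company.com', createdAt: Date.UTC(2024, 0, 15, 22, 30), resource: 'project-web' },
  { action: 'project.created', user: 'alice@company.com', createdAt: Date.UTC(2024, 0, 16, 11, 0), resource: 'project-docs' },
  { action: 'team.member.removed', user: 'ops@vendor.example', createdAt: Date.UTC(2024, 0, 16, 12, 0), resource: 'user_carol' },
];
```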
| Check | Status |
|---|---|
| Team roles assigned per least privilege | Required |
| Production deploy restricted to Member+ | Required |
| Access Groups configured per project | Recommended |
| SSO/SAML enforced for all members | Enterprise |
| Audit logging exported to SIEM | Enterprise |
| Application-level auth in middleware | Required |
| Off-boarding removes Vercel access via IdP | Required |
| Error | Cause | Solution |
|---|---|---|
| Member can't deploy to prod | Developer role (preview only) | Change to Member or Owner role |
| SSO login fails | IdP metadata URL expired | Update SAML configuration |
| Access Group not applied | Member not in group | Add member to the Access Group |
| Audit log missing events | Free/Pro plan limitation | Upgrade to Enterprise for audit logs |
| Off-boarded user still has access | SSO not enforced | Enable "Require SAML for login" |
For migration strategies, see vercel-migration-deep-dive.