From granola-pack
Configures enterprise RBAC for Granola workspaces: role hierarchies, permission matrices, SSO group mappings, sharing policies, and least-privilege access for meeting data.
How this skill is triggered — by the user, by Claude, or both
Slash command
/granola-pack:granola-enterprise-rbacThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.
Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.
Organization Owner (1-2 people)
│ Full control: billing, SSO, org settings, all workspaces
│
├── Workspace Admin (per department)
│ Manage workspace: members, integrations, settings
│ All member capabilities
│
├── Team Lead
│ View team analytics, manage folder structure
│ All member capabilities
│
├── Member (default role)
│ Create notes, share internally, use integrations
│
├── Viewer
│ Read-only access to shared notes
│ Cannot create or record meetings
│
└── Guest (external)
Single workspace access, read-only
Time-limited (30-day default expiration)
| Permission | Owner | WS Admin | Lead | Member | Viewer | Guest |
|---|---|---|---|---|---|---|
| Record meetings | Yes | Yes | Yes | Yes | No | No |
| Create notes | Yes | Yes | Yes | Yes | No | No |
| Share internally | Yes | Yes | Yes | Yes | No | No |
| Share externally | Yes | Yes | Policy | Policy | No | No |
| View shared notes | Yes | Yes | Yes | Yes | Yes | Yes |
| Manage integrations | Yes | Yes | No | No | No | No |
| Manage members | Yes | Yes | No | No | No | No |
| View analytics | Yes | Yes | Yes | No | No | No |
| Configure retention | Yes | Yes | No | No | No | No |
| Manage billing | Yes | No | No | No | No | No |
| Configure SSO/SCIM | Yes | No | No | No | No | No |
Configure in Organization Settings > Security > SSO > Group Mapping:
| SSO Group (IdP) | Granola Workspace | Granola Role |
|---|---|---|
engineering-all | Engineering | Member |
engineering-leads | Engineering | Admin |
sales-team | Sales | Member |
sales-managers | Sales | Admin |
product-team | Product | Member |
hr-team | HR | Member |
hr-directors | HR | Admin |
executives | Executive | Admin |
contractors-eng | Engineering | Guest |
Multi-workspace membership: A user can belong to multiple workspaces with different roles:
Set per-workspace sharing rules to control data flow:
Standard workspaces (Engineering, Product, Sales):
Workspace Settings > Sharing:
Internal sharing: Automatic within workspace members
Cross-workspace: Allowed with admin approval
External sharing: Allowed with link expiration (30 days)
Public links: Disabled
Confidential workspaces (HR, Executive):
Workspace Settings > Sharing:
Internal sharing: Manual only (no auto-share)
Cross-workspace: Disabled
External sharing: Disabled
Public links: Disabled
Note visibility: Creator + explicitly added viewers only
Follow the principle of least privilege for role assignments:
## Quarterly Access Review Checklist
- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns
Enterprise audit logging captures:
| Event | What's Logged |
|---|---|
| User login | Who, when, from where (IP) |
| Note created | Creator, meeting, workspace |
| Note shared | Sharer, recipient, method (Slack/Notion/link) |
| Note exported | Who exported, which note |
| Role changed | Admin, user affected, old role → new role |
| Integration connected/disconnected | Who, which integration |
| Workspace settings changed | Admin, what changed |
Access audit logs: Organization Settings > Security > Audit Log
Export audit logs for SIEM integration (Enterprise):
Onboarding:
Role change:
Offboarding:
| Error | Cause | Fix |
|---|---|---|
| User can't access workspace | Wrong SSO group | Verify IdP group membership |
| External sharing blocked unexpectedly | Workspace policy override | Review workspace sharing settings |
| Guest access expired | 30-day time limit | Re-invite the guest or extend expiration |
| SCIM sync delayed | IdP sync interval too long | Trigger manual sync in IdP, or adjust interval |
| Orphaned accounts after termination | SCIM deprovisioning not configured | Enable deprovisioning in SCIM settings |
Proceed to granola-migration-deep-dive for migrating from other meeting note tools.
npx claudepluginhub luxdevnet/claude-plus-lux --plugin granola-pack5plugins reuse this skill
First indexed Jul 10, 2026
Configure enterprise role-based access control for Granola workspaces, including SSO group mapping, permission matrices, and sharing policies.
Configure Fireflies.ai workspace roles, channels, privacy controls, and meeting sharing. Use when managing team access, setting up channels, or configuring transcript visibility and sharing rules. Trigger with phrases like "fireflies roles", "fireflies permissions", "fireflies channels", "fireflies privacy", "fireflies sharing", "fireflies RBAC".
Configures enterprise SSO, role-based access control, and organization management using Clerk. Useful for implementing custom roles, permissions, and multi-tenant access patterns.