From posthog-pack
Configures PostHog enterprise RBAC: org/project hierarchy, member roles, scoped API keys, SSO/SAML setup, and audit logging using REST API calls.
How this skill is triggered — by the user, by Claude, or both
Slash command
/posthog-pack:posthog-enterprise-rbacThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
PostHog access control uses a three-level hierarchy: Organization > Project > Resource. Organizations contain multiple projects (e.g., production, staging), and each project has its own data, feature flags, and dashboards. Members are assigned roles at the organization level and can be restricted to specific projects.
PostHog access control uses a three-level hierarchy: Organization > Project > Resource. Organizations contain multiple projects (e.g., production, staging), and each project has its own data, feature flags, and dashboards. Members are assigned roles at the organization level and can be restricted to specific projects.
| Level | Scope | Controls |
|---|---|---|
| Organization | All projects | Member management, billing, SSO enforcement |
| Project | Single project | Feature flags, insights, dashboards, session recordings |
| API Key | Scoped operations | Personal API key with specific scopes |
Member Roles:
| Role | Level | Permissions |
|---|---|---|
| Owner | 15 | Full admin, billing, delete org |
| Admin | 8 | Manage members, all project settings |
| Member | 1 | View/create insights, flags, recordings |
set -euo pipefail
# Create a production project with access control
curl -X POST "https://app.posthog.com/api/organizations/$ORG_ID/projects/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "Production", "access_control": true}'
# Add a member to a specific project (level 1 = Member, 8 = Admin)
curl -X POST "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"user_id": "USER_UUID", "level": 1}'
# List current project members
curl "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '.results[] | {email: .user.email, level, joined_at}'
set -euo pipefail
# Read-only key for BI dashboard integration
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "bi-dashboard-readonly",
"scopes": ["insight:read", "dashboard:read", "query:read"]
}'
# Feature flag service key (read + write flags only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "flag-service",
"scopes": ["feature_flag:read", "feature_flag:write"]
}'
# Event export key (read events only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "data-export-readonly",
"scopes": ["event:read", "query:read"]
}'
# List all personal API keys
curl "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '.[] | {id, label, scopes, created_at}'
PostHog enterprise supports SAML 2.0 SSO. Configuration is in Organization Settings > Authentication:
set -euo pipefail
# Check SSO configuration status
curl "https://app.posthog.com/api/organizations/$ORG_ID/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '{
enforce_sso: .enforce_sso,
saml_configured: (.saml_enforcement != null),
member_count: .membership_count
}'
set -euo pipefail
# View recent activity log for permission changes
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=Organization" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '[.results[] | select(.activity | contains("member") or contains("role") or contains("api_key")) | {
user: .user.email,
activity,
detail: .detail,
created_at
}] | .[:10]'
# View feature flag changes (who changed what)
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=FeatureFlag" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '[.results[:10][] | {
user: .user.email,
activity,
item_id: .item_id,
created_at
}]'
# Recommended access matrix
access_matrix:
engineering:
staging_project:
role: admin # Full control in staging
can_create_flags: true
can_delete_flags: true
production_project:
role: member # Read + create, no delete in prod
can_create_flags: true
can_delete_flags: false # Require admin approval for flag deletion
product:
staging_project:
role: member
can_view_recordings: true
can_create_insights: true
production_project:
role: member
can_view_recordings: true
can_create_insights: true
bi_service_account:
production_project:
api_key_scopes: [insight:read, dashboard:read, query:read]
# No write access
flag_service_account:
production_project:
api_key_scopes: [feature_flag:read, feature_flag:write]
# Only flag operations
| Issue | Cause | Solution |
|---|---|---|
| 403 on feature flag endpoint | Key missing required scope | Create key with feature_flag:read scope |
| Member sees prod data | Project access not restricted | Remove from prod project, add to staging only |
| SSO bypass possible | SSO not enforced | Enable "Enforce SSO" in org settings |
| Can't create scoped key | Not org admin | Only admins can create API keys |
| Activity log gaps | Self-hosted log rotation | Increase log retention in PostHog config |
For migration strategies, see posthog-migration-deep-dive.
npx claudepluginhub luxdevnet/claude-plus-lux --plugin posthog-pack7plugins reuse this skill
First indexed Jul 10, 2026
Showing the 6 earliest of 7 plugins
Configures PostHog enterprise RBAC: org/project hierarchy, member roles, scoped API keys, SSO/SAML setup, and audit logging using REST API calls.
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".
Automates PostHog product analytics tasks including event capture, feature flag management, project queries, user profiles, and annotations via the Rube MCP interface.