Configure PostHog enterprise SSO, role-based access control, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for PostHog. Trigger with phrases like "posthog SSO", "posthog RBAC", "posthog enterprise", "posthog roles", "posthog permissions", "posthog SAML".
From posthog-pack

```
npx claudepluginhub nickloveinvesting/nick-love-plugins --plugin posthog-pack
```

This skill is limited to using the following tools:
Control access to PostHog analytics data, feature flags, and experiments using its organization and project-level permission model. PostHog has three hierarchy levels: Organization > Project > Resource.

```bash
set -euo pipefail

# Create separate projects for prod and staging environments
curl -X POST https://app.posthog.com/api/organizations/ORG_ID/projects/ \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production", "access_control": true}'

# Restrict team members to specific projects
curl -X POST https://app.posthog.com/api/projects/PROJECT_ID/members/ \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "USER_ID", "level": 1}'
# Levels: 1=Member, 8=Admin
```

```yaml
# Feature flag access matrix
feature_flags:
  production_project:
    who_can_create: [admin, senior_engineer]
    who_can_edit: [admin, senior_engineer, engineer]
    who_can_delete: [admin]
    require_description: true
    require_rollout_review: true  # Two-person rule for >50% rollout
  staging_project:
    who_can_create: [admin, member]
    who_can_edit: [admin, member]
    who_can_delete: [admin, member]
```
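
An added example, not part of the original skill or PostHog's API: one way to evaluate a proposed flag change against the matrix above, for instance in a review gate. The change-request fields, the `check_flag_change` function and the off-by-default staging rules are assumptions.

```python
# Added example: evaluate a proposed flag change against the access matrix above.
# The change-request fields (project, action, role, author, reviewer, ...) are assumptions.
ACTIONS = ("create", "edit", "delete")
ROLLOUT_REVIEW_THRESHOLD = 50  # percent; the matrix requires review above this

MATRIX = {
    "production_project": {
        "create": {"admin", "senior_engineer"},
        "edit": {"admin", "senior_engineer", "engineer"},
        "delete": {"admin"},
        "require_description": True,
        "require_rollout_review": True,
    },
    # The matrix sets no description/review rule for staging; treated as off here.
    "staging_project": {
        "create": {"admin", "member"},
        "edit": {"admin", "member"},
        "delete": {"admin", "member"},
        "require_description": False,
        "require_rollout_review": False,
    },
}


def check_flag_change(change):
    """Return a list of policy violations; an empty list means the change is allowed."""
    policy = MATRIX.get(change["project"])
    if policy is None or change["action"] not in ACTIONS:
        return ["unknown project or action: denied by default"]
    violations = []
    if change["role"] not in policy[change["action"]]:
        violations.append(f"role {change['role']} may not {change['action']} flags")
    if change["action"] == "delete":
        return violations  # description and rollout rules apply to create/edit only
    if policy["require_description"] and not change.get("description", "").strip():
        violations.append("description is required")
    over_threshold = change.get("rollout_percentage", 0) > ROLLOUT_REVIEW_THRESHOLD
    reviewer = change.get("reviewer")
    # Two-person rule: the reviewer must exist and must not be the author.
    if policy["require_rollout_review"] and over_threshold:
        if not reviewer or reviewer == change.get("author"):
            violations.append("rollout above 50% needs a second reviewer")
    return violations


# Constructed sample: an engineer ramps a production flag to 75% and self-approves.
SELF_APPROVED = {"project": "production_project", "action": "edit", "role": "engineer",
                 "author": "dev1", "reviewer": "dev1", "rollout_percentage": 75,
                 "description": "Ramp new checkout"}
if __name__ == "__main__":
    print(check_flag_change(SELF_APPROVED))
```
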
In PostHog Organization Settings > Authentication:

```bash
set -euo pipefail

# Read-only key for the BI dashboard (no write access)
curl -X POST https://app.posthog.com/api/personal_api_keys/ \
  -H "Authorization: Bearer $POSTHOG_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label": "bi-dashboard-readonly", "scopes": ["event:read", "insight:read", "dashboard:read"]}'

# Key for the feature flag service (flags only)
curl -X POST https://app.posthog.com/api/personal_api_keys/ \
  -H "Authorization: Bearer $POSTHOG_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label": "feature-flag-service", "scopes": ["feature_flag:read", "feature_flag:write"]}'
```

```bash
set -euo pipefail

# Query the activity log for permission changes
curl "https://app.posthog.com/api/projects/PROJECT_ID/activity_log/?scope=Organization" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '.results[] | select(.activity | contains("member")) | {user: .user.email, activity, created_at}'
```

| Issue | Cause | Solution |
|---|---|---|
| 403 on feature flag endpoint | Key missing feature_flag scope | Create key with appropriate scopes |
| Member can see prod data | Project access not restricted | Remove from prod project, add to staging only |
| SSO bypass possible | SSO not enforced | Enable "Enforce SSO" in org settings |
| Activity log gaps | Self-hosted log rotation | Increase retention in posthog-config |

Basic usage: Apply PostHog enterprise RBAC to a standard project setup with default configuration options.

Advanced scenario: Customize PostHog enterprise RBAC for production environments with multiple constraints and team-specific requirements.