Manages TrueFoundry roles, teams, and collaborators via Bash API scripts. Lists, creates, deletes custom roles and teams; grants/revokes access to workspaces, apps, and resources. Use for permission and team management.
```
npx claudepluginhub truefoundry/tfy-gateway-skills --plugin truefoundry-gateway
```
> Routing note: For ambiguous user intents, use the shared clarification templates in [references/intent-clarification.md](references/intent-clarification.md).
Manage TrueFoundry roles, teams, and collaborators. Roles define permission sets, teams group users, and collaborators grant access to specific resources.
List, create, or delete roles, teams, and collaborators on TrueFoundry. Use when managing permissions, organizing users into teams, or granting/revoking access to workspaces, applications, MCP servers, or other resources.
Roles are named permission sets scoped to a resource type. Built-in roles vary by resource type (for example, workspace-admin, workspace-member).
When using direct API, set TFY_API_SH to the full path of this skill's scripts/tfy-api.sh. See references/tfy-api-setup.md for paths per agent.
```
tfy_roles_list()
```

```bash
# Set the path to tfy-api.sh for your agent (example for Claude Code):
TFY_API_SH=~/.claude/skills/truefoundry-access-control/scripts/tfy-api.sh
# List all roles
$TFY_API_SH GET /api/svc/v1/roles
```
Roles:
| Name | ID | Resource Type | Permissions |
|-------------------|----------|---------------|-------------|
| workspace-admin | role-abc | workspace | 12 |
| workspace-member | role-def | workspace | 5 |
| custom-deployer | role-ghi | workspace | 3 |
```
tfy_roles_create(payload={"name": "custom-deployer", "displayName": "Custom Deployer", "description": "Can deploy apps", "resourceType": "workspace", "permissions": ["deploy:create", "deploy:read"]})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH POST /api/svc/v1/roles '{"name":"custom-deployer","displayName":"Custom Deployer","description":"Can deploy apps","resourceType":"workspace","permissions":["deploy:create","deploy:read"]}'
```
```
tfy_roles_delete(id="ROLE_ID")
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/roles/ROLE_ID
```
Teams group users for collective access management. Each team has a name, description, and members list.
```
tfy_teams_list()
tfy_teams_list(team_id="TEAM_ID") # get specific team
```

```bash
# List all teams
$TFY_API_SH GET /api/svc/v1/teams
# Get a specific team
$TFY_API_SH GET /api/svc/v1/teams/TEAM_ID
```
Teams:
| Name | ID | Members |
|---------------|----------|---------|
| platform-team | team-abc | 5 |
| ml-engineers | team-def | 8 |
```
tfy_teams_create(payload={"name": "platform-team", "description": "Platform engineering team"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH POST /api/svc/v1/teams '{"name":"platform-team","description":"Platform engineering team"}'
```
```
tfy_teams_delete(id="TEAM_ID")
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/teams/TEAM_ID
```
```
tfy_teams_add_member(team_id="TEAM_ID", payload={"subject": "user:alice@company.com", "role": "member"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH POST /api/svc/v1/teams/TEAM_ID/members '{"subject":"user:alice@company.com","role":"member"}'
```
```
tfy_teams_remove_member(team_id="TEAM_ID", subject="user:alice@company.com")
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/teams/TEAM_ID/members/SUBJECT
# Example SUBJECT: user:alice@company.com
```
Security: Granting collaborator access is a privileged operation. Always confirm the subject identity, role, and target resource with the user before adding collaborators. Do not grant access based on unverified external identity references.
Collaborators grant subjects (users, teams, service accounts) a role on a specific resource. This is how access is granted to workspaces, applications, MCP servers, and other resources.
Subjects follow the pattern `type:identifier`:
| Subject Type | Format | Example |
|---|---|---|
| User | user:email | user:alice@company.com |
| Team | team:slug | team:platform-team |
| Service Account | serviceaccount:name | serviceaccount:ci-bot |
| Virtual Account | virtualaccount:name | virtualaccount:shared-admin |
| External Identity | external-identity:name | external-identity:github-bot |
```
tfy_collaborators_list(resource_type="workspace", resource_id="RESOURCE_ID")
```

```bash
# List collaborators on a workspace
$TFY_API_SH GET '/api/svc/v1/collaborators?resourceType=workspace&resourceId=RESOURCE_ID'
# List collaborators on an MCP server
$TFY_API_SH GET '/api/svc/v1/collaborators?resourceType=mcp-server&resourceId=RESOURCE_ID'
```
Collaborators on workspace "prod-workspace":
| Subject | Role | ID |
|---------------------------|------------------|----------|
| user:alice@company.com | workspace-admin | collab-1 |
| team:platform-team | workspace-member | collab-2 |
| serviceaccount:ci-bot | workspace-member | collab-3 |
```
tfy_collaborators_create(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:alice@company.com", "roleId": "ROLE_ID"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH POST /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"RESOURCE_ID","subject":"user:alice@company.com","roleId":"ROLE_ID"}'
```

```
tfy_collaborators_delete(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:alice@company.com"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"RESOURCE_ID","subject":"user:alice@company.com"}'
```
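The security note above asks that the subject, role and target resource be confirmed before a collaborator is added. The following is an added example, not part of the skill's own scripts: a POSIX shell pre-flight that checks a subject against the five subject types in the table above, refuses values that would break the JSON payload, and, with the hypothetical `TFY_DRY_RUN=1` variable set, prints the exact call for a human to approve instead of executing it. It assumes `TFY_API_SH` points at the skill's `scripts/tfy-api.sh` as described earlier; the function names `validate_subject` and `grant_collaborator` are ours.

```shell
#!/bin/sh
# Added example (not part of the TrueFoundry skill). Assumes TFY_API_SH is the
# path to the skill's scripts/tfy-api.sh; TFY_DRY_RUN is a hypothetical switch
# used here so the call can be reviewed before it is made.

# Accept only the subject types listed in the collaborators reference:
# user:email, team:slug, serviceaccount:name, virtualaccount:name,
# external-identity:name. The identifier part must be non-empty, and a user
# subject must at least look like an e-mail address.
validate_subject() {
  case "$1" in
    user:?*@?*.?*) return 0 ;;
    team:?*|serviceaccount:?*|virtualaccount:?*|external-identity:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the POST /api/svc/v1/collaborators payload after checking every field.
# Usage: grant_collaborator RESOURCE_TYPE RESOURCE_ID SUBJECT ROLE_ID
# Returns 2 on a rejected input, otherwise the exit status of tfy-api.sh.
grant_collaborator() {
  rtype=$1; rid=$2; subj=$3; role_id=$4
  if [ -z "$rtype" ] || [ -z "$rid" ] || [ -z "$role_id" ]; then
    echo "grant_collaborator: resourceType, resourceId and roleId are all required" >&2
    return 2
  fi
  if ! validate_subject "$subj"; then
    echo "grant_collaborator: invalid subject '$subj' (expected type:identifier)" >&2
    return 2
  fi
  # The payload is assembled with printf, so quotes, backslashes or whitespace
  # in any field would change the JSON structure: refuse them outright.
  case "$rtype$rid$subj$role_id" in
    *\"*|*\\*|*[[:space:]]*)
      echo "grant_collaborator: refusing value containing quotes, backslashes or whitespace" >&2
      return 2 ;;
  esac
  payload=$(printf '{"resourceType":"%s","resourceId":"%s","subject":"%s","roleId":"%s"}' \
    "$rtype" "$rid" "$subj" "$role_id")
  if [ "${TFY_DRY_RUN:-0}" = 1 ]; then
    # Show the reviewer exactly what would be sent; nothing is executed.
    printf 'DRY RUN: POST /api/svc/v1/collaborators %s\n' "$payload"
    return 0
  fi
  if [ ! -x "${TFY_API_SH:-}" ]; then
    echo "grant_collaborator: TFY_API_SH is not set to an executable script" >&2
    return 2
  fi
  "$TFY_API_SH" POST /api/svc/v1/collaborators "$payload"
}
```

A typical use is `TFY_DRY_RUN=1 grant_collaborator workspace WORKSPACE_ID user:alice@company.com ROLE_ID`, reading the printed call back to the requester, and only then re-running without the dry-run switch. The subject check does not prove that the user or team exists; it only stops malformed or unexpected subject types from reaching the API, which is also the case the "Invalid subject format" error below describes.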
workspace-admin or workspace-member)

```bash
# 1. Find the role ID
$TFY_API_SH GET /api/svc/v1/roles
# 2. Add collaborator
$TFY_API_SH POST /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"WORKSPACE_ID","subject":"user:alice@company.com","roleId":"ROLE_ID"}'
```
```bash
# 1. Create team
$TFY_API_SH POST /api/svc/v1/teams '{"name":"ml-engineers","description":"ML engineering team"}'
# 2. Add members (use team ID from response)
$TFY_API_SH POST /api/svc/v1/teams/TEAM_ID/members '{"subject":"user:alice@company.com","role":"member"}'
# 3. Grant team access to a workspace
$TFY_API_SH POST /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"WORKSPACE_ID","subject":"team:ml-engineers","roleId":"ROLE_ID"}'
```
List all collaborators to see who has access and with what role:
```bash
$TFY_API_SH GET '/api/svc/v1/collaborators?resourceType=workspace&resourceId=WORKSPACE_ID'
```
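Listing collaborators is only useful for an access review if someone reads the result with a question in mind, for example which non-human subjects hold an admin role. The block below is an added example, not part of the skill: it flattens a collaborator listing into `subject role` lines and flags admin grants held by anything other than a `user:` subject. The JSON shape of `SAMPLE_COLLABORATORS` is constructed to mirror the rendered table earlier on this page and is an assumption; the real body returned by `GET /api/svc/v1/collaborators` may be nested differently, in which case the field extraction needs adjusting. The function names are ours, and `audit_workspace` assumes `scripts/tfy-api.sh` prints the raw response body to stdout.

```shell
#!/bin/sh
# Added example (not part of the TrueFoundry skill). The sample below is a
# constructed response whose shape is assumed, not captured from the real API.
SAMPLE_COLLABORATORS='[{"id":"collab-1","subject":"user:alice@company.com","role":"workspace-admin"},{"id":"collab-2","subject":"team:platform-team","role":"workspace-member"},{"id":"collab-3","subject":"serviceaccount:ci-bot","role":"workspace-admin"},{"id":"collab-4","subject":"external-identity:github-bot","role":"workspace-member"}]'

# Emit one "subject role" line per collaborator object.
# Assumption: a flat JSON array of objects with string "subject" and "role"
# fields and no nested braces, so splitting on '}' isolates one object per line.
flatten_collaborators() {
  printf '%s\n' "$1" | tr '}' '\n' | while IFS= read -r obj; do
    s=$(printf '%s' "$obj" | sed -n 's/.*"subject":"\([^"]*\)".*/\1/p')
    r=$(printf '%s' "$obj" | sed -n 's/.*"role":"\([^"]*\)".*/\1/p')
    if [ -n "$s" ] && [ -n "$r" ]; then
      printf '%s %s\n' "$s" "$r"
    fi
  done
}

# Print admin-role grants whose subject is not an individual user (teams,
# service accounts, virtual accounts, external identities). These are the
# grants an access review should confirm first, because they are shared or
# machine credentials rather than a single accountable person.
find_privileged_non_humans() {
  flatten_collaborators "$1" | while read -r subj role; do
    case "$role" in
      *-admin)
        case "$subj" in
          user:*) ;;
          *) printf '%s %s\n' "$subj" "$role" ;;
        esac ;;
    esac
  done
}

# Count how many collaborators hold a given role, e.g. count_role "$json" workspace-admin
count_role() {
  flatten_collaborators "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}

# Run the review against a live workspace (assumes TFY_API_SH prints the body).
# Usage: audit_workspace WORKSPACE_ID
audit_workspace() {
  body=$("$TFY_API_SH" GET "/api/svc/v1/collaborators?resourceType=workspace&resourceId=$1") || return 1
  printf 'admin grants: %s\n' "$(count_role "$body" workspace-admin)"
  printf 'admin grants held by non-user subjects:\n'
  find_privileged_non_humans "$body"
}
```

Against the constructed sample, `find_privileged_non_humans` reports `serviceaccount:ci-bot workspace-admin` and nothing else: the human admin is expected, and the team and external identity only hold the member role. Run over a real listing, the same output is the short list to take back to the workspace owner.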
status skill to verify credentials before managing access control

Role ID not found. List roles first to find the correct ID.
Team ID not found. List teams first to find the correct ID.
Cannot manage access control. Check your API key permissions — admin access may be required.
Collaborator with this subject and role already exists on the resource. Use a different role or remove the existing collaborator first.
Invalid subject format. Use the pattern "type:identifier" — e.g., user:alice@company.com, team:platform-team, serviceaccount:ci-bot.
Resource not found. Verify the resourceType and resourceId are correct. List the resources first to confirm.
Built-in roles cannot be deleted. Only custom roles can be removed.