Agent-Skills.md

Agent Skills: Clay Enterprise RBAC

|

UncategorizedID: jeremylongshore/claude-code-plugins-plus-skills/clay-enterprise-rbac

Repository

jeremylongshore/claude-code-plugins-plus-skills
jeremylongshoreLicense: NOASSERTION
1,723221

Install this agent skill to your local

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/clay-pack/skills/clay-enterprise-rbac

Skill Files

Browse the full folder contents for clay-enterprise-rbac.

Download Skill

Loading file tree…

plugins/saas-packs/clay-pack/skills/clay-enterprise-rbac/SKILL.md

Skill Metadata

Name
clay-enterprise-rbac
Description
|

Clay Enterprise RBAC

Overview

Control access to Clay tables, enrichment credits, and integrations at the team level. Clay uses a workspace model where team members are assigned Admin, Member, or Viewer roles. This skill covers role assignment, credit budget allocation, API key isolation, and audit procedures.

Prerequisites

  • Clay Team or Enterprise plan
  • Workspace admin privileges
  • Understanding of team structure and data access needs

Instructions

Step 1: Define Role Matrix

Clay has three built-in roles with fixed permissions:

| Capability | Admin | Member | Viewer | |------------|-------|--------|--------| | Manage workspace members | Yes | No | No | | Manage billing and credits | Yes | No | No | | Create/delete tables | Yes | Yes | No | | Run enrichments | Yes | Yes | No | | Configure integrations | Yes | No | No | | Export data | Yes | Yes | Yes | | View all tables | Yes | Yes | Yes |

Recommended role assignments:

roles:
  admin:
    assign_to:
      - Revenue Operations Lead
      - GTM Engineering Lead
    why: "Controls billing, integrations, and team access"

  member:
    assign_to:
      - SDRs building prospect lists
      - Growth engineers building pipelines
      - Marketing ops running enrichment campaigns
    why: "Can create tables and run enrichments but can't change billing or integrations"

  viewer:
    assign_to:
      - Sales managers reviewing lead quality
      - Executives checking pipeline metrics
      - Finance reviewing credit usage
    why: "Read-only access to enriched data and exports"

Step 2: Invite and Manage Team Members

In Clay UI: Settings > Members > Invite

Best practices:

  • Use company email addresses (not personal)
  • Start new members as Viewers until they complete Clay training
  • Audit member list quarterly -- remove departed employees immediately

Step 3: Isolate API Keys by Integration

Create separate API keys for each downstream system to enable independent revocation:

api_keys:
  crm-sync-prod:
    purpose: "HubSpot CRM sync from Clay"
    used_by: "HTTP API column in Outbound Leads table"
    rotation: quarterly

  outbound-instantly:
    purpose: "Push qualified leads to Instantly.ai"
    used_by: "HTTP API column for outreach"
    rotation: quarterly

  internal-dashboard:
    purpose: "Pull enrichment metrics for internal dashboard"
    used_by: "Cron job reading Clay table stats"
    rotation: quarterly

  ci-testing:
    purpose: "Integration tests in CI pipeline"
    used_by: "GitHub Actions workflow"
    rotation: on-demand

Step 4: Set Credit Budget Controls

Since Clay doesn't have per-user credit budgets natively, implement controls at the table level:

// src/clay/budget-controls.ts
interface TableBudget {
  tableId: string;
  tableName: string;
  maxRows: number;           // Prevent over-enrichment
  autoEnrich: boolean;       // Control automatic processing
  owner: string;             // Team member responsible
  monthlyCreditsEstimate: number;
}

const TABLE_BUDGETS: TableBudget[] = [
  {
    tableId: 'outbound-leads',
    tableName: 'Outbound Leads',
    maxRows: 5000,
    autoEnrich: true,
    owner: 'sdr-team@company.com',
    monthlyCreditsEstimate: 3000,
  },
  {
    tableId: 'event-attendees',
    tableName: 'Event Attendees',
    maxRows: 1000,
    autoEnrich: false,  // Manual trigger only
    owner: 'marketing@company.com',
    monthlyCreditsEstimate: 600,
  },
  {
    tableId: 'inbound-leads',
    tableName: 'Inbound Leads',
    maxRows: 2000,
    autoEnrich: true,
    owner: 'growth-eng@company.com',
    monthlyCreditsEstimate: 1200,
  },
];

function auditBudgets(budgets: TableBudget[]): void {
  const totalEstimate = budgets.reduce((sum, b) => sum + b.monthlyCreditsEstimate, 0);
  console.log(`=== Clay Credit Budget Audit ===`);
  for (const b of budgets) {
    console.log(`  ${b.tableName}: ${b.maxRows} rows, ~${b.monthlyCreditsEstimate} credits/mo (owner: ${b.owner})`);
  }
  console.log(`  Total monthly estimate: ${totalEstimate} credits`);
}

Step 5: Quarterly Access Audit

## Clay Workspace Access Audit Checklist

- [ ] Review all workspace members — remove former employees
- [ ] Verify role assignments match current job functions
- [ ] Check API key usage — revoke unused keys
- [ ] Review table access — archive unused tables
- [ ] Audit credit usage by table — identify waste
- [ ] Verify provider API key connections are current
- [ ] Update API key rotation log
- [ ] Review and update table row limits
- [ ] Check webhook submission counts (approaching 50K?)
- [ ] Document any new tables or integrations added

Error Handling

| Issue | Cause | Solution | |-------|-------|----------| | 403 on table creation | User is Viewer role | Upgrade to Member role | | Credits exhausted mid-campaign | No budget cap on table | Set max_rows on table | | Integration key rejected | Key was revoked | Generate new key, update integration config | | Unauthorized data export | Viewer exported sensitive data | Review export audit log | | Former employee still has access | No offboarding process | Immediate removal on departure |

Resources

Next Steps

For migration strategies, see clay-migration-deep-dive.