Grammarly Enterprise RBAC
Overview
Grammarly enterprise deployments manage writing quality across teams with different access levels. Organization admins control style guides, tone profiles, and brand rules. Team admins assign seats and configure suggestion types (clarity, engagement, delivery). Members write with team defaults while guests get read-only access to shared documents. HIPAA and SOC 2 compliance in regulated industries require audit trails on who accessed which writing suggestions and AI detection results.
Role Hierarchy
| Role | Permissions | Scope | |------|------------|-------| | Org Admin | Manage billing, SSO config, all style guides, API credentials | Organization-wide | | Team Admin | Assign seats, configure suggestion settings, manage style guides | Own team | | Member | Write with team settings, access scoring and AI detection APIs | Own team | | Guest | View shared documents, read-only style guide access | Invited documents only | | API Service | OAuth-scoped access to scoring, AI detection, plagiarism APIs | Per-credential scope |
Permission Check
async function checkGrammarlyAccess(userId: string, team: string, scope: string): Promise<boolean> {
const response = await fetch(`${GRAMMARLY_API}/organizations/${ORG_ID}/permissions`, {
headers: { Authorization: `Bearer ${GRAMMARLY_OAUTH_TOKEN}`, 'Content-Type': 'application/json' },
});
const perms = await response.json();
const userPerms = perms.members.find((m: any) => m.id === userId);
if (!userPerms) return false;
return userPerms.team === team && userPerms.scopes.includes(scope);
}
Role Assignment
async function assignTeamRole(email: string, team: string, role: 'admin' | 'member' | 'guest'): Promise<void> {
await fetch(`${GRAMMARLY_API}/organizations/${ORG_ID}/teams/${team}/members`, {
method: 'POST',
headers: { Authorization: `Bearer ${GRAMMARLY_OAUTH_TOKEN}`, 'Content-Type': 'application/json' },
body: JSON.stringify({ email, role }),
});
}
async function revokeTeamAccess(email: string, team: string): Promise<void> {
await fetch(`${GRAMMARLY_API}/organizations/${ORG_ID}/teams/${team}/members/${email}`, {
method: 'DELETE',
headers: { Authorization: `Bearer ${GRAMMARLY_OAUTH_TOKEN}` },
});
}
Audit Logging
interface GrammarlyAuditEntry {
timestamp: string; userId: string; team: string;
action: 'score_check' | 'ai_detection' | 'plagiarism_scan' | 'style_guide_edit' | 'seat_change';
scope: string; documentId?: string; result: 'allowed' | 'denied';
}
function logAccess(entry: GrammarlyAuditEntry): void {
console.log(JSON.stringify({ ...entry, orgId: process.env.GRAMMARLY_ORG_ID }));
}
RBAC Checklist
- [ ] Separate OAuth credentials per team, never share org-level keys
- [ ] OAuth scopes limited to required APIs per team (score, AI, plagiarism)
- [ ] Style guide editing restricted to team admins and above
- [ ] Guest role enforced for external collaborators
- [ ] API token rotation enforced quarterly
- [ ] SSO/SAML configured for all user authentication
- [ ] Seat usage audited monthly to reclaim inactive licenses
Error Handling
| Issue | Cause | Fix |
|-------|-------|-----|
| 401 Unauthorized on API call | Expired OAuth token | Refresh token or regenerate credentials |
| User cannot access AI detection | Team lacks ai-detection:read scope | Add scope to team's OAuth client |
| Style guide edits not saving | User has member role, not admin | Promote to team admin or request admin to edit |
| Guest sees full suggestion set | Role not properly scoped on invite | Re-invite with explicit guest role |
| Seat limit reached | All team licenses assigned | Remove inactive members or purchase additional seats |
Resources
Next Steps
See grammarly-security-basics.