Agent-Skills.md

Agent Skills: Granola Enterprise RBAC

|

UncategorizedID: jeremylongshore/claude-code-plugins-plus-skills/granola-enterprise-rbac

Repository

jeremylongshore/claude-code-plugins-plus-skills
jeremylongshoreLicense: NOASSERTION
1,723221

Install this agent skill to your local

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/granola-pack/skills/granola-enterprise-rbac

Skill Files

Browse the full folder contents for granola-enterprise-rbac.

Download Skill

Loading file tree…

plugins/saas-packs/granola-pack/skills/granola-enterprise-rbac/SKILL.md

Skill Metadata

Name
granola-enterprise-rbac
Description
|

Granola Enterprise RBAC

Overview

Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.

Prerequisites

  • Granola Enterprise plan ($35+/user/month)
  • Organization admin access
  • SSO configured (Okta, Azure AD, or Google Workspace)
  • SCIM provisioning enabled (recommended for automated role assignment)

Instructions

Step 1 — Understand the Role Hierarchy

Organization Owner (1-2 people)
  │   Full control: billing, SSO, org settings, all workspaces
  │
  ├── Workspace Admin (per department)
  │     Manage workspace: members, integrations, settings
  │     All member capabilities
  │
  ├── Team Lead
  │     View team analytics, manage folder structure
  │     All member capabilities
  │
  ├── Member (default role)
  │     Create notes, share internally, use integrations
  │
  ├── Viewer
  │     Read-only access to shared notes
  │     Cannot create or record meetings
  │
  └── Guest (external)
      Single workspace access, read-only
      Time-limited (30-day default expiration)

Step 2 — Permission Matrix

| Permission | Owner | WS Admin | Lead | Member | Viewer | Guest | |-----------|-------|----------|------|--------|--------|-------| | Record meetings | Yes | Yes | Yes | Yes | No | No | | Create notes | Yes | Yes | Yes | Yes | No | No | | Share internally | Yes | Yes | Yes | Yes | No | No | | Share externally | Yes | Yes | Policy | Policy | No | No | | View shared notes | Yes | Yes | Yes | Yes | Yes | Yes | | Manage integrations | Yes | Yes | No | No | No | No | | Manage members | Yes | Yes | No | No | No | No | | View analytics | Yes | Yes | Yes | No | No | No | | Configure retention | Yes | Yes | No | No | No | No | | Manage billing | Yes | No | No | No | No | No | | Configure SSO/SCIM | Yes | No | No | No | No | No |

Step 3 — Map SSO Groups to Roles

Configure in Organization Settings > Security > SSO > Group Mapping:

| SSO Group (IdP) | Granola Workspace | Granola Role | |-----------------|------------------|-------------| | engineering-all | Engineering | Member | | engineering-leads | Engineering | Admin | | sales-team | Sales | Member | | sales-managers | Sales | Admin | | product-team | Product | Member | | hr-team | HR | Member | | hr-directors | HR | Admin | | executives | Executive | Admin | | contractors-eng | Engineering | Guest |

Multi-workspace membership: A user can belong to multiple workspaces with different roles:

  • Sarah Chen: Engineering (Member) + Product (Admin) + Executive (Viewer)
  • Mike Johnson: Sales (Admin) + Engineering (Guest for cross-team visibility)

Step 4 — Configure Sharing Policies

Set per-workspace sharing rules to control data flow:

Standard workspaces (Engineering, Product, Sales):

Workspace Settings > Sharing:
  Internal sharing: Automatic within workspace members
  Cross-workspace: Allowed with admin approval
  External sharing: Allowed with link expiration (30 days)
  Public links: Disabled

Confidential workspaces (HR, Executive):

Workspace Settings > Sharing:
  Internal sharing: Manual only (no auto-share)
  Cross-workspace: Disabled
  External sharing: Disabled
  Public links: Disabled
  Note visibility: Creator + explicitly added viewers only

Step 5 — Implement Least Privilege

Follow the principle of least privilege for role assignments:

  1. Default new users to Member — sufficient for 90% of use cases
  2. Promote to Admin only for workspace managers — IT leads, department heads
  3. Use Viewer for stakeholders who need to read notes but not create them
  4. Time-limit Guest access — 30-day default, renew explicitly
  5. Review access quarterly:
## Quarterly Access Review Checklist

- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns

Step 6 — Enable Audit Logging

Enterprise audit logging captures:

| Event | What's Logged | |-------|--------------| | User login | Who, when, from where (IP) | | Note created | Creator, meeting, workspace | | Note shared | Sharer, recipient, method (Slack/Notion/link) | | Note exported | Who exported, which note | | Role changed | Admin, user affected, old role → new role | | Integration connected/disconnected | Who, which integration | | Workspace settings changed | Admin, what changed |

Access audit logs: Organization Settings > Security > Audit Log

Export audit logs for SIEM integration (Enterprise):

  • Granola can export audit events to external systems
  • Contact Granola support for Splunk/Datadog/SIEM integration

Step 7 — Handle User Lifecycle

Onboarding:

  1. User added to SSO group → SCIM provisions account → JIT assigns workspace + role
  2. First login: SSO authenticates, Granola provisions based on group mapping
  3. User can immediately record meetings in assigned workspaces

Role change:

  1. Update SSO group membership in IdP
  2. SCIM sync updates Granola role (within sync interval, typically 1-15 min)
  3. Or manually: Workspace Settings > Members > change role

Offboarding:

  1. Disable user in IdP → SCIM deactivates Granola account
  2. User loses access immediately
  3. Their shared notes remain visible to workspace members
  4. Their private notes are inaccessible (retained per retention policy)
  5. Reassign ownership of shared folders if needed

Output

  • Role hierarchy defined and documented
  • SSO group mappings configured for automated provisioning
  • Per-workspace sharing policies enforced
  • Audit logging enabled with SIEM export (if applicable)
  • User lifecycle procedures (onboard/offboard) established
  • Quarterly access review cadence scheduled

Error Handling

| Error | Cause | Fix | |-------|-------|-----| | User can't access workspace | Wrong SSO group | Verify IdP group membership | | External sharing blocked unexpectedly | Workspace policy override | Review workspace sharing settings | | Guest access expired | 30-day time limit | Re-invite the guest or extend expiration | | SCIM sync delayed | IdP sync interval too long | Trigger manual sync in IdP, or adjust interval | | Orphaned accounts after termination | SCIM deprovisioning not configured | Enable deprovisioning in SCIM settings |

Resources

Next Steps

Proceed to granola-migration-deep-dive for migrating from other meeting note tools.