Agent Skills: Lokalise Enterprise RBAC

Lokalise Enterprise RBAC

Overview

Manage fine-grained access to Lokalise translation projects using its built-in role hierarchy, language-level scoping, contributor groups, and organization-level SSO enforcement. Lokalise has four core roles — owner, admin, manager-level (via admin_rights), and contributor (translator/reviewer) — each configurable per project and per language.

Prerequisites

• Lokalise Team or Enterprise plan (contributor groups and SSO require Team+)
• Owner or Admin role in the Lokalise organization
• LOKALISE_API_TOKEN environment variable set (admin-level token)
• @lokalise/node-api SDK or curl + jq for REST API access

Instructions

Step 1: Understand the Role Hierarchy

Lokalise uses a flat role model per project, controlled by three boolean flags on each contributor:

| Role | is_admin | is_reviewer | Can translate | Can review | Can manage keys | Can manage contributors | |------|-----------|--------------|--------------|-----------|----------------|----------------------| | Admin | true | true | Yes | Yes | Yes | Yes | | Manager | false | true | Yes | Yes | Limited (via admin_rights) | No | | Reviewer | false | true | Yes | Yes | No | No | | Translator | false | false | Yes | No | No | No |

At the team level, users are either admin or member. Team admins can create projects and manage billing. Team members can only access projects they are explicitly added to.

Step 2: Add Contributors with Language Scoping

import { LokaliseApi } from '@lokalise/node-api';
const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! });

// Add a translator restricted to French and Spanish only
await lok.contributors().create(PROJECT_ID, [{
  email: 'translator@agency.com',
  fullname: 'Marie Dupont',
  is_admin: false,
  is_reviewer: false,
  languages: [
    { lang_iso: 'fr', is_writable: true },
    { lang_iso: 'es', is_writable: true },
  ],
}]);

// Add a reviewer who can review all languages but only translate German
await lok.contributors().create(PROJECT_ID, [{
  email: 'reviewer@company.com',
  fullname: 'Hans Mueller',
  is_admin: false,
  is_reviewer: true,
  languages: [
    { lang_iso: 'de', is_writable: true },
    { lang_iso: 'fr', is_writable: false },  // Can review but not edit
    { lang_iso: 'es', is_writable: false },
  ],
}]);

Step 3: Manage Team-Level Users and Roles

set -euo pipefail
TEAM_ID="YOUR_TEAM_ID"

# List all team members with their roles
curl -s -X GET "https://api.lokalise.com/api2/teams/${TEAM_ID}/users" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  | jq '.team_users[] | {user_id: .user_id, email: .email, role: .role}'

# Demote a user from admin to member
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/users/USER_ID" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"role": "member"}'

Step 4: Create Contributor Groups for Bulk Management

Groups let you assign the same permissions to multiple people at once. When you add a user to a group, they inherit the group's language scope and role across all projects the group is assigned to.

set -euo pipefail
TEAM_ID="YOUR_TEAM_ID"

# Create a group for APAC translators
curl -s -X POST "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "APAC Translators",
    "is_reviewer": false,
    "is_admin": false,
    "admin_rights": [],
    "languages": [
      {"lang_iso": "ja", "is_writable": true},
      {"lang_iso": "ko", "is_writable": true},
      {"lang_iso": "zh_CN", "is_writable": true}
    ]
  }'

# Add a member to the group
GROUP_ID=$(curl -s "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  | jq -r '.groups[] | select(.name == "APAC Translators") | .group_id')

curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/members/add" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"users": [12345, 67890]}'

# Assign the group to specific projects
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/projects/add" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"projects": ["PROJECT_ID_1", "PROJECT_ID_2"]}'

Step 5: Configure SSO (Enterprise Plan Only)

SSO is configured in the Lokalise dashboard, not via API. Map your IdP groups to Lokalise roles:

1. Navigate to Organization Settings > Single Sign-On
2. Select SAML 2.0 and enter your IdP metadata URL
3. Map IdP groups to Lokalise roles:
   • Engineering-Localization -> Admin
   • Translators-EMEA -> Contributor group "EMEA Translators"
   • Product-Managers -> Reviewer
4. Enable Enforce SSO to block password-based login for all org members
5. Set Default Role for new SSO users (recommend: member with no project access)

ACS URL format: https://app.lokalise.com/sso/saml/YOUR_TEAM_ID/callback

Step 6: Audit Permissions Regularly

import { LokaliseApi } from '@lokalise/node-api';
const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! });

async function auditPermissions() {
  const projects = await lok.projects().list({ limit: 100 });
  const report: Array<{project: string; issue: string; detail: string}> = [];

  for (const proj of projects.items) {
    const contributors = await lok.contributors().list({
      project_id: proj.project_id,
      limit: 500,
    });

    // Flag: too many admins
    const admins = contributors.items.filter(c => c.is_admin);
    if (admins.length > 3) {
      report.push({
        project: proj.name,
        issue: 'Excessive admins',
        detail: `${admins.length} admins: ${admins.map(a => a.email).join(', ')}`,
      });
    }

    // Flag: contributors with no language scope (can see all languages)
    const unscopedTranslators = contributors.items.filter(
      c => !c.is_admin && (!c.languages || c.languages.length === 0)
    );
    if (unscopedTranslators.length > 0) {
      report.push({
        project: proj.name,
        issue: 'Unscoped contributors',
        detail: `${unscopedTranslators.length} users can access all languages`,
      });
    }

    // Respect rate limit
    await new Promise(r => setTimeout(r, 200));
  }

  console.table(report);
  return report;
}

await auditPermissions();

Step 7: Set Up Webhook for Access Change Notifications

set -euo pipefail
# Get notified when contributors are added or removed
curl -s -X POST "https://api.lokalise.com/api2/projects/${PROJECT_ID}/webhooks" \
  -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://hooks.company.com/lokalise-audit",
    "events": [
      "project.contributor_added",
      "project.contributor_deleted",
      "project.contributor_added_to_language",
      "project.contributor_deleted_from_language"
    ]
  }'

Output

• Contributors added with explicit language scoping (no unscoped access)
• Contributor groups created for bulk role management across projects
• Team-level roles configured (admin vs. member distinction)
• SSO configured with IdP group-to-role mapping (Enterprise)
• Audit script identifying over-privileged users and unscoped contributors
• Webhook configured for access change notifications

Error Handling

| Issue | Cause | Solution | |-------|-------|----------| | 403 on contributor create | Caller lacks Admin role on the project | Use an admin-level token or get elevated by an Owner | | Translator sees all languages | No languages array set on contributor | Update contributor with explicit language scope array | | SSO login loop | Mismatched ACS URL | Verify ACS URL matches https://app.lokalise.com/sso/saml/TEAM_ID/callback exactly | | Cannot remove Owner | Last owner protection | Transfer ownership to another admin first | | 400 on group create | admin_rights contains invalid values | Valid values: activity, statistics, settings, manage_keys, manage_screenshots, manage_languages, manage_contributors | | Group members don't see project | Group not assigned to the project | Use the groups/projects/add endpoint to link them |

Examples

List All Contributors Across All Projects

set -euo pipefail
# Quick CSV export of all contributors and their roles
curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
  "https://api.lokalise.com/api2/projects?limit=100" \
  | jq -r '.projects[].project_id' \
  | while read -r pid; do
    curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
      "https://api.lokalise.com/api2/projects/${pid}/contributors?limit=500" \
      | jq -r --arg pid "$pid" '.contributors[] | [$pid, .email, (.is_admin|tostring), (.is_reviewer|tostring), (.languages|length|tostring)] | @csv'
    sleep 0.2
  done | sort -t, -k2

Principle of Least Privilege Setup

For a typical project with 3 languages (en, fr, de):

// Product team: admin access for key management
await lok.contributors().create(PROJECT_ID, [{
  email: 'pm@company.com', fullname: 'PM', is_admin: true, is_reviewer: true, languages: [],
}]);

// French translator: only French, translate only
await lok.contributors().create(PROJECT_ID, [{
  email: 'fr@agency.com', fullname: 'FR Translator', is_admin: false, is_reviewer: false,
  languages: [{ lang_iso: 'fr', is_writable: true }],
}]);

// German reviewer: German write + French read-only for reference
await lok.contributors().create(PROJECT_ID, [{
  email: 'de@agency.com', fullname: 'DE Reviewer', is_admin: false, is_reviewer: true,
  languages: [
    { lang_iso: 'de', is_writable: true },
    { lang_iso: 'fr', is_writable: false },
  ],
}]);

Resources

• Lokalise Contributors API
• Team Users API
• Contributor Groups API
• SSO Configuration Guide
• Webhook Events Reference

Next Steps

• After setting up permissions, run lokalise-debug-bundle to verify access scoping works as expected.
• For migration scenarios requiring bulk contributor setup, see lokalise-migration-deep-dive.
• Monitor access patterns over time with the audit script from Step 6.