Agent Skills: Navan Enterprise RBAC

Uncategorized | ID: jeremylongshore/claude-code-plugins-plus-skills/navan-enterprise-rbac

Install this agent skill to your local

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/navan-pack/skills/navan-enterprise-rbac

plugins/saas-packs/navan-pack/skills/navan-enterprise-rbac/SKILL.md

Skill Metadata

Name
navan-enterprise-rbac
Description
'Configure Navan admin roles, travel policies, approval workflows, and

Navan Enterprise RBAC

Overview

Navan's enterprise tier provides granular role-based access control, configurable travel policies, and multi-tier approval workflows. The platform enforces in-policy vs out-of-policy bookings at the point of purchase — travelers see policy-compliant options highlighted and must justify out-of-policy selections through approval chains. This skill covers the admin role hierarchy, policy rule configuration, department-scoped access, and API-driven policy management.

Prerequisites

  • Navan enterprise account with Global Admin or Travel Admin access
  • OAuth 2.0 credentials with admin-scoped permissions (see navan-install-auth)
  • Organizational hierarchy defined (departments, cost centers, reporting lines)
  • Dedicated Customer Success Manager contact (included with enterprise tier)

Instructions

Step 1: Understand the Navan Role Hierarchy

Global Admin
├── Travel Admin         — Manage travel policies, view all bookings
├── Expense Admin        — Manage expense policies, approve/reject reports
├── Finance Admin        — View spend analytics, export financial reports
├── Department Manager   — Approve bookings/expenses for direct reports
├── Arranger            — Book travel on behalf of other employees
└── Traveler            — Book own travel within policy, submit expenses

| Role | Book Travel | Approve | View All Bookings | Edit Policies | Manage Users |
|------|-------------|---------|-------------------|---------------|--------------|
| Global Admin | Yes | Yes | Yes | Yes | Yes |
| Travel Admin | Yes | Yes | Yes | Yes | No |
| Expense Admin | No | Yes | Expenses Only | Expense Only | No |
| Finance Admin | No | No | Yes (read-only) | No | No |
| Dept Manager | Yes | Own Dept | Own Dept | No | No |
| Arranger | Others | No | Arranged Only | No | No |
| Traveler | Self | No | Own Only | No | No |

Step 2: Configure Travel Policy Rules via API

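// Fail fast if the token is missing instead of sending "Bearer undefined"
const accessToken = process.env.NAVAN_ACCESS_TOKEN;
if (!accessToken) {
  throw new Error('NAVAN_ACCESS_TOKEN is not set');
}

// Retrieve current travel policy
const policyRes = await fetch('https://api.navan.com/v1/travel-policies', {
  headers: { 'Authorization': `Bearer ${accessToken}` }
});
if (!policyRes.ok) {
  throw new Error(`Failed to list travel policies: HTTP ${policyRes.status}`);
}
const policies = await policyRes.json();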

// Create a department-specific policy
const newPolicy = await fetch('https://api.navan.com/v1/travel-policies', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: 'Engineering Department Policy',
    department_ids: ['dept-eng-001'],
    rules: {
      flight: {
        max_price: 800,
        cabin_class: 'economy',
        advance_booking_days: 14,
        allow_premium_economy: true,
        allow_business_class: false
      },
      hotel: {
        max_nightly_rate: 250,
        max_star_rating: 4,
        preferred_chains: ['marriott', 'hilton', 'hyatt']
      },
      car_rental: {
        max_daily_rate: 75,
        max_class: 'intermediate',
        preferred_vendors: ['enterprise', 'national']
      },
      out_of_policy: {
        action: 'require_approval',        // 'block' | 'require_approval' | 'warn'
        require_justification: true,
        auto_escalate_above: 1500          // Auto-escalate to finance above this amount
      }
    }
  })
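});
// 403, 404 and 409 are covered under Error Handling; do not continue on failure
if (!newPolicy.ok) {
  throw new Error(`Failed to create travel policy: HTTP ${newPolicy.status}`);
}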

Step 3: Set Up Approval Workflows

// Configure multi-tier approval chain
const approvalWorkflow = await fetch('https://api.navan.com/v1/approval-workflows', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: 'Standard Travel Approval',
    applies_to: ['booking', 'expense'],
    tiers: [
      {
        order: 1,
        approver_type: 'direct_manager',
        conditions: { min_amount: 0 },
        auto_approve_below: 200,
        timeout_hours: 48,
        timeout_action: 'escalate'
      },
      {
        order: 2,
        approver_type: 'department_head',
        conditions: { min_amount: 1000 },
        timeout_hours: 72,
        timeout_action: 'escalate'
      },
      {
        order: 3,
        approver_type: 'finance_admin',
        conditions: { min_amount: 5000 },
        timeout_hours: 24,
        timeout_action: 'notify_global_admin'
      }
    ],
    out_of_policy_override: {
      always_require_tier: 2,
      justification_required: true
    }
  })
});
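
The Error Handling table lists "Invalid approval chain" (400) for non-sequential tier order or invalid approver_type values. The following added example (not code from this skill or from Navan) checks the Step 3 payload offline before it is sent. How min_amount, auto_approve_below and always_require_tier interact is an assumption made here, and KNOWN_APPROVERS holds only the values that appear on this page.

```typescript
// Added example: field names are from Step 3; threshold semantics are assumed.
interface Tier {
  order: number; approver_type: string; conditions: { min_amount: number };
  auto_approve_below?: number; timeout_hours: number; timeout_action: string;
}
interface Workflow { tiers: Tier[]; out_of_policy_override?: { always_require_tier: number; justification_required: boolean } }

// Only the approver types shown on this page; extend from the API reference.
const KNOWN_APPROVERS = new Set(['direct_manager', 'department_head', 'finance_admin']);

// The tiers and override from the Step 3 payload.
const PAGE_WORKFLOW: Workflow = {
  tiers: [
    { order: 1, approver_type: 'direct_manager', conditions: { min_amount: 0 }, auto_approve_below: 200, timeout_hours: 48, timeout_action: 'escalate' },
    { order: 2, approver_type: 'department_head', conditions: { min_amount: 1000 }, timeout_hours: 72, timeout_action: 'escalate' },
    { order: 3, approver_type: 'finance_admin', conditions: { min_amount: 5000 }, timeout_hours: 24, timeout_action: 'notify_global_admin' },
  ],
  out_of_policy_override: { always_require_tier: 2, justification_required: true },
};

function validateWorkflow(wf: Workflow): string[] {
  const problems: string[] = [];
  const flag = (bad: boolean, msg: string) => { if (bad) problems.push(msg); };
  const tiers = [...wf.tiers].sort((a, b) => a.order - b.order);
  tiers.forEach((t, i) => {
    const nextMin = tiers[i + 1]?.conditions.min_amount; // undefined on the last tier
    flag(t.order !== i + 1, `tier ${t.order}: order is not sequential`);
    flag(!KNOWN_APPROVERS.has(t.approver_type), `tier ${t.order}: unknown approver_type '${t.approver_type}'`);
    flag(nextMin !== undefined && nextMin < t.conditions.min_amount, `tier ${t.order}: next tier has a lower min_amount`);
    // Assumed: requests under auto_approve_below get no human review at this tier,
    // so a cutoff above the next tier's min_amount would let them skip that tier too.
    flag(nextMin !== undefined && t.auto_approve_below !== undefined && t.auto_approve_below > nextMin, `tier ${t.order}: auto_approve_below exceeds next tier's min_amount`);
    flag(nextMin === undefined && t.timeout_action === 'escalate', `tier ${t.order}: last tier escalates on timeout with no tier above it`);
  });
  const forced = wf.out_of_policy_override?.always_require_tier;
  flag(forced !== undefined && !tiers.some(t => t.order === forced), `out_of_policy_override: tier ${forced} does not exist`);
  return problems;
}

// Tiers that must sign off on a request, under the assumed semantics above.
function requiredTiers(wf: Workflow, amount: number, outOfPolicy: boolean): number[] {
  const forced = outOfPolicy ? wf.out_of_policy_override?.always_require_tier : undefined;
  return wf.tiers
    .filter(t => t.order === forced || (amount >= t.conditions.min_amount &&
      !(t.auto_approve_below !== undefined && amount < t.auto_approve_below)))
    .map(t => t.order).sort((a, b) => a - b);
}
```

Under these assumptions a 150 in-policy request needs no approver, while the same request out of policy still goes to tier 2.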

Step 4: Assign Users to Departments and Roles

// Bulk role assignment for department onboarding
async function assignDepartmentRoles(
  departmentId: string,
  userEmails: string[],
  role: string
): Promise<void> {
  for (const email of userEmails) {
    const res = await fetch('https://api.navan.com/v1/users/role-assignment', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${accessToken}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        email,
        role,
        department_id: departmentId,
        effective_date: new Date().toISOString()
      })
    });

    if (!res.ok) {
      console.error(`Failed to assign ${role} to ${email}: HTTP ${res.status}`);
    } else {
      console.log(`Assigned ${role} to ${email} in dept ${departmentId}`);
    }
  }
}

// Example: onboard engineering managers
await assignDepartmentRoles('dept-eng-001', [
  'manager1@company.com',
  'manager2@company.com'
], 'department_manager');

Step 5: Audit Role Assignments

# List all users with admin roles
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
  'https://api.navan.com/v1/users?role=admin&limit=100' | python3 -m json.tool

# Get policy violations report
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
  'https://api.navan.com/v1/reports/policy-violations?start_date=2026-01-01' \
  | python3 -m json.tool
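
One way to act on the role listing above, as an added example that is not part of the skill: compare exported assignments against an approved baseline and flag privileged roles nobody signed off on, approver roles without a department scope, and users who hold both an arranger and an approving role. The record shape and the role identifiers other than 'department_manager' are assumptions, and the sample data is constructed.

```typescript
// Added example. Record shape and role identifiers are assumptions (only
// 'department_manager' appears on the page); the sample data is constructed.
interface Assignment { email: string; role: string; department_id?: string }
interface Finding { email: string; role: string; reason: string }

// Roles that can approve, edit policies or manage users per the Step 1 table.
const PRIVILEGED: Record<string, string[]> = {
  global_admin: ['approve', 'edit_policies', 'manage_users'],
  travel_admin: ['approve', 'edit_policies'],
  expense_admin: ['approve', 'edit_policies'],
  department_manager: ['approve'],
};
const keyOf = (a: Assignment) => `${a.email.toLowerCase()}|${a.role}|${a.department_id ?? ''}`;

function auditAssignments(current: Assignment[], approved: Assignment[]): Finding[] {
  const baseline = new Set(approved.map(keyOf));
  const findings: Finding[] = [];
  const rolesByUser = new Map<string, Set<string>>();
  for (const a of current) {
    const email = a.email.toLowerCase();
    const caps = PRIVILEGED[a.role];
    if (caps && !baseline.has(keyOf(a)))
      findings.push({ email, role: a.role, reason: `not in approved baseline: ${caps.join(', ')}` });
    if (a.role === 'department_manager' && !a.department_id)
      findings.push({ email, role: a.role, reason: 'approver role without department scope' });
    rolesByUser.set(email, (rolesByUser.get(email) ?? new Set<string>()).add(a.role));
  }
  // Arranger books for others; combined with an approving role the same person
  // can both create and approve a booking.
  rolesByUser.forEach((roles, email) => {
    if (roles.has('arranger') && Array.from(roles).some(r => PRIVILEGED[r]?.includes('approve')))
      findings.push({ email, role: 'arranger', reason: 'holds arranger and an approving role' });
  });
  return findings;
}

// Constructed sample data: the signed-off baseline and a current export.
const APPROVED: Assignment[] = [
  { email: 'admin@example.com', role: 'global_admin' },
  { email: 'lead@example.com', role: 'department_manager', department_id: 'dept-eng-001' },
];
const CURRENT: Assignment[] = [
  ...APPROVED, { email: 'lead@example.com', role: 'arranger' },
  { email: 'new.hire@example.com', role: 'travel_admin' }, { email: 'ops@example.com', role: 'department_manager' },
  { email: 'viewer@example.com', role: 'finance_admin' },
];
```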

Output

A fully configured RBAC system with department-scoped travel policies, multi-tier approval workflows, and role assignments for the organizational hierarchy. Travelers see policy-compliant options at booking time, out-of-policy requests route through the approval chain, and admins have audit visibility into policy violations.

Error Handling

| Error | Code | Solution |
|-------|------|----------|
| Insufficient admin permissions | 403 | Requesting user needs Global Admin or Travel Admin role |
| Department not found | 404 | Verify department_id exists; create via admin dashboard first |
| Conflicting policy rules | 409 | Two policies targeting the same department; deactivate the old one first |
| Invalid approval chain | 400 | Ensure tier order is sequential and approver_type values are valid |
| User not found | 404 | Verify email matches an active Navan user; check SCIM sync status |

Examples

Check a user's effective policy:

curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
  'https://api.navan.com/v1/users/user@company.com/effective-policy' \
  | python3 -m json.tool

Export policy compliance summary:

curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
  'https://api.navan.com/v1/reports/policy-compliance?period=monthly' \
  | python3 -m json.tool

Next Steps

After configuring RBAC, see navan-security-basics for SSO/SAML enforcement and credential hardening, or navan-observability for monitoring policy compliance and booking patterns.