Agent Skills: Replit Enterprise RBAC

ID: jeremylongshore/claude-code-plugins-plus-skills/replit-enterprise-rbac

Install this agent skill to your local

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/replit-pack/skills/replit-enterprise-rbac

Skill Files


plugins/saas-packs/replit-pack/skills/replit-enterprise-rbac/SKILL.md

Skill Metadata

Name: replit-enterprise-rbac

Replit Enterprise RBAC

Overview

Manage team access to Replit workspaces, deployments, and AI features. Covers the built-in role system (Admin, Manager, Editor, Viewer), custom groups (Enterprise only), SSO/SAML integration, deployment permissions, and audit logging.

Prerequisites

  • Replit Teams or Enterprise plan
  • Organization Owner or Admin role
  • SSO identity provider (Enterprise only): Okta, Azure AD, Google Workspace

Role Hierarchy

| Role | Create Repls | Deploy | Manage Members | Billing | AI Features |
|------|-------------|--------|----------------|---------|-------------|
| Owner | Yes | All | Yes | Yes | Yes |
| Admin | Yes | All | Yes | View only | Yes |
| Manager | Yes | Staging | Add/remove | No | Yes |
| Editor | Yes | No | No | No | Yes |
| Viewer | No | No | No | No | No |

Instructions

Step 1: Configure Organization Roles

In Organization Settings > Members:

1. Invite members:
   - Click "Invite" > enter email
   - Select role: Admin, Manager, Editor, or Viewer
   - Member receives email invitation

2. Bulk management (2025+):
   - CSV export of all members
   - Sort/filter by role, activity, last login
   - Bulk role changes

3. Role assignment strategy:
   - Owners: 1-2 (billing + full admin)
   - Admins: team leads (manage members + deploy)
   - Managers: senior devs (deploy to staging)
   - Editors: developers (create + code)
   - Viewers: stakeholders (read-only access)

Step 2: Custom Groups (Enterprise Only)

Enterprise plan enables custom permission groups:

1. Organization Settings > Groups
2. Create group: e.g., "Backend Team"
3. Assign permissions:
   - Access to specific Repls
   - Deployment permissions (staging only, or all)
   - AI feature access
4. Add members to group

Example groups:
- "Frontend Team": access to UI Repls, deploy to staging
- "DevOps": all Repls, deploy to production, manage secrets
- "Contractors": specific Repls only, no deployment access
- "QA": read all, deploy to staging, no production

Step 3: SSO/SAML Configuration (Enterprise Only)

Organization Settings > Security > SSO:

1. Choose provider:
   - Okta
   - Azure Active Directory
   - Google Workspace
   - Any SAML 2.0 compatible IdP

2. Configure SAML:
   - ACS URL: provided by Replit
   - Entity ID: provided by Replit
   - Certificate: from your IdP
   - Map IdP groups to Replit roles

3. Enable enforcement:
   - "Require SSO": blocks password-based login
   - Session timeout: recommended 12 hours
   - IdP-initiated logout support

4. Test:
   - Try login with SSO before enforcing
   - Verify role mapping works correctly
   - Test session timeout behavior

Step 4: Deployment Permission Controls

Control who can deploy and where:

Organization Settings > Deployments > Permissions:

Production deployments:
- Restrict to Admin + Owner only
- Require approval workflow (Enterprise)
- Custom domain management: Admin only

Staging deployments:
- Allow Managers and above
- Auto-deploy from staging branch

Development:
- All Editors can run in Workspace
- Dev database access for all team members

Step 5: Audit Logging

```bash
# View recent team activity
curl "https://replit.com/api/v1/teams/TEAM_ID/audit-log?limit=50" \
  -H "Authorization: Bearer $REPLIT_TOKEN" | \
  jq '.events[] | {user, action, resource, timestamp}'

# Common audit events:
# - member.invited
# - member.removed
# - member.role_changed
# - repl.created
# - repl.deleted
# - deployment.created
# - deployment.rolled_back
# - secret.created
# - secret.deleted
```

Enterprise audit features:
- Exportable audit logs (CSV)
- 90-day retention
- Filter by user, action, resource
- API access for SIEM integration
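When the audit log is pulled into a SIEM, the events worth correlating are the ones that change who holds a privileged role and what that account does right afterwards. The script below is an added example, not part of the skill: it consumes events in the `{user, action, resource, timestamp}` shape the jq filter above selects, flags promotions to Owner or Admin, and raises the severity of a sensitive action (secret deletion, production rollback, member removal) performed by an account promoted within the last hour. The `details.from/to` field on role-change events, the one-hour window and the sample events are all assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

SENSITIVE_ACTIONS = {"secret.deleted", "deployment.rolled_back", "member.removed"}
PRIVILEGED_ROLES = {"Owner", "Admin"}     # can deploy anywhere and manage members
CORRELATION_WINDOW = timedelta(hours=1)   # assumed threshold, tune per team

# Constructed sample in the shape produced by the jq filter; the "details"
# object on role changes is assumed, not documented by Replit.
SAMPLE_EVENTS = json.loads("""[
 {"user": "alice@example.com", "action": "member.role_changed",
  "resource": "bob@example.com", "timestamp": "2025-03-01T09:10:00Z",
  "details": {"from": "Editor", "to": "Admin"}},
 {"user": "bob@example.com", "action": "secret.deleted",
  "resource": "payments-api/DB_PASSWORD", "timestamp": "2025-03-01T09:12:00Z"},
 {"user": "bob@example.com", "action": "deployment.rolled_back",
  "resource": "payments-api/production", "timestamp": "2025-03-01T09:15:00Z"},
 {"user": "carol@example.com", "action": "repl.created",
  "resource": "ui-dashboard", "timestamp": "2025-03-01T14:00:00Z"}
]""")


def _ts(event):
    """Parse the ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def triage(events):
    """Return findings as dicts {severity, rule, event}, in time order."""
    findings = []
    promoted_at = {}  # account -> time it was granted a privileged role
    for ev in sorted(events, key=_ts):
        action = ev["action"]
        if action == "member.role_changed":
            if ev.get("details", {}).get("to") in PRIVILEGED_ROLES:
                promoted_at[ev["resource"]] = _ts(ev)
                findings.append({"severity": "medium",
                                 "rule": "privilege-escalation", "event": ev})
        elif action in SENSITIVE_ACTIONS:
            since = promoted_at.get(ev["user"])
            recent = since is not None and _ts(ev) - since <= CORRELATION_WINDOW
            findings.append({"severity": "high" if recent else "low",
                             "rule": "sensitive-action-after-promotion" if recent
                             else "sensitive-action", "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["event"]["user"], f["event"]["action"])
```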

Step 6: Quarterly Access Review

Access Review Checklist (run quarterly)

1. Export member list from Organization Settings
2. Review each member:
   - [ ] Last active date within 30 days?
   - [ ] Role appropriate for current responsibilities?
   - [ ] Still on the team/project?
3. Actions:
   - Remove members not active in 30+ days
   - Downgrade over-privileged members
   - Upgrade members needing more access
4. Document changes and rationale
5. Verify SSO group mappings still accurate

Cost impact:
- Each removed seat saves $25-40/month
- Quarterly review prevents seat creep
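The checklist above can be run mechanically against the CSV export from Step 1. The script below is an added example, not part of the skill: it reads a constructed member export (columns `email`, `role`, `last_login` are assumed; Replit's actual export headers may differ), lists members inactive for more than 30 days for removal, flags Owners beyond the recommended two for downgrade to Admin, and estimates the monthly saving from removed seats using the $25-40 range quoted above.

```python
import csv
import io
from datetime import date, timedelta

INACTIVE_DAYS = 30        # checklist: last active within 30 days?
MAX_OWNERS = 2            # role strategy: 1-2 Owners
SEAT_COST = (25, 40)      # $/month per seat, range quoted in the page

# Constructed sample export; column names are an assumption.
SAMPLE_EXPORT = """email,role,last_login
alice@example.com,Owner,2025-03-28
bob@example.com,Owner,2025-03-20
carol@example.com,Owner,2024-12-01
dave@example.com,Admin,2025-03-30
erin@example.com,Editor,2025-01-15
frank@example.com,Viewer,2025-03-29
grace@example.com,Owner,2025-03-10
"""


def review(csv_text, today):
    """Apply the quarterly checklist; returns removal/downgrade lists and savings."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    cutoff = today - timedelta(days=INACTIVE_DAYS)

    # Rule 1: members with no login inside the window are removal candidates.
    remove = [r["email"] for r in rows
              if date.fromisoformat(r["last_login"]) < cutoff]

    # Rule 2: more Owners than recommended. Keep the most recently active ones
    # and propose downgrading the rest to Admin (same deploy rights, no billing).
    owners = sorted((r for r in rows
                     if r["role"] == "Owner" and r["email"] not in remove),
                    key=lambda r: r["last_login"], reverse=True)
    downgrade = [r["email"] for r in owners[MAX_OWNERS:]]

    savings = (len(remove) * SEAT_COST[0], len(remove) * SEAT_COST[1])
    return {"remove": remove, "downgrade": downgrade, "monthly_savings": savings}


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT, date(2025, 3, 31))
    print("remove:", result["remove"])
    print("downgrade Owner -> Admin:", result["downgrade"])
    print("estimated saving $/month:", result["monthly_savings"])
```

Record the output alongside the rationale for each change (checklist item 4) so the next review can see what was decided and why.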

Step 7: AI Feature Controls

Replit AI features (Agent, Assistant, Ghostwriter):

Organization Settings > AI Features:
- Enable/disable AI for entire organization
- Per-role AI access (Enterprise)
- Usage tracking per member

Controls:
- Agent: can create files, install packages, deploy
- Assistant: code suggestions, chat
- Ghostwriter: inline completions

Recommendation:
- Enable AI for all developers (Editors+)
- Restrict Agent deployment to Managers+
- Monitor AI usage via dashboard

Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| Member can't deploy | Insufficient role | Promote to Manager or Admin |
| SSO redirect loop | Wrong ACS URL | Verify callback URL matches Replit config |
| Seat limit exceeded | Plan capacity reached | Remove inactive members or upgrade |
| Custom group not working | Not on Enterprise plan | Groups require Enterprise |
| AI features disabled | Org-level toggle off | Enable in Organization Settings > AI |

Resources

Next Steps

For data migration patterns, see replit-migration-deep-dive.