cx-platform-admin

Use this skill when the user asks "who has access", "audit permissions", "check user roles", "list API keys", "review access controls", "rotate API keys", "create API key", "delete expired keys", "send data keys", "configure SAML", "set up SSO", "IP allowlist", "IP access restrictions", "check IP whitelist", "add user", "deactivate user", "manage team groups", "user permissions", "role-based access", "manage scopes", "system roles", "API key admin", "team member keys", "group membership", or wants to audit, manage, or configure access controls for a Coralogix account.

Quality

74%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/cx-platform-admin/SKILL.md

Platform Admin Skill

Name: cx-platform-admin
Rating: 79 (1 reviews)
Author: coralogix

Use this skill for managing access, authentication, and authorization in Coralogix. It covers API key management, role and scope definitions, user administration, team groups, SAML SSO configuration, and IP access restrictions.

Destructive Operation Safety

All write operations (create, update, delete, set-idp, set-active, set-status) require interactive confirmation. The CLI will prompt before executing. To skip the prompt in scripts, pass --yes.

IMPORTANT: NEVER pass --yes without explicit user approval. Before executing any write operation:

Describe the exact operation to the user (what will be created/modified/deleted)
Wait for the user to confirm
Only then execute with --yes

Read-only operations (list, get, search, system, sp-params, send-data-keys) do not require confirmation and can be run freely.

Read-Only Mode

Use --read-only (or CX_READ_ONLY=1) to block all write operations at the CLI level. This is useful for safe exploration - you can query any IAM resource without risk of accidental modifications.

Agent Mode

When running inside an AI agent (Claude Code, Cursor, Codex, etc.), cx automatically detects the agent environment and fails fast on write operations instead of hanging on a stdin prompt. The error message instructs you to get user confirmation first, then re-run with --yes.

CLI Commands

API Keys

Command	Purpose
`cx iam api-keys list`	List all API keys
`cx iam api-keys get <id>`	Get a single API key
`cx iam api-keys create --from-file`	Create an API key
`cx iam api-keys update --from-file <id>`	Update an API key
`cx iam api-keys delete <id>`	Delete an API key
`cx iam api-keys send-data-keys`	List send-data API keys
`cx iam api-keys admin list`	List all team members' keys
`cx iam api-keys admin delete --ids <id1> <id2>`	Bulk delete keys
`cx iam api-keys admin set-status --ids <id1> --active true/false`	Activate/deactivate keys

Roles & Scopes

Command	Purpose
`cx iam roles list`	List custom roles
`cx iam roles get <id>`	Get a role definition
`cx iam roles create --from-file`	Create a custom role
`cx iam roles update --from-file <id>`	Update a custom role
`cx iam roles delete <id>`	Delete a custom role
`cx iam roles system`	List system (built-in) roles
`cx iam scopes list`	List all scopes
`cx iam scopes get <id>`	Get a scope definition
`cx iam scopes create --from-file`	Create a scope
`cx iam scopes update --from-file`	Update a scope
`cx iam scopes delete <id>`	Delete a scope

Users & Groups

Command	Purpose
`cx iam users search`	Search users (optional `--query`, `--status`)
`cx iam users get <user-id>`	Get a single user
`cx iam users create --from-file`	Create user(s)
`cx iam users update --from-file`	Update user(s)
`cx iam users set-status --user-ids <id> --status ACTIVE/INACTIVE`	Activate/deactivate users
`cx iam groups list`	List all team groups
`cx iam groups get <id>`	Get a group by ID
`cx iam groups get-by-name <name>`	Get a group by name
`cx iam groups users <group-id>`	List users in a group
`cx iam groups create --from-file`	Create a group
`cx iam groups update --from-file <id>`	Update a group
`cx iam groups delete <id>`	Delete a group

SAML & IP Access

Command	Purpose
`cx iam saml get`	Get SAML configuration
`cx iam saml sp-params`	Get service provider parameters
`cx iam saml set-idp --from-file`	Set IDP parameters
`cx iam saml set-active --active true/false`	Activate/deactivate SAML
`cx iam ip-access get`	Get IP access settings
`cx iam ip-access create --from-file`	Create IP access rules
`cx iam ip-access update --from-file`	Update IP access rules
`cx iam ip-access delete`	Delete IP access settings

All commands support -o json for structured output and -p <profile> for profile selection.

Access Audit Workflow

Use this workflow to produce a comprehensive access report:

Step 1: List All Users

cx iam users search -o json
cx iam users search -o json | jq '[.[] | {id, name: .user_name, status, role_ids}]'

Step 2: List Roles

cx iam roles list -o json
cx iam roles system -o json

Cross-reference user role IDs with role definitions to understand permissions.

Step 3: List Groups and Memberships

cx iam groups list -o json
cx iam groups list -o json | jq '[.[] | {id, name, member_count: (.members | length)}]'

For each group, check members:

cx iam groups users <group-id> -o json

Step 4: Inventory API Keys

cx iam api-keys list -o json
cx iam api-keys admin list -o json
cx iam api-keys send-data-keys -o json

Identify old or unused keys:

cx iam api-keys list -o json | jq '[.[] | {id, name, created_at, active}] | sort_by(.created_at)'

Step 5: Check IP Restrictions

cx iam ip-access get -o json

Step 6: Check SAML Configuration

cx iam saml get -o json
cx iam saml sp-params -o json

Step 7: Cross-Reference

Produce a summary: which users have admin roles, which API keys are old, which groups have broad access.

API Key Rotation

Safe key rotation workflow:

List current keys: cx iam api-keys list -o json
Identify keys to rotate: filter by age or name
Create replacement key: cx iam api-keys create --from-file new-key.json --yes (after user approval)
Deploy the new key to all systems using the old key
Verify the new key works in all integrations
Delete the old key: cx iam api-keys delete <old-key-id> --yes (after user approval)

WARNING: Never delete an API key before its replacement is deployed and verified. Deleting an active key immediately breaks all integrations using it.

Safety Callouts

Deleting API keys breaks any integration using that key immediately. Always create a replacement first.

Deactivating users (cx iam users set-status --status INACTIVE) takes effect immediately. The user loses access with no grace period.

Changing SAML configuration (cx iam saml set-idp or cx iam saml set-active) can lock out the entire team if misconfigured. Always verify SP parameters first with cx iam saml sp-params.

Deleting IP access rules (cx iam ip-access delete) removes all IP restrictions immediately, potentially exposing the account.

Key Principles

Audit before modifying - run the full access audit workflow before making changes
Never delete keys without replacement - create new key → deploy → verify → delete old
Use -o json for structured reports - enables jq filtering for precise access analysis
Multi-profile for cross-environment audits - use -p <profile> or --all-profiles to audit staging + production
Template from existing - cx iam roles get <id> -o json > role.json before creating new roles

Related Skills

cx-cost-optimization - review what API keys are used for and whether they're still needed

Repository: coralogix/cx-cli
Commit: defdc4d

Last updated: 2 days ago
Created: 2 days ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.