CtrlK
BlogDocsLog inGet started
Tessl Logo

granola-enterprise-rbac

Configure enterprise role-based access control for Granola workspaces. Use when defining user roles, setting sharing permissions, configuring SSO group mappings, or implementing least-privilege access for meeting data. Trigger: "granola roles", "granola permissions", "granola access control", "granola RBAC", "granola admin roles".

78

Quality

75%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/saas-packs/granola-pack/skills/granola-enterprise-rbac/SKILL.md
SKILL.md
Quality
Evals
Security

Granola Enterprise RBAC

Overview

Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.

Prerequisites

  • Granola Enterprise plan ($35+/user/month)
  • Organization admin access
  • SSO configured (Okta, Azure AD, or Google Workspace)
  • SCIM provisioning enabled (recommended for automated role assignment)

Instructions

Step 1 — Understand the Role Hierarchy

Organization Owner (1-2 people)
  │   Full control: billing, SSO, org settings, all workspaces
  │
  ├── Workspace Admin (per department)
  │     Manage workspace: members, integrations, settings
  │     All member capabilities
  │
  ├── Team Lead
  │     View team analytics, manage folder structure
  │     All member capabilities
  │
  ├── Member (default role)
  │     Create notes, share internally, use integrations
  │
  ├── Viewer
  │     Read-only access to shared notes
  │     Cannot create or record meetings
  │
  └── Guest (external)
      Single workspace access, read-only
      Time-limited (30-day default expiration)

Step 2 — Permission Matrix

PermissionOwnerWS AdminLeadMemberViewerGuest
Record meetingsYesYesYesYesNoNo
Create notesYesYesYesYesNoNo
Share internallyYesYesYesYesNoNo
Share externallyYesYesPolicyPolicyNoNo
View shared notesYesYesYesYesYesYes
Manage integrationsYesYesNoNoNoNo
Manage membersYesYesNoNoNoNo
View analyticsYesYesYesNoNoNo
Configure retentionYesYesNoNoNoNo
Manage billingYesNoNoNoNoNo
Configure SSO/SCIMYesNoNoNoNoNo

Step 3 — Map SSO Groups to Roles

Configure in Organization Settings > Security > SSO > Group Mapping:

SSO Group (IdP)Granola WorkspaceGranola Role
engineering-allEngineeringMember
engineering-leadsEngineeringAdmin
sales-teamSalesMember
sales-managersSalesAdmin
product-teamProductMember
hr-teamHRMember
hr-directorsHRAdmin
executivesExecutiveAdmin
contractors-engEngineeringGuest

Multi-workspace membership: A user can belong to multiple workspaces with different roles:

  • Sarah Chen: Engineering (Member) + Product (Admin) + Executive (Viewer)
  • Mike Johnson: Sales (Admin) + Engineering (Guest for cross-team visibility)

Step 4 — Configure Sharing Policies

Set per-workspace sharing rules to control data flow:

Standard workspaces (Engineering, Product, Sales):

Workspace Settings > Sharing:
  Internal sharing: Automatic within workspace members
  Cross-workspace: Allowed with admin approval
  External sharing: Allowed with link expiration (30 days)
  Public links: Disabled

Confidential workspaces (HR, Executive):

Workspace Settings > Sharing:
  Internal sharing: Manual only (no auto-share)
  Cross-workspace: Disabled
  External sharing: Disabled
  Public links: Disabled
  Note visibility: Creator + explicitly added viewers only

Step 5 — Implement Least Privilege

Follow the principle of least privilege for role assignments:

  1. Default new users to Member — sufficient for 90% of use cases
  2. Promote to Admin only for workspace managers — IT leads, department heads
  3. Use Viewer for stakeholders who need to read notes but not create them
  4. Time-limit Guest access — 30-day default, renew explicitly
  5. Review access quarterly:
## Quarterly Access Review Checklist

- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns

Step 6 — Enable Audit Logging

Enterprise audit logging captures:

EventWhat's Logged
User loginWho, when, from where (IP)
Note createdCreator, meeting, workspace
Note sharedSharer, recipient, method (Slack/Notion/link)
Note exportedWho exported, which note
Role changedAdmin, user affected, old role → new role
Integration connected/disconnectedWho, which integration
Workspace settings changedAdmin, what changed

Access audit logs: Organization Settings > Security > Audit Log

Export audit logs for SIEM integration (Enterprise):

  • Granola can export audit events to external systems
  • Contact Granola support for Splunk/Datadog/SIEM integration

Step 7 — Handle User Lifecycle

Onboarding:

  1. User added to SSO group → SCIM provisions account → JIT assigns workspace + role
  2. First login: SSO authenticates, Granola provisions based on group mapping
  3. User can immediately record meetings in assigned workspaces

Role change:

  1. Update SSO group membership in IdP
  2. SCIM sync updates Granola role (within sync interval, typically 1-15 min)
  3. Or manually: Workspace Settings > Members > change role

Offboarding:

  1. Disable user in IdP → SCIM deactivates Granola account
  2. User loses access immediately
  3. Their shared notes remain visible to workspace members
  4. Their private notes are inaccessible (retained per retention policy)
  5. Reassign ownership of shared folders if needed

Output

  • Role hierarchy defined and documented
  • SSO group mappings configured for automated provisioning
  • Per-workspace sharing policies enforced
  • Audit logging enabled with SIEM export (if applicable)
  • User lifecycle procedures (onboard/offboard) established
  • Quarterly access review cadence scheduled

Error Handling

ErrorCauseFix
User can't access workspaceWrong SSO groupVerify IdP group membership
External sharing blocked unexpectedlyWorkspace policy overrideReview workspace sharing settings
Guest access expired30-day time limitRe-invite the guest or extend expiration
SCIM sync delayedIdP sync interval too longTrigger manual sync in IdP, or adjust interval
Orphaned accounts after terminationSCIM deprovisioning not configuredEnable deprovisioning in SCIM settings

Resources

  • Security Standards
  • Privacy & Data FAQs
  • Enterprise API (admin access)

Next Steps

Proceed to granola-migration-deep-dive for migrating from other meeting note tools.

Repository
jeremylongshore/claude-code-plugins-plus-skills
Commit

70e9fa4

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill