CtrlK
BlogDocsLog inGet started
Tessl Logo

granola-multi-env-setup

Configure Granola across multiple workspaces and teams with SSO/SCIM provisioning. Use when setting up department-level workspaces, configuring user provisioning, or managing enterprise-scale Granola deployments. Trigger: "granola workspaces", "granola multi-team", "granola SSO", "granola SCIM", "granola organization setup".

77

Quality

73%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/saas-packs/granola-pack/skills/granola-multi-env-setup/SKILL.md
SKILL.md
Quality
Evals
Security

Granola Multi-Environment Setup

Overview

Configure Granola for multi-workspace enterprise deployments with SSO-based user provisioning, per-workspace integration configuration, and compliance controls. Each workspace operates as an isolated unit with its own folders, integrations, sharing rules, and retention policies.

Prerequisites

  • Granola Enterprise plan ($35+/user/month)
  • Organization admin access in Granola
  • Identity provider configured (Okta, Azure AD, or Google Workspace)
  • Team structure and workspace plan documented

Instructions

Step 1 — Plan Workspace Structure

Map your organization to Granola workspaces:

WorkspaceOwnerMembersPurpose
EngineeringVP EngineeringAll engineersSprint planning, architecture, standups
SalesVP SalesSales team + SDRsDiscovery calls, demos, pipeline reviews
ProductHead of ProductPMs + designersCustomer feedback, design reviews, PRDs
Customer SuccessCS LeadCS managersOnboarding calls, QBRs, escalations
HRHR DirectorHR teamInterviews, 1-on-1s, performance reviews
ExecutiveCEOC-suiteBoard meetings, strategy, M&A

Step 2 — Create Workspaces

  1. Navigate to Organization Settings > Workspaces
  2. For each workspace:
    • Name: Department name (e.g., "Engineering")
    • Description: Purpose and scope
    • Owner: Department lead (Workspace Admin role)
    • Privacy: Private (members only) or Internal (org-visible)
    • Default sharing: Private for new notes

Step 3 — Configure SSO and User Provisioning

SSO Setup (Okta example):

  1. Organization Settings > Security > SSO
  2. Choose SAML 2.0 or OIDC
  3. Configure in your IdP:
    • Entity ID: https://app.granola.ai/sso/{org-slug}
    • ACS URL: https://app.granola.ai/sso/callback
    • Name ID: Email address
  4. Test with a pilot user before enforcing org-wide

SCIM Provisioning:

  1. Organization Settings > Security > SCIM
  2. Generate SCIM token
  3. Configure in your IdP:
    • SCIM endpoint: https://api.granola.ai/scim/v2/{org-id}
    • Bearer token: Generated in step 2
  4. Map IdP groups to Granola workspaces and roles:
IdP GroupGranola WorkspaceRole
granola-engineeringEngineeringMember
granola-engineering-leadsEngineeringAdmin
granola-salesSalesMember
granola-hrHRMember
granola-executivesExecutiveAdmin

Just-in-Time (JIT) Provisioning: Enable JIT so users are auto-provisioned on first SSO login without manual invitation. Map their IdP groups to workspace membership.

Step 4 — Configure Per-Workspace Integrations

Each workspace can have independent integration configurations:

WorkspaceSlack ChannelCRMNotion DatabaseTask Tool
Engineering#eng-meetingsEngineering WikiLinear
Sales#sales-notesHubSpotSales Playbook
Product#product-feedbackProduct InsightsLinear
Customer Success#cs-updatesAttioCS Knowledge Base
HR(none)(none)
Executive(none)Private Board DB

Configure in each workspace: Settings > Integrations. Each workspace's integrations are independent — connecting Slack in Engineering does not affect Sales.

Step 5 — Set Compliance Controls Per Workspace

WorkspaceData Retention (Notes)Data Retention (Transcripts)External SharingAudit Logging
Engineering2 years90 daysAllowed (admin approval)On
Sales1 year90 daysAllowed (for client follow-up)On
Product2 years90 daysAllowed (admin approval)On
HR90 days30 daysProhibitedOn
ExecutiveCustom (legal hold)30 daysProhibitedOn

Sensitive workspace hardening (HR, Executive):

Workspace Settings > Security:
  External sharing: Disabled
  Public links: Disabled
  Link expiration: 7 days (if any sharing enabled)
  MFA required: Yes (beyond SSO)
  Session timeout: 4 hours
  AI training opt-out: Enforced
  IP allowlist: Enabled (office IPs only)

Step 6 — Role Hierarchy and Permissions

RoleCreate NotesShare InternallyShare ExternallyManage MembersManage Settings
Org OwnerYesYesYesYes (all workspaces)Yes (org-level)
Workspace AdminYesYesYes (if policy allows)Yes (own workspace)Yes (workspace)
Team LeadYesYesYes (if policy allows)View onlyNo
MemberYesYesNo (unless admin approves)NoNo
ViewerNoRead-onlyNoNoNo
GuestNoSingle workspace readNoNoNo

Step 7 — Validate and Monitor

Validation checklist:

  • All workspaces created with correct owners
  • SSO login tested with users from each IdP group
  • SCIM sync verified (user added to IdP group → appears in workspace)
  • Per-workspace integrations tested with sample meetings
  • Compliance settings verified for sensitive workspaces (HR, Executive)
  • Cross-workspace search working for admin users
  • Audit logs capturing expected events

Ongoing monitoring:

  • Monthly: Review workspace membership, deactivate departed users
  • Quarterly: Access review across all workspaces (principle of least privilege)
  • Annual: Re-certify compliance settings, update retention policies

Output

  • Multi-workspace topology deployed and configured
  • SSO and SCIM provisioning operational
  • Per-workspace integrations connected and tested
  • Compliance controls applied with sensitive workspace hardening
  • Role hierarchy documented and enforced

Error Handling

ErrorCauseFix
User lands in wrong workspaceSSO group mapping incorrectFix IdP group → workspace mapping
SCIM sync failsToken expired or endpoint wrongRegenerate SCIM token, verify endpoint URL
Cross-workspace notes invisibleUser not added to target workspaceAdd user to workspace or grant Viewer role
Integration not syncing in workspaceConnected to different workspaceReconnect integration within the correct workspace context
JIT provisioning creates duplicate usersMultiple IdP groupsConsolidate groups, ensure one user maps to one account

Resources

  • Granola Enterprise
  • Signing In and Calendar Connection
  • Sign In with Microsoft
  • Security Standards

Next Steps

Proceed to granola-observability for meeting analytics and monitoring.

Repository
jeremylongshore/claude-code-plugins-plus-skills
Commit

70e9fa4

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill