Ctrl + K

exa-enterprise-rbac

tessl install github:jeremylongshore/claude-code-plugins-plus-skills --skill exa-enterprise-rbac

github.com/jeremylongshore/claude-code-plugins-plus-skills

Configure Exa enterprise SSO, role-based access control, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Exa. Trigger with phrases like "exa SSO", "exa RBAC", "exa enterprise", "exa roles", "exa permissions", "exa SAML".

Review Score

81%

Validation Score

12/16

Implementation Score

65%

Activation Score

100%

Exa Enterprise RBAC

Overview

Configure enterprise-grade access control for Exa integrations.

Prerequisites

Exa Enterprise tier subscription
Identity Provider (IdP) with SAML/OIDC support
Understanding of role-based access patterns
Audit logging infrastructure

Role Definitions

Role	Permissions	Use Case
Admin	Full access	Platform administrators
Developer	Read/write, no delete	Active development
Viewer	Read-only	Stakeholders, auditors
Service	API access only	Automated systems

Role Implementation

enum ExaRole {
  Admin = 'admin',
  Developer = 'developer',
  Viewer = 'viewer',
  Service = 'service',
}

interface ExaPermissions {
  read: boolean;
  write: boolean;
  delete: boolean;
  admin: boolean;
}

const ROLE_PERMISSIONS: Record<ExaRole, ExaPermissions> = {
  admin: { read: true, write: true, delete: true, admin: true },
  developer: { read: true, write: true, delete: false, admin: false },
  viewer: { read: true, write: false, delete: false, admin: false },
  service: { read: true, write: true, delete: false, admin: false },
};

function checkPermission(
  role: ExaRole,
  action: keyof ExaPermissions
): boolean {
  return ROLE_PERMISSIONS[role][action];
}

SSO Integration

SAML Configuration

// Exa SAML setup
const samlConfig = {
  entryPoint: 'https://idp.company.com/saml/sso',
  issuer: 'https://exa.com/saml/metadata',
  cert: process.env.SAML_CERT,
  callbackUrl: 'https://app.yourcompany.com/auth/exa/callback',
};

// Map IdP groups to Exa roles
const groupRoleMapping: Record<string, ExaRole> = {
  'Engineering': ExaRole.Developer,
  'Platform-Admins': ExaRole.Admin,
  'Data-Team': ExaRole.Viewer,
};

OAuth2/OIDC Integration

import { OAuth2Client } from '@exa/sdk';

const oauthClient = new OAuth2Client({
  clientId: process.env.EXA_OAUTH_CLIENT_ID!,
  clientSecret: process.env.EXA_OAUTH_CLIENT_SECRET!,
  redirectUri: 'https://app.yourcompany.com/auth/exa/callback',
  scopes: ['read', 'write'],
});

Organization Management

interface ExaOrganization {
  id: string;
  name: string;
  ssoEnabled: boolean;
  enforceSso: boolean;
  allowedDomains: string[];
  defaultRole: ExaRole;
}

async function createOrganization(
  config: ExaOrganization
): Promise<void> {
  await exaClient.organizations.create({
    ...config,
    settings: {
      sso: {
        enabled: config.ssoEnabled,
        enforced: config.enforceSso,
        domains: config.allowedDomains,
      },
    },
  });
}

Access Control Middleware

function requireExaPermission(
  requiredPermission: keyof ExaPermissions
) {
  return async (req: Request, res: Response, next: NextFunction) => {
    const user = req.user as { exaRole: ExaRole };

    if (!checkPermission(user.exaRole, requiredPermission)) {
      return res.status(403).json({
        error: 'Forbidden',
        message: `Missing permission: ${requiredPermission}`,
      });
    }

    next();
  };
}

// Usage
app.delete('/exa/resource/:id',
  requireExaPermission('delete'),
  deleteResourceHandler
);

Audit Trail

interface ExaAuditEntry {
  timestamp: Date;
  userId: string;
  role: ExaRole;
  action: string;
  resource: string;
  success: boolean;
  ipAddress: string;
}

async function logExaAccess(entry: ExaAuditEntry): Promise<void> {
  await auditDb.insert(entry);

  // Alert on suspicious activity
  if (entry.action === 'delete' && !entry.success) {
    await alertOnSuspiciousActivity(entry);
  }
}

Instructions

Step 1: Define Roles

Map organizational roles to Exa permissions.

Step 2: Configure SSO

Set up SAML or OIDC integration with your IdP.

Step 3: Implement Middleware

Add permission checks to API endpoints.

Step 4: Enable Audit Logging

Track all access for compliance.

Output

Role definitions implemented
SSO integration configured
Permission middleware active
Audit trail enabled

Error Handling

Issue	Cause	Solution
SSO login fails	Wrong callback URL	Verify IdP config
Permission denied	Missing role mapping	Update group mappings
Token expired	Short TTL	Refresh token logic
Audit gaps	Async logging failed	Check log pipeline

Examples

Quick Permission Check

if (!checkPermission(user.role, 'write')) {
  throw new ForbiddenError('Write permission required');
}

Resources

Next Steps

For major migrations, see exa-migration-deep-dive.