granola-enterprise-rbac
Enterprise role-based access control for Granola. Use when configuring user roles, setting permissions, or implementing access control policies. Trigger with phrases like "granola roles", "granola permissions", "granola access control", "granola RBAC", "granola admin".
Install
mkdir -p .claude/skills/granola-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6895" && unzip -o skill.zip -d .claude/skills/granola-enterprise-rbac && rm skill.zipInstalls to .claude/skills/granola-enterprise-rbac
About this skill
Granola Enterprise RBAC
Overview
Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.
Prerequisites
- Granola Enterprise plan ($35+/user/month)
- Organization admin access
- SSO configured (Okta, Azure AD, or Google Workspace)
- SCIM provisioning enabled (recommended for automated role assignment)
Instructions
Step 1 — Understand the Role Hierarchy
Organization Owner (1-2 people)
│ Full control: billing, SSO, org settings, all workspaces
│
├── Workspace Admin (per department)
│ Manage workspace: members, integrations, settings
│ All member capabilities
│
├── Team Lead
│ View team analytics, manage folder structure
│ All member capabilities
│
├── Member (default role)
│ Create notes, share internally, use integrations
│
├── Viewer
│ Read-only access to shared notes
│ Cannot create or record meetings
│
└── Guest (external)
Single workspace access, read-only
Time-limited (30-day default expiration)
Step 2 — Permission Matrix
| Permission | Owner | WS Admin | Lead | Member | Viewer | Guest |
|---|---|---|---|---|---|---|
| Record meetings | Yes | Yes | Yes | Yes | No | No |
| Create notes | Yes | Yes | Yes | Yes | No | No |
| Share internally | Yes | Yes | Yes | Yes | No | No |
| Share externally | Yes | Yes | Policy | Policy | No | No |
| View shared notes | Yes | Yes | Yes | Yes | Yes | Yes |
| Manage integrations | Yes | Yes | No | No | No | No |
| Manage members | Yes | Yes | No | No | No | No |
| View analytics | Yes | Yes | Yes | No | No | No |
| Configure retention | Yes | Yes | No | No | No | No |
| Manage billing | Yes | No | No | No | No | No |
| Configure SSO/SCIM | Yes | No | No | No | No | No |
Step 3 — Map SSO Groups to Roles
Configure in Organization Settings > Security > SSO > Group Mapping:
| SSO Group (IdP) | Granola Workspace | Granola Role |
|---|---|---|
engineering-all | Engineering | Member |
engineering-leads | Engineering | Admin |
sales-team | Sales | Member |
sales-managers | Sales | Admin |
product-team | Product | Member |
hr-team | HR | Member |
hr-directors | HR | Admin |
executives | Executive | Admin |
contractors-eng | Engineering | Guest |
Multi-workspace membership: A user can belong to multiple workspaces with different roles:
- Sarah Chen: Engineering (Member) + Product (Admin) + Executive (Viewer)
- Mike Johnson: Sales (Admin) + Engineering (Guest for cross-team visibility)
Step 4 — Configure Sharing Policies
Set per-workspace sharing rules to control data flow:
Standard workspaces (Engineering, Product, Sales):
Workspace Settings > Sharing:
Internal sharing: Automatic within workspace members
Cross-workspace: Allowed with admin approval
External sharing: Allowed with link expiration (30 days)
Public links: Disabled
Confidential workspaces (HR, Executive):
Workspace Settings > Sharing:
Internal sharing: Manual only (no auto-share)
Cross-workspace: Disabled
External sharing: Disabled
Public links: Disabled
Note visibility: Creator + explicitly added viewers only
Step 5 — Implement Least Privilege
Follow the principle of least privilege for role assignments:
- Default new users to Member — sufficient for 90% of use cases
- Promote to Admin only for workspace managers — IT leads, department heads
- Use Viewer for stakeholders who need to read notes but not create them
- Time-limit Guest access — 30-day default, renew explicitly
- Review access quarterly:
## Quarterly Access Review Checklist
- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns
Step 6 — Enable Audit Logging
Enterprise audit logging captures:
| Event | What's Logged |
|---|---|
| User login | Who, when, from where (IP) |
| Note created | Creator, meeting, workspace |
| Note shared | Sharer, recipient, method (Slack/Notion/link) |
| Note exported | Who exported, which note |
| Role changed | Admin, user affected, old role → new role |
| Integration connected/disconnected | Who, which integration |
| Workspace settings changed | Admin, what changed |
Access audit logs: Organization Settings > Security > Audit Log
Export audit logs for SIEM integration (Enterprise):
- Granola can export audit events to external systems
- Contact Granola support for Splunk/Datadog/SIEM integration
Step 7 — Handle User Lifecycle
Onboarding:
- User added to SSO group → SCIM provisions account → JIT assigns workspace + role
- First login: SSO authenticates, Granola provisions based on group mapping
- User can immediately record meetings in assigned workspaces
Role change:
- Update SSO group membership in IdP
- SCIM sync updates Granola role (within sync interval, typically 1-15 min)
- Or manually: Workspace Settings > Members > change role
Offboarding:
- Disable user in IdP → SCIM deactivates Granola account
- User loses access immediately
- Their shared notes remain visible to workspace members
- Their private notes are inaccessible (retained per retention policy)
- Reassign ownership of shared folders if needed
Output
- Role hierarchy defined and documented
- SSO group mappings configured for automated provisioning
- Per-workspace sharing policies enforced
- Audit logging enabled with SIEM export (if applicable)
- User lifecycle procedures (onboard/offboard) established
- Quarterly access review cadence scheduled
Error Handling
| Error | Cause | Fix |
|---|---|---|
| User can't access workspace | Wrong SSO group | Verify IdP group membership |
| External sharing blocked unexpectedly | Workspace policy override | Review workspace sharing settings |
| Guest access expired | 30-day time limit | Re-invite the guest or extend expiration |
| SCIM sync delayed | IdP sync interval too long | Trigger manual sync in IdP, or adjust interval |
| Orphaned accounts after termination | SCIM deprovisioning not configured | Enable deprovisioning in SCIM settings |
Resources
Next Steps
Proceed to granola-migration-deep-dive for migrating from other meeting note tools.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
Okta MCP ServerOfficial Okta MCP server for managing identity and access management through AI. Automate user provisioning, group manag
Chrome DevToolsUse Chrome DevTools for web site test speed, debugging, and performance analysis. The essential chrome developer tools f
BlenderConnect Blender to Claude AI for seamless 3D modeling. Use AI 3D model generator tools for faster, intuitive, interactiv
Chrome MCPChrome extension-based MCP server that exposes browser functionality to AI assistants. Control tabs, capture screenshots
Exa SearchEmpower AI with the Exa MCP Server—an AI research tool for real-time web search, academic data, and smarter, up-to-date
Postgres MCP ProBoost Postgres performance with Postgres MCP Pro—AI-driven index tuning, health checks, and safe, intelligent SQL optimi
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.