granola-multi-env-setup

Granola Multi-Environment Setup

Overview

Configure Granola for multi-workspace enterprise deployments with SSO-based user provisioning, per-workspace integration configuration, and compliance controls. Each workspace operates as an isolated unit with its own folders, integrations, sharing rules, and retention policies.

Prerequisites

• Granola Enterprise plan ($35+/user/month)
• Organization admin access in Granola
• Identity provider configured (Okta, Azure AD, or Google Workspace)
• Team structure and workspace plan documented

Instructions

Step 1 — Plan Workspace Structure

Map your organization to Granola workspaces:

Workspace	Owner	Members	Purpose
Engineering	VP Engineering	All engineers	Sprint planning, architecture, standups
Sales	VP Sales	Sales team + SDRs	Discovery calls, demos, pipeline reviews
Product	Head of Product	PMs + designers	Customer feedback, design reviews, PRDs
Customer Success	CS Lead	CS managers	Onboarding calls, QBRs, escalations
HR	HR Director	HR team	Interviews, 1-on-1s, performance reviews
Executive	CEO	C-suite	Board meetings, strategy, M&A

Step 2 — Create Workspaces

1. Navigate to Organization Settings > Workspaces
2. For each workspace:
   • Name: Department name (e.g., "Engineering")
   • Description: Purpose and scope
   • Owner: Department lead (Workspace Admin role)
   • Privacy: Private (members only) or Internal (org-visible)
   • Default sharing: Private for new notes

Step 3 — Configure SSO and User Provisioning

SSO Setup (Okta example):

1. Organization Settings > Security > SSO
2. Choose SAML 2.0 or OIDC
3. Configure in your IdP:
   • Entity ID: https://app.granola.ai/sso/{org-slug}
   • ACS URL: https://app.granola.ai/sso/callback
   • Name ID: Email address
4. Test with a pilot user before enforcing org-wide

SCIM Provisioning:

1. Organization Settings > Security > SCIM
2. Generate SCIM token
3. Configure in your IdP:
   • SCIM endpoint: https://api.granola.ai/scim/v2/{org-id}
   • Bearer token: Generated in step 2
4. Map IdP groups to Granola workspaces and roles:

IdP Group	Granola Workspace	Role
granola-engineering	Engineering	Member
granola-engineering-leads	Engineering	Admin
granola-sales	Sales	Member
granola-hr	HR	Member
granola-executives	Executive	Admin

Just-in-Time (JIT) Provisioning: Enable JIT so users are auto-provisioned on first SSO login without manual invitation. Map their IdP groups to workspace membership.

Step 4 — Configure Per-Workspace Integrations

Each workspace can have independent integration configurations:

Workspace	Slack Channel	CRM	Notion Database	Task Tool
Engineering	#eng-meetings	—	Engineering Wiki	Linear
Sales	#sales-notes	HubSpot	Sales Playbook	—
Product	#product-feedback	—	Product Insights	Linear
Customer Success	#cs-updates	Attio	CS Knowledge Base	—
HR	(none)	—	(none)	—
Executive	(none)	—	Private Board DB	—

Configure in each workspace: Settings > Integrations. Each workspace's integrations are independent — connecting Slack in Engineering does not affect Sales.

Step 5 — Set Compliance Controls Per Workspace

Workspace	Data Retention (Notes)	Data Retention (Transcripts)	External Sharing	Audit Logging
Engineering	2 years	90 days	Allowed (admin approval)	On
Sales	1 year	90 days	Allowed (for client follow-up)	On
Product	2 years	90 days	Allowed (admin approval)	On
HR	90 days	30 days	Prohibited	On
Executive	Custom (legal hold)	30 days	Prohibited	On

Sensitive workspace hardening (HR, Executive):

Workspace Settings > Security:
  External sharing: Disabled
  Public links: Disabled
  Link expiration: 7 days (if any sharing enabled)
  MFA required: Yes (beyond SSO)
  Session timeout: 4 hours
  AI training opt-out: Enforced
  IP allowlist: Enabled (office IPs only)

Step 6 — Role Hierarchy and Permissions

Role	Create Notes	Share Internally	Share Externally	Manage Members	Manage Settings
Org Owner	Yes	Yes	Yes	Yes (all workspaces)	Yes (org-level)
Workspace Admin	Yes	Yes	Yes (if policy allows)	Yes (own workspace)	Yes (workspace)
Team Lead	Yes	Yes	Yes (if policy allows)	View only	No
Member	Yes	Yes	No (unless admin approves)	No	No
Viewer	No	Read-only	No	No	No
Guest	No	Single workspace read	No	No	No

Step 7 — Validate and Monitor

Validation checklist:

• All workspaces created with correct owners
• SSO login tested with users from each IdP group
• SCIM sync verified (user added to IdP group → appears in workspace)
• Per-workspace integrations tested with sample meetings
• Compliance settings verified for sensitive workspaces (HR, Executive)
• Cross-workspace search working for admin users
• Audit logs capturing expected events

Ongoing monitoring:

• Monthly: Review workspace membership, deactivate departed users
• Quarterly: Access review across all workspaces (principle of least privilege)
• Annual: Re-certify compliance settings, update retention policies

Output

• Multi-workspace topology deployed and configured
• SSO and SCIM provisioning operational
• Per-workspace integrations connected and tested
• Compliance controls applied with sensitive workspace hardening
• Role hierarchy documented and enforced

Error Handling

Error	Cause	Fix
User lands in wrong workspace	SSO group mapping incorrect	Fix IdP group → workspace mapping
SCIM sync fails	Token expired or endpoint wrong	Regenerate SCIM token, verify endpoint URL
Cross-workspace notes invisible	User not added to target workspace	Add user to workspace or grant Viewer role
Integration not syncing in workspace	Connected to different workspace	Reconnect integration within the correct workspace context
JIT provisioning creates duplicate users	Multiple IdP groups	Consolidate groups, ensure one user maps to one account

Resources

• Granola Enterprise
• Signing In and Calendar Connection
• Sign In with Microsoft
• Security Standards

Next Steps

Proceed to granola-observability for meeting analytics and monitoring.