lokalise-enterprise-rbac
Configure Lokalise enterprise SSO, role-based access control, and team management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Lokalise. Trigger with phrases like "lokalise SSO", "lokalise RBAC", "lokalise enterprise", "lokalise roles", "lokalise permissions", "lokalise team".
Install
mkdir -p .claude/skills/lokalise-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6893" && unzip -o skill.zip -d .claude/skills/lokalise-enterprise-rbac && rm skill.zipInstalls to .claude/skills/lokalise-enterprise-rbac
About this skill
Lokalise Enterprise RBAC
Overview
Manage fine-grained access to Lokalise translation projects using its built-in role hierarchy, language-level scoping, contributor groups, and organization-level SSO enforcement. Lokalise has four core roles — owner, admin, manager-level (via admin_rights), and contributor (translator/reviewer) — each configurable per project and per language.
Prerequisites
- Lokalise Team or Enterprise plan (contributor groups and SSO require Team+)
- Owner or Admin role in the Lokalise organization
LOKALISE_API_TOKENenvironment variable set (admin-level token)@lokalise/node-apiSDK orcurl+jqfor REST API access
Instructions
Step 1: Understand the Role Hierarchy
Lokalise uses a flat role model per project, controlled by three boolean flags on each contributor:
| Role | is_admin | is_reviewer | Can translate | Can review | Can manage keys | Can manage contributors |
|---|---|---|---|---|---|---|
| Admin | true | true | Yes | Yes | Yes | Yes |
| Manager | false | true | Yes | Yes | Limited (via admin_rights) | No |
| Reviewer | false | true | Yes | Yes | No | No |
| Translator | false | false | Yes | No | No | No |
At the team level, users are either admin or member. Team admins can create projects and manage billing. Team members can only access projects they are explicitly added to.
Step 2: Add Contributors with Language Scoping
import { LokaliseApi } from '@lokalise/node-api';
const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! });
// Add a translator restricted to French and Spanish only
await lok.contributors().create(PROJECT_ID, [{
email: '[email protected]',
fullname: 'Marie Dupont',
is_admin: false,
is_reviewer: false,
languages: [
{ lang_iso: 'fr', is_writable: true },
{ lang_iso: 'es', is_writable: true },
],
}]);
// Add a reviewer who can review all languages but only translate German
await lok.contributors().create(PROJECT_ID, [{
email: '[email protected]',
fullname: 'Hans Mueller',
is_admin: false,
is_reviewer: true,
languages: [
{ lang_iso: 'de', is_writable: true },
{ lang_iso: 'fr', is_writable: false }, // Can review but not edit
{ lang_iso: 'es', is_writable: false },
],
}]);
Step 3: Manage Team-Level Users and Roles
set -euo pipefail
TEAM_ID="YOUR_TEAM_ID"
# List all team members with their roles
curl -s -X GET "https://api.lokalise.com/api2/teams/${TEAM_ID}/users" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
| jq '.team_users[] | {user_id: .user_id, email: .email, role: .role}'
# Demote a user from admin to member
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/users/USER_ID" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"role": "member"}'
Step 4: Create Contributor Groups for Bulk Management
Groups let you assign the same permissions to multiple people at once. When you add a user to a group, they inherit the group's language scope and role across all projects the group is assigned to.
set -euo pipefail
TEAM_ID="YOUR_TEAM_ID"
# Create a group for APAC translators
curl -s -X POST "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "APAC Translators",
"is_reviewer": false,
"is_admin": false,
"admin_rights": [],
"languages": [
{"lang_iso": "ja", "is_writable": true},
{"lang_iso": "ko", "is_writable": true},
{"lang_iso": "zh_CN", "is_writable": true}
]
}'
# Add a member to the group
GROUP_ID=$(curl -s "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
| jq -r '.groups[] | select(.name == "APAC Translators") | .group_id')
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/members/add" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"users": [12345, 67890]}'
# Assign the group to specific projects
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/projects/add" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"projects": ["PROJECT_ID_1", "PROJECT_ID_2"]}'
Step 5: Configure SSO (Enterprise Plan Only)
SSO is configured in the Lokalise dashboard, not via API. Map your IdP groups to Lokalise roles:
- Navigate to Organization Settings > Single Sign-On
- Select SAML 2.0 and enter your IdP metadata URL
- Map IdP groups to Lokalise roles:
Engineering-Localization-> AdminTranslators-EMEA-> Contributor group "EMEA Translators"Product-Managers-> Reviewer
- Enable Enforce SSO to block password-based login for all org members
- Set Default Role for new SSO users (recommend: member with no project access)
ACS URL format: https://app.lokalise.com/sso/saml/YOUR_TEAM_ID/callback
Step 6: Audit Permissions Regularly
import { LokaliseApi } from '@lokalise/node-api';
const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! });
async function auditPermissions() {
const projects = await lok.projects().list({ limit: 100 });
const report: Array<{project: string; issue: string; detail: string}> = [];
for (const proj of projects.items) {
const contributors = await lok.contributors().list({
project_id: proj.project_id,
limit: 500,
});
// Flag: too many admins
const admins = contributors.items.filter(c => c.is_admin);
if (admins.length > 3) {
report.push({
project: proj.name,
issue: 'Excessive admins',
detail: `${admins.length} admins: ${admins.map(a => a.email).join(', ')}`,
});
}
// Flag: contributors with no language scope (can see all languages)
const unscopedTranslators = contributors.items.filter(
c => !c.is_admin && (!c.languages || c.languages.length === 0)
);
if (unscopedTranslators.length > 0) {
report.push({
project: proj.name,
issue: 'Unscoped contributors',
detail: `${unscopedTranslators.length} users can access all languages`,
});
}
// Respect rate limit
await new Promise(r => setTimeout(r, 200));
}
console.table(report);
return report;
}
await auditPermissions();
Step 7: Set Up Webhook for Access Change Notifications
set -euo pipefail
# Get notified when contributors are added or removed
curl -s -X POST "https://api.lokalise.com/api2/projects/${PROJECT_ID}/webhooks" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"url": "https://hooks.company.com/lokalise-audit",
"events": [
"project.contributor_added",
"project.contributor_deleted",
"project.contributor_added_to_language",
"project.contributor_deleted_from_language"
]
}'
Output
- Contributors added with explicit language scoping (no unscoped access)
- Contributor groups created for bulk role management across projects
- Team-level roles configured (admin vs. member distinction)
- SSO configured with IdP group-to-role mapping (Enterprise)
- Audit script identifying over-privileged users and unscoped contributors
- Webhook configured for access change notifications
Error Handling
| Issue | Cause | Solution |
|---|---|---|
403 on contributor create | Caller lacks Admin role on the project | Use an admin-level token or get elevated by an Owner |
| Translator sees all languages | No languages array set on contributor | Update contributor with explicit language scope array |
| SSO login loop | Mismatched ACS URL | Verify ACS URL matches https://app.lokalise.com/sso/saml/TEAM_ID/callback exactly |
| Cannot remove Owner | Last owner protection | Transfer ownership to another admin first |
400 on group create | admin_rights contains invalid values | Valid values: activity, statistics, settings, manage_keys, manage_screenshots, manage_languages, manage_contributors |
| Group members don't see project | Group not assigned to the project | Use the groups/projects/add endpoint to link them |
Examples
List All Contributors Across All Projects
set -euo pipefail
# Quick CSV export of all contributors and their roles
curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
"https://api.lokalise.com/api2/projects?limit=100" \
| jq -r '.projects[].project_id' \
| while read -r pid; do
curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
"https://api.lokalise.com/api2/projects/${pid}/contributors?limit=500" \
| jq -r --arg pid "$pid" '.contributors[] | [$pid, .email, (.is_admin|tostring), (.is_reviewer|tostring), (.languages|length|tostring)] | @csv'
sleep 0.2
done | sort -t, -k2
Principle of Least Privilege Setup
For a typical project with 3 languages (en, fr, de):
// Product team: admin access for key management
await lok.contributors().create(PROJECT_ID, [{
email: '[email protected]', fullname: 'PM', is_admin: true, is_reviewer: true, languages: [],
}]);
// French translator: only French, translate only
await lok.contributors().create(PROJECT_ID, [{
email: '[email protected]', fullname: 'FR Translator', is_admin: false, is_reviewer: false,
languages: [{ lang_iso: 'fr', is_writable: true }],
}]);
// German reviewer: German write + French read-only for reference
await lok.contributors().create(PROJECT_ID, [{
email: '[email protected]', fullname: 'DE Reviewer', is_admin: false, is_reviewer: true,
languages: [
{ lang_iso: 'de', is_writable: true },
{ lang_iso: 'fr', is_writable: false },
],
}]);
Resources
- [Lokalise Contributors API](https://developers.lokalise.com/reference/
Content truncated.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
pdf-to-markdown
aliceisjustplaying
Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.
Related MCP Servers
Browse all servers
SlackPowerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data
Azure AllSupercharge AI platforms with Azure MCP Server for seamless Azure API Management and resource automation. Public Preview
NetlifyEffortlessly manage Netlify projects with AI using the Netlify MCP Server—automate deployment, sites, and more via natur
Okta MCP ServerOfficial Okta MCP server for managing identity and access management through AI. Automate user provisioning, group manag
Docy (Documentation Access)Docy (Documentation Access) delivers real-time search and navigation of technical documentation without leaving your con
Windows ScreenshotsEasily access and manage Windows Screenshots from WSL2. List and retrieve screenshots with metadata, paths, or base64 co