obsidian-enterprise-rbac
Implement team vault access patterns and role-based controls. Use when managing shared vaults, implementing access controls, or building team collaboration features for Obsidian. Trigger with phrases like "obsidian team", "obsidian access control", "obsidian enterprise", "shared vault permissions".
Install
mkdir -p .claude/skills/obsidian-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6887" && unzip -o skill.zip -d .claude/skills/obsidian-enterprise-rbac && rm skill.zipInstalls to .claude/skills/obsidian-enterprise-rbac
About this skill
Obsidian Enterprise RBAC
Overview
Vault-level access control patterns for Obsidian in team environments. Covers folder-based permissions via .obsidian-permissions files, read-only enforcement for shared vaults, plugin allowlisting, and configuration lockdown through restricted mode.
Prerequisites
- Obsidian desktop app with a shared/synced vault
- Understanding of Obsidian's
.obsidian/configuration directory - A sync mechanism in place (Git, Obsidian Sync, or shared filesystem)
- Node.js 18+ for scripted permission enforcement
Instructions
Step 1: Define a Permission Model
Create .obsidian-permissions at the vault root. This JSON file maps roles to folder access:
{
"version": 1,
"roles": {
"admin": {
"folders": ["*"],
"permissions": ["read", "write", "delete", "manage"]
},
"editor": {
"folders": ["projects/*", "shared/*", "templates/*"],
"permissions": ["read", "write"]
},
"viewer": {
"folders": ["shared/*", "published/*"],
"permissions": ["read"]
}
},
"users": {
"alice@company.com": "admin",
"bob@company.com": "editor",
"charlie@company.com": "viewer"
}
}
Obsidian itself has no built-in RBAC, so this file is consumed by a custom plugin that intercepts file operations.
Step 2: Build the Permission Checker Plugin
Create a plugin that reads .obsidian-permissions and gates vault operations:
import { Plugin, TFile, Notice } from 'obsidian';
interface PermissionConfig {
version: number;
roles: Record<string, { folders: string[]; permissions: string[] }>;
users: Record<string, string>;
}
export default class RBACPlugin extends Plugin {
private config: PermissionConfig | null = null;
private currentUser: string = '';
async onload() {
await this.loadPermissions();
// Intercept file modifications
this.registerEvent(
this.app.vault.on('modify', (file) => {
if (!this.canWrite(file.path)) {
new Notice(`Permission denied: ${file.path} is read-only for your role`);
}
})
);
// Intercept file creation
this.registerEvent(
this.app.vault.on('create', (file) => {
if (file instanceof TFile && !this.canWrite(file.parent?.path ?? '/')) {
new Notice(`Permission denied: cannot create files in ${file.parent?.path}`);
// Move to user's writable area or delete
this.app.vault.delete(file);
}
})
);
}
private async loadPermissions() {
const permFile = this.app.vault.getAbstractFileByPath('.obsidian-permissions');
if (permFile instanceof TFile) {
const content = await this.app.vault.read(permFile);
this.config = JSON.parse(content);
}
// Identify current user from plugin settings or environment
const data = await this.loadData();
this.currentUser = data?.userEmail ?? '';
}
private canWrite(path: string): boolean {
if (!this.config || !this.currentUser) return true; // Fail open if no config
const role = this.config.users[this.currentUser];
if (!role) return false;
const roleDef = this.config.roles[role];
if (!roleDef) return false;
if (!roleDef.permissions.includes('write')) return false;
return roleDef.folders.some(pattern => {
if (pattern === '*') return true;
const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
return regex.test(path);
});
}
}
Step 3: Enforce Read-Only Mode on Shared Vaults
For vaults where most users should only read, set restricted mode in .obsidian/app.json:
{
"strictLineBreaks": false,
"readableLineLength": true,
"vimMode": false,
"livePreview": true
}
Then in your RBAC plugin, enforce read-only for non-editor roles by overriding the editor:
// In onload(), after permission check:
if (!this.canWrite('/')) {
// Disable editing commands
this.registerEvent(
this.app.workspace.on('editor-change', (editor) => {
// Revert changes for read-only users
editor.undo();
new Notice('This vault is read-only for your role.');
})
);
}
Step 4: Plugin Allowlisting
Lock down which community plugins can be enabled. Edit .obsidian/community-plugins.json to contain only approved plugins:
["obsidian-git", "dataview", "templater-obsidian", "your-rbac-plugin"]
Then protect this file from modification by non-admins. In your RBAC plugin, watch for changes:
this.registerEvent(
this.app.vault.on('modify', async (file) => {
if (file.path === '.obsidian/community-plugins.json') {
const role = this.config?.users[this.currentUser];
if (role !== 'admin') {
// Restore the approved list
const approved = await this.loadData();
await this.app.vault.modify(
file as TFile,
JSON.stringify(approved.allowedPlugins)
);
new Notice('Only admins can modify the plugin allowlist.');
}
}
})
);
Step 5: Configuration Lockdown via Restricted Mode
Obsidian's restricted mode disables all community plugins. For enterprise deployments, combine this with a config lockdown:
// Store a hash of critical config files at deploy time
const LOCKED_CONFIGS = [
'.obsidian/app.json',
'.obsidian/appearance.json',
'.obsidian/hotkeys.json',
'.obsidian/community-plugins.json',
];
async lockdownConfigs() {
const hashes: Record<string, string> = {};
for (const path of LOCKED_CONFIGS) {
const file = this.app.vault.getAbstractFileByPath(path);
if (file instanceof TFile) {
const content = await this.app.vault.read(file);
hashes[path] = await this.hash(content);
}
}
await this.saveData({ ...await this.loadData(), configHashes: hashes });
}
async verifyConfigs(): Promise<string[]> {
const data = await this.loadData();
const violations: string[] = [];
for (const [path, expectedHash] of Object.entries(data.configHashes ?? {})) {
const file = this.app.vault.getAbstractFileByPath(path);
if (file instanceof TFile) {
const content = await this.app.vault.read(file);
const actual = await this.hash(content);
if (actual !== expectedHash) {
violations.push(path);
}
}
}
return violations;
}
private async hash(content: string): Promise<string> {
const encoder = new TextEncoder();
const data = encoder.encode(content);
const buf = await crypto.subtle.digest('SHA-256', data);
return Array.from(new Uint8Array(buf)).map(b => b.toString(16).padStart(2, '0')).join('');
}
Run verifyConfigs() on plugin load and periodically. Alert admins if violations are detected.
Output
.obsidian-permissionsfile defining roles, folder access, and user mappings- RBAC plugin that intercepts create/modify/delete operations
- Read-only enforcement for non-editor roles
- Plugin allowlist protection in
community-plugins.json - Configuration lockdown with hash verification for critical
.obsidian/files
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| Permission denied on all files | User email not set in plugin settings | Open RBAC plugin settings, enter your email |
| Allowlist keeps resetting | Non-admin edited community-plugins.json | Only admins can modify; check audit log |
| Config hash mismatch on every load | Config changed legitimately | Admin runs lockdownConfigs() to update hashes |
| Plugin not intercepting writes | Event handler registration failed | Check console for plugin load errors |
Sync conflicts on .obsidian-permissions | Multiple admins editing simultaneously | Use Git with merge strategy or Obsidian Sync |
Examples
Team vault with three roles: Deploy the .obsidian-permissions file above. Set each user's email in the RBAC plugin settings. Editors can modify projects/ and shared/ folders; viewers can only read shared/ and published/.
Locked-down training vault: Set all users to viewer role except instructors (editor). Lock config files with lockdownConfigs(). Students can read all materials but cannot modify notes or install plugins.
Plugin governance: Maintain an allowlist of 5 approved plugins in community-plugins.json. The RBAC plugin reverts any unauthorized additions. New plugin requests go through admin approval.
Resources
- Obsidian Plugin API - Vault Events
- Obsidian Sync for Teams
- RBAC Concepts
- Obsidian Git Plugin -- version control for shared vaults
Next Steps
For data backup and sync patterns, see obsidian-data-handling. For multi-environment testing of RBAC rules, see obsidian-multi-env-setup.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
Figma ContextUnlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work
ObsidianEasily access and modify notes in your Obsidian vaults using a REST API. Integrate Obsidian features seamlessly into you
Microsoft MCP ServersCatalog of official Microsoft MCP server implementations. Access Azure, Microsoft 365, Dynamics 365, Power Platform, and
shadcn/uiAccess shadcn/ui v4 components, blocks, and demos for rapid React UI library development. Seamless integration and sourc
Microsoft DocsAccess official Microsoft Docs instantly for up-to-date info. Integrates with ms word and ms word online for seamless wo
Read MySQLSecurely join MySQL databases with Read MySQL for read-only query access and in-depth data analysis.
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.