posthog-enterprise-rbac
Configure PostHog enterprise SSO, role-based access control, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for PostHog. Trigger with phrases like "posthog SSO", "posthog RBAC", "posthog enterprise", "posthog roles", "posthog permissions", "posthog SAML".
Install
mkdir -p .claude/skills/posthog-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/3833" && unzip -o skill.zip -d .claude/skills/posthog-enterprise-rbac && rm skill.zipInstalls to .claude/skills/posthog-enterprise-rbac
About this skill
PostHog Enterprise RBAC
Overview
PostHog access control uses a three-level hierarchy: Organization > Project > Resource. Organizations contain multiple projects (e.g., production, staging), and each project has its own data, feature flags, and dashboards. Members are assigned roles at the organization level and can be restricted to specific projects.
Prerequisites
- PostHog Cloud or self-hosted with enterprise license
- Organization admin role
- Multiple projects configured (one per environment)
Access Control Model
| Level | Scope | Controls |
|---|---|---|
| Organization | All projects | Member management, billing, SSO enforcement |
| Project | Single project | Feature flags, insights, dashboards, session recordings |
| API Key | Scoped operations | Personal API key with specific scopes |
Member Roles:
| Role | Level | Permissions |
|---|---|---|
| Owner | 15 | Full admin, billing, delete org |
| Admin | 8 | Manage members, all project settings |
| Member | 1 | View/create insights, flags, recordings |
Instructions
Step 1: Set Up Project-Level Access
set -euo pipefail
# Create a production project with access control
curl -X POST "https://app.posthog.com/api/organizations/$ORG_ID/projects/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "Production", "access_control": true}'
# Add a member to a specific project (level 1 = Member, 8 = Admin)
curl -X POST "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"user_id": "USER_UUID", "level": 1}'
# List current project members
curl "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '.results[] | {email: .user.email, level, joined_at}'
Step 2: Create Scoped API Keys
set -euo pipefail
# Read-only key for BI dashboard integration
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "bi-dashboard-readonly",
"scopes": ["insight:read", "dashboard:read", "query:read"]
}'
# Feature flag service key (read + write flags only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "flag-service",
"scopes": ["feature_flag:read", "feature_flag:write"]
}'
# Event export key (read events only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "data-export-readonly",
"scopes": ["event:read", "query:read"]
}'
# List all personal API keys
curl "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '.[] | {id, label, scopes, created_at}'
Step 3: Configure SSO (Enterprise)
PostHog enterprise supports SAML 2.0 SSO. Configuration is in Organization Settings > Authentication:
- Enable SAML: Add your IdP metadata URL (e.g., Okta, Azure AD, Google Workspace)
- Enforce SSO: Toggle "Enforce SSO" to require all members to authenticate via IdP
- Auto-provisioning: New IdP users are automatically created in PostHog with Member role
- Group mapping: Map IdP groups to PostHog organization roles
set -euo pipefail
# Check SSO configuration status
curl "https://app.posthog.com/api/organizations/$ORG_ID/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '{
enforce_sso: .enforce_sso,
saml_configured: (.saml_enforcement != null),
member_count: .membership_count
}'
Step 4: Audit Access and Changes
set -euo pipefail
# View recent activity log for permission changes
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=Organization" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '[.results[] | select(.activity | contains("member") or contains("role") or contains("api_key")) | {
user: .user.email,
activity,
detail: .detail,
created_at
}] | .[:10]'
# View feature flag changes (who changed what)
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=FeatureFlag" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '[.results[:10][] | {
user: .user.email,
activity,
item_id: .item_id,
created_at
}]'
Step 5: Access Matrix
# Recommended access matrix
access_matrix:
engineering:
staging_project:
role: admin # Full control in staging
can_create_flags: true
can_delete_flags: true
production_project:
role: member # Read + create, no delete in prod
can_create_flags: true
can_delete_flags: false # Require admin approval for flag deletion
product:
staging_project:
role: member
can_view_recordings: true
can_create_insights: true
production_project:
role: member
can_view_recordings: true
can_create_insights: true
bi_service_account:
production_project:
api_key_scopes: [insight:read, dashboard:read, query:read]
# No write access
flag_service_account:
production_project:
api_key_scopes: [feature_flag:read, feature_flag:write]
# Only flag operations
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| 403 on feature flag endpoint | Key missing required scope | Create key with feature_flag:read scope |
| Member sees prod data | Project access not restricted | Remove from prod project, add to staging only |
| SSO bypass possible | SSO not enforced | Enable "Enforce SSO" in org settings |
| Can't create scoped key | Not org admin | Only admins can create API keys |
| Activity log gaps | Self-hosted log rotation | Increase log retention in PostHog config |
Output
- Project-level member access configured
- Scoped API keys for services (BI, flag service, export)
- SSO/SAML enforcement enabled
- Activity audit log queries
- Access matrix documented
Resources
Next Steps
For migration strategies, see posthog-migration-deep-dive.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
SlackPowerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data
Azure AllSupercharge AI platforms with Azure MCP Server for seamless Azure API Management and resource automation. Public Preview
NetlifyEffortlessly manage Netlify projects with AI using the Netlify MCP Server—automate deployment, sites, and more via natur
Okta MCP ServerOfficial Okta MCP server for managing identity and access management through AI. Automate user provisioning, group manag
Docy (Documentation Access)Docy (Documentation Access) delivers real-time search and navigation of technical documentation without leaving your con
Windows ScreenshotsEasily access and manage Windows Screenshots from WSL2. List and retrieve screenshots with metadata, paths, or base64 co
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.