sentry-enterprise-rbac
Configure enterprise role-based access control in Sentry. Use when setting up team permissions, SSO integration, or managing organizational access. Trigger with phrases like "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup".
Install
```bash
mkdir -p .claude/skills/sentry-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/7954" && unzip -o skill.zip -d .claude/skills/sentry-enterprise-rbac && rm skill.zip
```
Installs to .claude/skills/sentry-enterprise-rbac
About this skill
Sentry Enterprise RBAC
Overview
Configure Sentry's Organization-Team-Project hierarchy, role assignments, SSO/SAML2 federation, SCIM automated provisioning, API token governance, and audit logging. Covers the full enterprise access control lifecycle from initial setup through ongoing compliance monitoring.
Prerequisites
- Sentry Business or Enterprise plan — team-level roles, SSO, SCIM, and audit logs require Business tier or higher
- Organization Owner or Manager role — only these roles can configure auth, teams, and member roles
- Identity Provider access — admin credentials for Okta, Azure AD, or Google Workspace if configuring SSO/SCIM
- Environment variables set:
```bash
export SENTRY_AUTH_TOKEN="sntrys_..."  # Auth token with org:admin, member:admin, team:admin scopes
export SENTRY_ORG="your-org-slug"      # Organization slug from sentry.io/settings/
```
Instructions
Step 1 — Establish the Organization-Team-Project Hierarchy
Sentry's access model flows top-down: Organization > Teams > Projects. Members inherit permissions from their org-level role, then gain project access through team membership.
Organization-level roles define the ceiling of what a member can do:
| Role | Capabilities | Typical Use |
|---|---|---|
| Owner | Full control: billing, auth, members, all settings. Irremovable. | Founding eng, CTO |
| Manager | Manage all teams, projects, and members. No billing access. | Engineering managers |
| Admin | Manage integrations, projects, teams. No member management. | Tech leads, DevOps |
| Member | View data, act on issues, join/leave teams. Default for new users. | Individual contributors |
| Billing | Payment and subscription management only. No technical access. | Finance team |
Team-level roles (Business/Enterprise only) add granularity within teams:
| Team Role | Additional Capabilities |
|---|---|
| Team Admin | Manage team membership, add/remove projects from the team |
| Contributor | View and act on issues in the team's projects |
A member's effective permissions are the union of their org-level role and all team-level roles they hold. A Member with Team Admin on "payments-team" can manage that team but cannot touch org-wide settings.
Create the team structure:
```bash
# Create a team
curl -s -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"slug": "backend-eng", "name": "Backend Engineering"}' \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/teams/" | jq '{slug, name, dateCreated}'

# List all teams with member counts
curl -s -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/teams/" \
  | jq '.[] | {slug, memberCount, hasAccess}'

# Assign a project to a team (grants team members access to that project)
curl -s -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/projects/$SENTRY_ORG/payment-api/teams/backend-eng/"

# Remove a team's access to a project
curl -s -X DELETE \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/projects/$SENTRY_ORG/payment-api/teams/backend-eng/"

# List which teams have access to a project
curl -s -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/projects/$SENTRY_ORG/payment-api/teams/" \
  | jq '.[].slug'
```
Manage team membership:
```bash
# List organization members (get MEMBER_ID values)
curl -s -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/members/" \
  | jq '.[] | {id, email, role, expired}'

# Add a member to a team
curl -s -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/members/$MEMBER_ID/teams/backend-eng/"

# Remove a member from a team
curl -s -X DELETE \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/members/$MEMBER_ID/teams/backend-eng/"

# Update a member's organization role
curl -s -X PUT \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin"}' \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/members/$MEMBER_ID/"
```
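The union rule above (org role plus team roles) is easy to get wrong in an access review, so here is an added example, not part of the skill, that models it over constructed member and project data and answers "who can act on payment-api, and through which path". The capability sets per org role come from the table above; the assumption that only Owner and Manager reach every project while other roles reach projects only through their teams is mine.

```python
from dataclasses import dataclass, field

# Org-role capabilities from the table above. ALL_PROJECT_ROLES is an assumption:
# Owner and Manager reach every project; other roles only via team membership.
ORG_ROLE_CAPS = {
    "owner": {"billing", "auth", "members", "teams", "projects", "integrations", "issues"},
    "manager": {"members", "teams", "projects", "integrations", "issues"},
    "admin": {"teams", "projects", "integrations", "issues"},
    "member": {"issues"},
    "billing": {"billing"},
}
ALL_PROJECT_ROLES = {"owner", "manager"}

@dataclass
class Member:
    email: str
    org_role: str
    team_roles: dict = field(default_factory=dict)  # team slug -> "admin" | "contributor"

def effective_access(m, project_teams):
    """Return (org capabilities, reachable project slugs, teams the member administers)."""
    caps = set(ORG_ROLE_CAPS[m.org_role])
    admin_teams = {t for t, r in m.team_roles.items() if r == "admin"}
    if m.org_role in ALL_PROJECT_ROLES:
        projects = set(project_teams)
    else:
        projects = {p for p, teams in project_teams.items() if teams & set(m.team_roles)}
    return caps, projects, admin_teams

def access_review(members, project_teams, project):
    """For a periodic review: who can act on `project`, and which path grants it."""
    rows = []
    for m in members:
        _, projects, admin_teams = effective_access(m, project_teams)
        if project not in projects:
            continue
        via = [f"team {t} ({'admin' if t in admin_teams else 'contributor'})"
               for t in sorted(project_teams[project]) if t in m.team_roles]
        rows.append((m.email, m.org_role, via or ["org role"]))
    return rows

# Constructed sample data using the team and project slugs from the skill.
PROJECT_TEAMS = {"payment-api": {"backend-eng"}, "web-app": {"frontend", "backend-eng"}}
MEMBERS = [
    Member("alice@example.com", "owner"),
    Member("bob@example.com", "member", {"backend-eng": "admin"}),
    Member("carol@example.com", "member", {"frontend": "contributor"}),
    Member("dave@example.com", "billing"),
]
REVIEW = access_review(MEMBERS, PROJECT_TEAMS, "payment-api")
```

Feeding it the real `/members/` and `/teams/` JSON from the commands above turns it into a repeatable quarterly access review.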
Step 2 — Configure SSO/SAML2 and SCIM Provisioning
SSO centralizes authentication; SCIM automates the user lifecycle. Configure SSO first, then layer SCIM on top.
SSO/SAML2 setup — Okta example:
- In Okta Admin Console, create a new SAML 2.0 application
- Set the Single Sign-On URL to: https://sentry.io/saml/acs/{org_slug}/
- Set the Audience URI (SP Entity ID) to: https://sentry.io/saml/metadata/{org_slug}/
- Configure attribute statements: email = user.email, firstName = user.firstName, lastName = user.lastName
- Download the IdP metadata XML or copy the metadata URL
SSO/SAML2 setup — Azure AD:
- In Azure Portal > Enterprise Applications, add Sentry from the gallery
- Configure SAML SSO with Reply URL: https://sentry.io/saml/acs/{org_slug}/
- Set Identifier (Entity ID): https://sentry.io/saml/metadata/{org_slug}/
- Map claims: emailaddress, givenname, surname
- Download the Federation Metadata XML
SSO/SAML2 setup — Google Workspace:
- In Google Admin > Apps > SAML Apps, add a custom SAML app for Sentry
- Set ACS URL: https://sentry.io/saml/acs/{org_slug}/
- Set Entity ID: https://sentry.io/saml/metadata/{org_slug}/
- Map the email, firstName, and lastName attributes
- Download the IdP metadata
Activate in Sentry:
- Navigate to Organization Settings > Auth
- Click Configure next to SAML2
- Enter the IdP metadata URL or upload the metadata XML
- Click Save then Test SSO Login — verify it redirects and authenticates correctly
- Enable Require SSO to enforce SSO for all organization members
- Optionally set a Default Role for SSO-provisioned users (typically Member)
SCIM provisioning automates user creation, deactivation, and group sync:
SCIM Base URL: https://sentry.io/api/0/organizations/{org_slug}/scim/v2/
Authentication: Bearer token (generated in Sentry's SCIM settings page)
```bash
# Provision a new user via SCIM
curl -s -X POST \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "engineer@company.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": true, "value": "engineer@company.com", "type": "work"}],
    "active": true
  }' \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/scim/v2/Users"

# List SCIM-provisioned users
curl -s -H "Authorization: Bearer $SCIM_TOKEN" \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/scim/v2/Users?count=100" \
  | jq '.Resources[] | {id, userName, active}'

# Deactivate a user via SCIM (sets active to false)
curl -s -X PATCH \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "replace", "value": {"active": false}}]
  }' \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/scim/v2/Users/$SCIM_USER_ID"

# Sync IdP groups to Sentry teams via SCIM Groups
curl -s -X POST \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "backend-eng",
    "members": []
  }' \
  "https://sentry.io/api/0/organizations/$SENTRY_ORG/scim/v2/Groups"
```
SCIM capabilities once connected:
- Auto-create users when assigned in the IdP
- Auto-deactivate users when removed from the IdP group
- Sync team membership from IdP groups to Sentry teams
- No manual user management — the IdP becomes the single source of truth
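The IdP is only the single source of truth if nothing bypasses it: a member invited by hand, or an invite that was never accepted, is invisible to SCIM. This added example (not part of the skill) compares the two listings shown above, `/members/` and `/scim/v2/Users`, over constructed JSON in the same field shapes and buckets the drift, highlighting Owner/Manager/Admin accounts first.

```python
# Constructed sample in the shape of GET .../members/ (jq fields above) and
# the Resources[] entries of GET .../scim/v2/Users.
SENTRY_MEMBERS = [
    {"id": "101", "email": "jane@company.com", "role": "member", "expired": False},
    {"id": "102", "email": "old-contractor@company.com", "role": "admin", "expired": False},
    {"id": "103", "email": "pending@company.com", "role": "member", "expired": True},
    {"id": "104", "email": "manual-owner@company.com", "role": "owner", "expired": False},
    {"id": "105", "email": "svc-bot@company.com", "role": "member", "expired": False},
]
SCIM_USERS = [
    {"id": "201", "userName": "jane@company.com", "active": True},
    {"id": "202", "userName": "old-contractor@company.com", "active": False},
]

PRIVILEGED = ("owner", "manager", "admin")

def scim_drift(members, scim_users):
    """Bucket org members whose state disagrees with the IdP's SCIM view."""
    idp_active = {u["userName"].lower(): u["active"] for u in scim_users}
    report = {"not_in_idp": [], "deactivated_in_idp": [],
              "expired_invites": [], "privileged_drift": []}
    for m in members:
        email = m["email"].lower()
        if m["expired"]:                      # stale invite that was never accepted
            report["expired_invites"].append(email)
            continue
        if email not in idp_active:           # invited by hand, bypassing the IdP
            bucket = "not_in_idp"
        elif not idp_active[email]:           # IdP says inactive, Sentry still lists them
            bucket = "deactivated_in_idp"
        else:
            continue                          # consistent with the IdP
        report[bucket].append(email)
        if m["role"] in PRIVILEGED:           # drift on privileged roles is the urgent part
            report["privileged_drift"].append((email, m["role"]))
    return report

REPORT = scim_drift(SENTRY_MEMBERS, SCIM_USERS)
```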
Step 3 — API Token Governance and Audit Logging
API token scopes — always apply the principle of least privilege:
| Scope | Access Level | Typical Use Case |
|---|---|---|
| project:read | Read project settings and stats | Monitoring dashboards |
| project:write | Update project settings | Automation scripts |
| project:releases | Create releases, upload source maps | CI/CD pipelines |
| event:read | Read error/transaction events | Alerting integrations |
| event:write | Update/resolve events | Automated triage bots |
| org:read | Read organization data | Reporting tools |
| org:write | Update organization settings | Admin automation |
| member:read | List organization members | Directory sync |
| member:write | Manage members and invites | Onboarding automation |
| team:read | List teams | Discovery scripts |
| team:write | Create/update/delete teams | Team provisioning |
Create and manage API tokens:
```bash
# Create a new auth token via API
curl -s -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "scopes": ["project:read", "project:releases", "org:read"],
    "name": "ci-cd-pipeline-prod"
  }' \
  "https://sentry.io/api/0/api-tokens/"

# List all active auth tokens
curl -s -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/api-tokens/" \
  | jq '.[] | {id, name, scopes, dateCreated}'

# Delete a token by ID
curl -s -X DELETE \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/api-tokens/$TOKEN_ID/"
```
Token hygiene best practices:
- CI/CD tokens: project:releases + org:read only — the minimum for deploys
- Monitoring tokens: event:read + project:read — read-only for dashboards
- Admin tokens: use sparingly, rotate quarterly, limit to one or two Owners
- Naming convention: `{purpose}
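The scope baselines and the quarterly rotation rule above can be checked mechanically against the `api-tokens` listing. This added example (not part of the skill) does that over a constructed sample in the shape of the `jq` fields shown above; it assumes token names start with their purpose (`ci-cd-`, `monitoring-`, `admin-`), and the set of scopes that marks a token as "admin" for rotation purposes is my assumption.

```python
from datetime import datetime, timedelta, timezone

# Scope baselines from the hygiene list above, keyed by the name prefix that
# identifies the token's purpose (assumption: names follow "{purpose}-...").
BASELINES = {
    "ci-cd": {"project:releases", "org:read"},
    "monitoring": {"event:read", "project:read"},
    "admin": None,  # no scope baseline; governed by rotation age instead
}
# Assumption: any of these scopes makes a token an "admin token" for rotation purposes.
ADMIN_SCOPES = {"org:admin", "member:admin", "team:admin", "org:write", "member:write"}
ROTATION = timedelta(days=90)  # "rotate quarterly"

def audit_tokens(tokens, now):
    """Return (name, finding, detail) tuples for tokens that break the hygiene rules."""
    findings = []
    for t in tokens:
        name, scopes = t["name"], set(t["scopes"])
        purpose = next((p for p in BASELINES if name.startswith(p + "-")), None)
        if purpose is None:
            findings.append((name, "name does not follow {purpose}- convention", None))
        elif BASELINES[purpose] is not None and not scopes <= BASELINES[purpose]:
            findings.append((name, "excess scopes", sorted(scopes - BASELINES[purpose])))
        if scopes & ADMIN_SCOPES:
            created = datetime.fromisoformat(t["dateCreated"].replace("Z", "+00:00"))
            age = now - created
            if age > ROTATION:
                findings.append((name, "admin token overdue for rotation", age.days))
    return findings

# Constructed sample in the shape of GET /api/0/api-tokens/ (fields used by the jq above).
TOKENS = [
    {"id": "1", "name": "ci-cd-pipeline-prod", "dateCreated": "2024-05-20T10:00:00Z",
     "scopes": ["project:read", "project:releases", "org:read"]},
    {"id": "2", "name": "monitoring-dashboard", "dateCreated": "2024-05-01T10:00:00Z",
     "scopes": ["event:read", "project:read"]},
    {"id": "3", "name": "admin-break-glass", "dateCreated": "2024-01-01T00:00:00Z",
     "scopes": ["org:admin", "member:admin", "team:admin"]},
    {"id": "4", "name": "laptop-token", "dateCreated": "2024-05-30T10:00:00Z",
     "scopes": ["event:read"]},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
FINDINGS = audit_tokens(TOKENS, NOW)
```

Note that the `ci-cd-pipeline-prod` token as created in the example above carries `project:read` in addition to the CI/CD baseline, which is exactly the kind of excess this check reports.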