MCP.directory

windsurf-enterprise-rbac

by jeremylongshore
4
1
Source

Configure Windsurf enterprise SSO, role-based access control, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Windsurf. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf roles", "windsurf permissions", "windsurf SAML".

Install

mkdir -p .claude/skills/windsurf-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/7418" && unzip -o skill.zip -d .claude/skills/windsurf-enterprise-rbac && rm skill.zip

Installs to .claude/skills/windsurf-enterprise-rbac

About this skill

Windsurf Enterprise RBAC

Overview

Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.

Prerequisites

  • Windsurf Teams ($30/user/mo) or Enterprise (custom pricing) plan
  • Organization admin access at windsurf.com/dashboard
  • Identity provider for SSO (Enterprise only): Okta, Entra ID, Google Workspace

Instructions

Step 1: Configure SSO / SAML (Enterprise Only)

Navigate to Admin Dashboard > Security > SSO:

# SSO Configuration Steps
sso_setup:
  1_choose_idp:
    supported: ["Okta", "Microsoft Entra ID", "Google Workspace", "Any SAML 2.0 IdP"]

  2_configure_saml:
    entity_id: "https://windsurf.com/saml/your-org-id"
    acs_url: "https://windsurf.com/saml/callback"
    # Get these from Admin Dashboard > SSO > SAML Configuration

  3_idp_settings:
    # Configure in your IdP:
    sign_on_url: "https://windsurf.com/saml/login/your-org-id"
    audience_uri: "https://windsurf.com/saml/your-org-id"
    name_id_format: "emailAddress"
    attribute_statements:
      email: "user.email"
      firstName: "user.firstName"
      lastName: "user.lastName"

  4_enforce:
    enforce_sso: true  # Block password login after SSO is verified
    auto_provision: true  # New IdP users get Windsurf seats automatically
    domain_restriction: ["yourcompany.com"]  # Only allow company emails

Step 2: Configure Roles and Permissions

# Windsurf RBAC Model
roles:
  owner:
    description: "Organization owner — full control"
    permissions:
      - Manage billing and subscription
      - Add/remove admins
      - Configure SSO
      - View all analytics
      - Manage all seats

  admin:
    description: "Team administrator"
    permissions:
      - Add/remove members
      - Assign seat tiers (Pro, Free)
      - View team analytics
      - Configure org-wide settings
      - Manage MCP server allowlist

  member:
    description: "Standard developer"
    permissions:
      - Use assigned AI features
      - Configure personal settings
      - Create workspace rules
      - Cannot view team analytics

# Assign roles via Admin Dashboard > Members > Edit Role

Step 3: Organization-Wide AI Policies

# Admin Dashboard > Settings > AI Policies
org_policies:
  # Control which AI models are available
  allowed_models:
    - "swe-1"
    - "swe-1-lite"
    - "claude-sonnet"
    # Disable models not approved by security team

  # Terminal command execution controls
  cascade_terminal:
    max_execution_level: "normal"  # Options: turbo, normal, manual
    global_deny_list:
      - "rm -rf"
      - "sudo"
      - "curl | bash"
      - "DROP TABLE"
      - "format"

  # Data controls
  data_policies:
    telemetry: "off"                      # No telemetry for enterprise
    data_retention: "zero"                 # Zero-data retention
    code_context_sharing: "workspace_only" # AI sees only current workspace

  # Feature controls
  feature_flags:
    previews_enabled: true
    mcp_enabled: true
    workflows_enabled: true
    auto_deploy_enabled: false  # Disable direct deployment from IDE

Step 4: Seat Management Workflow

# Seat lifecycle management
seat_management:
  onboarding:
    1. "Admin invites user via Admin Dashboard > Members > Invite"
    2. "User receives email with SSO login link"
    3. "SSO authenticates user with company IdP"
    4. "User gets assigned tier (Pro/Free) based on role"
    5. "User opens project — .windsurfrules provides context"

  offboarding:
    1. "Disable user in IdP (SSO will auto-block)"
    2. "Remove seat in Admin Dashboard > Members"
    3. "Seat becomes available for reassignment"
    4. "User's local memories/config remain on their machine"

  tier_changes:
    upgrade: "Admin Dashboard > Members > Select user > Change to Pro"
    downgrade: "Admin Dashboard > Members > Select user > Change to Free"
    note: "Downgraded users keep Supercomplete, lose Cascade Write mode"

Step 5: Audit and Compliance

# Admin Dashboard > Analytics > Audit
audit_capabilities:
  available:
    - User login events (SSO audit trail)
    - Credit usage per user per day
    - Feature usage patterns
    - Seat assignment changes
    - Admin actions

  exportable:
    - CSV export of member usage
    - API access for SIEM integration (Enterprise)

  compliance_certifications:
    - SOC 2 Type II
    - FedRAMP High
    - HIPAA BAA (on request)
    - GDPR compliant

Step 6: Service Keys for API Access (Enterprise)

# For programmatic access to admin APIs
service_keys:
  purpose: "CI/CD integration, usage reporting, automated provisioning"
  create: "Admin Dashboard > Settings > Service Keys > Create"
  scopes:
    - "admin:read" — read analytics and member data
    - "admin:write" — manage members and settings
    - "usage:read" — read usage metrics
  rotation: "Rotate every 90 days, revoke immediately on compromise"

Error Handling

IssueCauseSolution
SSO login failsSAML certificate expiredUpdate certificate in IdP and Windsurf
User can't access CascadeNo Pro seat assignedAssign Pro tier in Admin Dashboard
Admin can't see analyticsWrong roleUpgrade to admin role in Dashboard
New user auto-provisioned to wrong tierDefault tier not setConfigure default seat tier in Settings
Service key rejectedExpired or wrong scopeGenerate new key with correct scopes

Examples

Quick Admin Dashboard Tasks

Add user: Admin Dashboard > Members > Invite > [email protected]
Remove user: Members > Select > Remove from organization
Change tier: Members > Select > Change Plan > Pro/Free
View usage: Analytics > Overview (or per-member view)

Team Structure Example

engineering_org:
  platform_team:
    seats: 8
    tier: Pro
    admins: ["[email protected]"]

  frontend_team:
    seats: 6
    tier: Pro
    admins: ["[email protected]"]

  design_team:
    seats: 3
    tier: Free  # Mainly CSS, limited AI use

  contractors:
    seats: 4
    tier: Free
    note: "Temporary, upgrade to Pro if AI use increases"

Resources

Next Steps

For migration strategies, see windsurf-migration-deep-dive.

More by jeremylongshore

View all skills by jeremylongshore

svg-icon-generator

jeremylongshore

Svg Icon Generator - Auto-activating skill for Visual Content. Triggers on: svg icon generator, svg icon generator Part of the Visual Content skill category.

12244

d2-diagram-creator

jeremylongshore

D2 Diagram Creator - Auto-activating skill for Visual Content. Triggers on: d2 diagram creator, d2 diagram creator Part of the Visual Content skill category.

10938

automating-mobile-app-testing

jeremylongshore

This skill enables automated testing of mobile applications on iOS and Android platforms using frameworks like Appium, Detox, XCUITest, and Espresso. It generates end-to-end tests, sets up page object models, and handles platform-specific elements. Use this skill when the user requests mobile app testing, test automation for iOS or Android, or needs assistance with setting up device farms and simulators. The skill is triggered by terms like "mobile testing", "appium", "detox", "xcuitest", "espresso", "android test", "ios test".

21836

performing-penetration-testing

jeremylongshore

This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.

5823

designing-database-schemas

jeremylongshore

Design and visualize efficient database schemas, normalize data, map relationships, and generate ERD diagrams and SQL statements.

12619

optimizing-sql-queries

jeremylongshore

This skill analyzes and optimizes SQL queries for improved performance. It identifies potential bottlenecks, suggests optimal indexes, and proposes query rewrites. Use this when the user mentions "optimize SQL query", "improve SQL performance", "SQL query optimization", "slow SQL query", or asks for help with "SQL indexing". The skill helps enhance database efficiency by analyzing query structure, recommending indexes, and reviewing execution plans.

5814

You might also like

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

1,5551,556

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

1,8241,482

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

1,7041,234

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

1,604898

pdf-to-markdown

aliceisjustplaying

Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.

1,884835

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

1,434791

Related MCP Servers

Browse all servers
MagicMagic

Create modern React UI components instantly with Magic AI Agent. Integrates with top IDEs for fast, stunning design and

4,3850 tools
SlackSlack

Powerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data

1,4290 tools
Azure AllAzure All

Supercharge AI platforms with Azure MCP Server for seamless Azure API Management and resource automation. Public Preview

1,20847 tools
NetlifyNetlify

Effortlessly manage Netlify projects with AI using the Netlify MCP Server—automate deployment, sites, and more via natur

389 tools
Okta MCP ServerOkta MCP Server

Official Okta MCP server for managing identity and access management through AI. Automate user provisioning, group manag

240 tools
Docy (Documentation Access)Docy (Documentation Access)

Docy (Documentation Access) delivers real-time search and navigation of technical documentation without leaving your con

180 tools