windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, role-based access control, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Windsurf. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf roles", "windsurf permissions", "windsurf SAML".
Install
mkdir -p .claude/skills/windsurf-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/7418" && unzip -o skill.zip -d .claude/skills/windsurf-enterprise-rbac && rm skill.zipInstalls to .claude/skills/windsurf-enterprise-rbac
About this skill
Windsurf Enterprise RBAC
Overview
Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.
Prerequisites
- Windsurf Teams ($30/user/mo) or Enterprise (custom pricing) plan
- Organization admin access at windsurf.com/dashboard
- Identity provider for SSO (Enterprise only): Okta, Entra ID, Google Workspace
Instructions
Step 1: Configure SSO / SAML (Enterprise Only)
Navigate to Admin Dashboard > Security > SSO:
# SSO Configuration Steps
sso_setup:
1_choose_idp:
supported: ["Okta", "Microsoft Entra ID", "Google Workspace", "Any SAML 2.0 IdP"]
2_configure_saml:
entity_id: "https://windsurf.com/saml/your-org-id"
acs_url: "https://windsurf.com/saml/callback"
# Get these from Admin Dashboard > SSO > SAML Configuration
3_idp_settings:
# Configure in your IdP:
sign_on_url: "https://windsurf.com/saml/login/your-org-id"
audience_uri: "https://windsurf.com/saml/your-org-id"
name_id_format: "emailAddress"
attribute_statements:
email: "user.email"
firstName: "user.firstName"
lastName: "user.lastName"
4_enforce:
enforce_sso: true # Block password login after SSO is verified
auto_provision: true # New IdP users get Windsurf seats automatically
domain_restriction: ["yourcompany.com"] # Only allow company emails
Step 2: Configure Roles and Permissions
# Windsurf RBAC Model
roles:
owner:
description: "Organization owner — full control"
permissions:
- Manage billing and subscription
- Add/remove admins
- Configure SSO
- View all analytics
- Manage all seats
admin:
description: "Team administrator"
permissions:
- Add/remove members
- Assign seat tiers (Pro, Free)
- View team analytics
- Configure org-wide settings
- Manage MCP server allowlist
member:
description: "Standard developer"
permissions:
- Use assigned AI features
- Configure personal settings
- Create workspace rules
- Cannot view team analytics
# Assign roles via Admin Dashboard > Members > Edit Role
Step 3: Organization-Wide AI Policies
# Admin Dashboard > Settings > AI Policies
org_policies:
# Control which AI models are available
allowed_models:
- "swe-1"
- "swe-1-lite"
- "claude-sonnet"
# Disable models not approved by security team
# Terminal command execution controls
cascade_terminal:
max_execution_level: "normal" # Options: turbo, normal, manual
global_deny_list:
- "rm -rf"
- "sudo"
- "curl | bash"
- "DROP TABLE"
- "format"
# Data controls
data_policies:
telemetry: "off" # No telemetry for enterprise
data_retention: "zero" # Zero-data retention
code_context_sharing: "workspace_only" # AI sees only current workspace
# Feature controls
feature_flags:
previews_enabled: true
mcp_enabled: true
workflows_enabled: true
auto_deploy_enabled: false # Disable direct deployment from IDE
Step 4: Seat Management Workflow
# Seat lifecycle management
seat_management:
onboarding:
1. "Admin invites user via Admin Dashboard > Members > Invite"
2. "User receives email with SSO login link"
3. "SSO authenticates user with company IdP"
4. "User gets assigned tier (Pro/Free) based on role"
5. "User opens project — .windsurfrules provides context"
offboarding:
1. "Disable user in IdP (SSO will auto-block)"
2. "Remove seat in Admin Dashboard > Members"
3. "Seat becomes available for reassignment"
4. "User's local memories/config remain on their machine"
tier_changes:
upgrade: "Admin Dashboard > Members > Select user > Change to Pro"
downgrade: "Admin Dashboard > Members > Select user > Change to Free"
note: "Downgraded users keep Supercomplete, lose Cascade Write mode"
Step 5: Audit and Compliance
# Admin Dashboard > Analytics > Audit
audit_capabilities:
available:
- User login events (SSO audit trail)
- Credit usage per user per day
- Feature usage patterns
- Seat assignment changes
- Admin actions
exportable:
- CSV export of member usage
- API access for SIEM integration (Enterprise)
compliance_certifications:
- SOC 2 Type II
- FedRAMP High
- HIPAA BAA (on request)
- GDPR compliant
Step 6: Service Keys for API Access (Enterprise)
# For programmatic access to admin APIs
service_keys:
purpose: "CI/CD integration, usage reporting, automated provisioning"
create: "Admin Dashboard > Settings > Service Keys > Create"
scopes:
- "admin:read" — read analytics and member data
- "admin:write" — manage members and settings
- "usage:read" — read usage metrics
rotation: "Rotate every 90 days, revoke immediately on compromise"
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| SSO login fails | SAML certificate expired | Update certificate in IdP and Windsurf |
| User can't access Cascade | No Pro seat assigned | Assign Pro tier in Admin Dashboard |
| Admin can't see analytics | Wrong role | Upgrade to admin role in Dashboard |
| New user auto-provisioned to wrong tier | Default tier not set | Configure default seat tier in Settings |
| Service key rejected | Expired or wrong scope | Generate new key with correct scopes |
Examples
Quick Admin Dashboard Tasks
Add user: Admin Dashboard > Members > Invite > email@company.com
Remove user: Members > Select > Remove from organization
Change tier: Members > Select > Change Plan > Pro/Free
View usage: Analytics > Overview (or per-member view)
Team Structure Example
engineering_org:
platform_team:
seats: 8
tier: Pro
admins: ["tech-lead@company.com"]
frontend_team:
seats: 6
tier: Pro
admins: ["frontend-lead@company.com"]
design_team:
seats: 3
tier: Free # Mainly CSS, limited AI use
contractors:
seats: 4
tier: Free
note: "Temporary, upgrade to Pro if AI use increases"
Resources
Next Steps
For migration strategies, see windsurf-migration-deep-dive.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
MagicCreate modern React UI components instantly with Magic AI Agent. Integrates with top IDEs for fast, stunning design and
SlackPowerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data
Azure AllSupercharge AI platforms with Azure MCP Server for seamless Azure API Management and resource automation. Public Preview
NetlifyEffortlessly manage Netlify projects with AI using the Netlify MCP Server—automate deployment, sites, and more via natur
Okta MCP ServerOfficial Okta MCP server for managing identity and access management through AI. Automate user provisioning, group manag
Docy (Documentation Access)Docy (Documentation Access) delivers real-time search and navigation of technical documentation without leaving your con
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.