documenso-enterprise-rbac
Configure Documenso enterprise role-based access control and team management. Use when implementing team permissions, configuring organizational roles, or setting up enterprise access controls. Trigger with phrases like "documenso RBAC", "documenso teams", "documenso permissions", "documenso enterprise", "documenso roles".
Best use case
documenso-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Documenso enterprise role-based access control and team management. Use when implementing team permissions, configuring organizational roles, or setting up enterprise access controls. Trigger with phrases like "documenso RBAC", "documenso teams", "documenso permissions", "documenso enterprise", "documenso roles".
Teams using documenso-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/documenso-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How documenso-enterprise-rbac Compares
| Feature / Agent | documenso-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Documenso enterprise role-based access control and team management. Use when implementing team permissions, configuring organizational roles, or setting up enterprise access controls. Trigger with phrases like "documenso RBAC", "documenso teams", "documenso permissions", "documenso enterprise", "documenso roles".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Documenso Enterprise RBAC
## Overview
Configure team-based access control and enterprise features in Documenso. The Team plan enables multi-user collaboration with shared documents. Enterprise adds SSO (OIDC), audit logging, and organization-level management.
## Prerequisites
- Documenso Team or Enterprise plan
- Understanding of RBAC concepts
- For SSO: OIDC-compatible identity provider (Okta, Azure AD, Google Workspace, Auth0)
## Documenso Team Model
```
Organization
├── Team A
│ ├── Owner (full control)
│ ├── Admin (manage members, settings)
│ └── Member (create, view, sign team documents)
├── Team B
│ └── ...
└── Personal Accounts (separate from teams)
```
**Key concepts:**
- Teams are separate from personal accounts -- team documents are owned by the team
- Team API keys access all team documents; personal keys only access personal documents
- Each team member can have Owner, Admin, or Member role
- Unlimited teams and users on Team/Enterprise plans (early adopter pricing)
## Instructions
### Step 1: Team API Key Scoping
```typescript
import { Documenso } from "@documenso/sdk-typescript";
// Personal key: only YOUR documents
const personalClient = new Documenso({
apiKey: process.env.DOCUMENSO_PERSONAL_KEY!,
});
// Team key: all documents in the team
const teamClient = new Documenso({
apiKey: process.env.DOCUMENSO_TEAM_KEY!,
});
// Common mistake: using personal key for team operations
// Results in 403 Forbidden on team resources
```
### Step 2: Application-Level RBAC
Documenso handles team membership internally. For finer-grained control in your app, implement an authorization layer:
```typescript
// src/auth/documenso-rbac.ts
type Role = "viewer" | "editor" | "admin" | "owner";
interface TeamMember {
userId: string;
teamId: string;
role: Role;
}
const PERMISSIONS: Record<Role, string[]> = {
viewer: ["documents:read"],
editor: ["documents:read", "documents:create", "documents:send"],
admin: ["documents:read", "documents:create", "documents:send", "documents:delete", "members:manage"],
owner: ["documents:read", "documents:create", "documents:send", "documents:delete", "members:manage", "team:settings", "team:billing"],
};
function hasPermission(member: TeamMember, permission: string): boolean {
return PERMISSIONS[member.role]?.includes(permission) ?? false;
}
// Middleware
function requirePermission(permission: string) {
return (req: Request, res: Response, next: NextFunction) => {
const member = req.teamMember; // Set by auth middleware
if (!hasPermission(member, permission)) {
return res.status(403).json({
error: "Forbidden",
required: permission,
userRole: member.role,
});
}
next();
};
}
// Usage
app.delete("/api/documents/:id",
requirePermission("documents:delete"),
async (req, res) => {
await teamClient.documents.deleteV0(parseInt(req.params.id));
res.json({ deleted: true });
}
);
```
### Step 3: Enterprise SSO Configuration
Documenso Enterprise supports SSO via OIDC. Configuration is done in the admin panel:
```text
SSO Setup (Enterprise only):
1. Navigate to Organization Settings > SSO
2. Select your OIDC provider
3. Enter:
- Client ID (from your IdP)
- Client Secret (from your IdP)
- Issuer URL (e.g., https://login.microsoftonline.com/{tenant}/v2.0)
4. Configure redirect URI in your IdP:
https://sign.yourcompany.com/api/auth/callback/oidc
5. Test with a non-admin user first
Supported providers:
- Google Workspace
- Microsoft Entra ID (Azure AD)
- Okta
- Auth0
- Any OIDC-compliant provider
Once enabled, team members sign in via:
https://sign.yourcompany.com/sso/{organization-slug}
```
### Step 4: Audit Logging (Enterprise)
Enterprise includes built-in audit logging. For additional application-level auditing:
```typescript
// src/audit/documenso-audit.ts
interface AuditEntry {
timestamp: string;
userId: string;
teamId: string;
action: string;
resourceType: "document" | "template" | "team" | "member";
resourceId: string;
metadata: Record<string, any>;
}
async function auditLog(entry: Omit<AuditEntry, "timestamp">) {
const log: AuditEntry = {
...entry,
timestamp: new Date().toISOString(),
};
// Write to your audit store (database, CloudWatch, etc.)
console.log(JSON.stringify(log));
// Example: document sent
// { action: "document.send", resourceType: "document",
// resourceId: "42", userId: "user_123", teamId: "team_456" }
}
// Wrap Documenso operations with audit logging
async function sendDocumentAudited(
client: Documenso,
documentId: number,
userId: string,
teamId: string
) {
await client.documents.sendV0(documentId);
await auditLog({
userId,
teamId,
action: "document.send",
resourceType: "document",
resourceId: String(documentId),
metadata: { status: "PENDING" },
});
}
```
### Step 5: Multi-Tenant Architecture
```typescript
// src/tenant/documenso-tenant.ts
// Each tenant maps to a Documenso team with its own API key
interface Tenant {
id: string;
name: string;
documensoTeamApiKey: string; // Encrypted in database
}
class TenantDocumensoService {
private clients = new Map<string, Documenso>();
getClient(tenant: Tenant): Documenso {
if (!this.clients.has(tenant.id)) {
this.clients.set(
tenant.id,
new Documenso({ apiKey: tenant.documensoTeamApiKey })
);
}
return this.clients.get(tenant.id)!;
}
// Ensure tenant isolation — never cross-access
async getDocument(tenant: Tenant, documentId: number) {
const client = this.getClient(tenant);
return client.documents.getV0(documentId);
// Team API keys automatically scope to team documents
}
}
```
## Permission Matrix
| Action | Member | Admin | Owner |
|--------|--------|-------|-------|
| View team documents | Yes | Yes | Yes |
| Create documents | Yes | Yes | Yes |
| Send for signing | Yes | Yes | Yes |
| Delete documents | No | Yes | Yes |
| Manage team members | No | Yes | Yes |
| Team settings / billing | No | No | Yes |
| Configure SSO | No | No | Yes |
## Error Handling
| RBAC Issue | Cause | Solution |
|------------|-------|----------|
| 403 Forbidden | Personal key on team resource | Use team-scoped API key |
| Cannot delete | Not Admin/Owner role | Request role upgrade from team Owner |
| SSO login fails | Wrong OIDC configuration | Verify Client ID, Secret, and Issuer URL |
| Tenant data leak | Wrong API key for tenant | Validate tenant isolation in tests |
## Resources
- [Documenso Teams](https://documenso.com/features/teams)
- [SSO Portal Documentation](https://docs.documenso.com/users/organisations/sso)
- [Enterprise Features](https://documenso.com/blog/introducing-self-hosted-signing-infrastructure-for-enterprise)
- [OWASP Access Control](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
## Next Steps
For migration strategies, see `documenso-migration-deep-dive`.Related Skills
kubernetes-rbac-analyzer
Kubernetes Rbac Analyzer - Auto-activating skill for Security Advanced. Triggers on: kubernetes rbac analyzer, kubernetes rbac analyzer Part of the Security Advanced skill category.
exa-enterprise-rbac
Manage Exa API key scoping, team access controls, and domain restrictions. Use when implementing multi-key access control, configuring per-team search limits, or setting up organization-level Exa governance. Trigger with phrases like "exa access control", "exa RBAC", "exa enterprise", "exa team keys", "exa permissions".
evernote-enterprise-rbac
Implement enterprise RBAC for Evernote integrations. Use when building multi-tenant systems, implementing role-based access, or handling business accounts. Trigger with phrases like "evernote enterprise", "evernote rbac", "evernote business", "evernote permissions".
documenso-webhooks-events
Implement Documenso webhook configuration and event handling. Use when setting up webhook endpoints, handling document events, or implementing real-time notifications for document signing. Trigger with phrases like "documenso webhook", "documenso events", "document completed webhook", "signing notification".
documenso-upgrade-migration
Manage Documenso API version upgrades and SDK migrations. Use when upgrading from v1 to v2 API, updating SDK versions, or migrating between Documenso versions. Trigger with phrases like "documenso upgrade", "documenso v2 migration", "update documenso SDK", "documenso API version".
documenso-security-basics
Implement security best practices for Documenso document signing integrations. Use when securing API keys, configuring webhooks securely, or implementing document security measures. Trigger with phrases like "documenso security", "secure documenso", "documenso API key security", "documenso webhook security".
documenso-sdk-patterns
Apply production-ready Documenso SDK patterns for TypeScript and Python. Use when implementing Documenso integrations, refactoring SDK usage, or establishing team coding standards for Documenso. Trigger with phrases like "documenso SDK patterns", "documenso best practices", "documenso code patterns", "idiomatic documenso".
documenso-reference-architecture
Implement Documenso reference architecture with best-practice project layout. Use when designing new Documenso integrations, reviewing project structure, or establishing architecture standards for document signing applications. Trigger with phrases like "documenso architecture", "documenso best practices", "documenso project structure", "how to organize documenso".
documenso-rate-limits
Implement Documenso rate limiting, backoff, and request throttling patterns. Use when handling rate limit errors, implementing retry logic, or optimizing API request throughput for Documenso. Trigger with phrases like "documenso rate limit", "documenso throttling", "documenso 429", "documenso retry", "documenso backoff".
documenso-prod-checklist
Execute Documenso production deployment checklist and rollback procedures. Use when deploying Documenso integrations to production, preparing for launch, or implementing go-live procedures. Trigger with phrases like "documenso production", "deploy documenso", "documenso go-live", "documenso launch checklist".
documenso-performance-tuning
Optimize Documenso integration performance with caching, batching, and efficient patterns. Use when improving response times, reducing API calls, or optimizing bulk document operations. Trigger with phrases like "documenso performance", "optimize documenso", "documenso caching", "documenso batch operations".
documenso-observability
Implement monitoring, logging, and tracing for Documenso integrations. Use when setting up observability, implementing metrics collection, or debugging production issues. Trigger with phrases like "documenso monitoring", "documenso metrics", "documenso logging", "documenso tracing", "documenso observability".