coderabbit-enterprise-rbac

# CodeRabbit Enterprise RBAC

## Overview
Manage CodeRabbit AI code review access across an enterprise organization. CodeRabbit inherits repository permissions from your Git provider -- if a developer has write access to a repo and opens a PR, CodeRabbit reviews it. Enterprise controls focus on seat management, repository scoping, organization-level configuration, and review policy enforcement.

## Prerequisites
- CodeRabbit Pro or Enterprise plan
- GitHub Organization admin or GitLab Group owner role
- CodeRabbit GitHub App installed on the organization
- Access to CodeRabbit dashboard at app.coderabbit.ai

## Access Control Model
```
GitHub/GitLab Org Permissions
         │
         ▼
┌─────────────────────────┐
│ CodeRabbit GitHub App   │
│ Repository Access:      │
│  ├── All repositories   │ ← Reviews every PR in the org
│  └── Select repos only  │ ← Reviews only selected repos
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐
│ Seat Assignment         │
│  ├── Active committers  │ ← Auto-assigns seats to PR authors
│  └── Manual assignment  │ ← Admin picks who gets seats
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐
│ .coderabbit.yaml        │
│  ├── Org-level defaults │ ← .github repo
│  └── Repo-level overrides│ ← Per-repo customization
└─────────────────────────┘
```

## Instructions

### Step 1: Control Repository Access
```markdown
# In GitHub > Organization > Settings > Installed Apps > CodeRabbit:

Option A: "All repositories" (org-wide)
- Every repo gets AI reviews automatically
- New repos are covered immediately
- Higher seat count (every PR author = seat)

Option B: "Only select repositories" (targeted)
- Choose which repos get AI reviews
- Lower seat count
- New repos must be manually added

# Recommended: Start with Option B (select repos)
# Add repos in tiers based on risk/value
```

### Step 2: Configure Seat Management
```markdown
# In CodeRabbit Dashboard > Organization > Subscription:

1. Seat Policy Options:
   - "Active committers" → Auto-assign to anyone who opens a PR
   - "Manual assignment" → Admin explicitly assigns seats

2. Exclude Bot Accounts:
   - dependabot[bot]
   - renovate[bot]
   - github-actions[bot]
   - Any CI service accounts

3. Monitor Seat Usage:
   - Active seats: developers who opened PRs in last 30 days
   - Idle seats: no PR activity in 30+ days → candidates for removal

# Billing: ~$15/seat/month (Pro), custom (Enterprise)
# Only PR authors consume seats, not reviewers or commenters
```

### Step 3: Set Organization-Level Defaults
```yaml
# .github/.coderabbit.yaml (in the .github repo)
# Applied to ALL repos unless overridden by repo-level config

language: "en-US"
reviews:
  profile: "assertive"
  request_changes_workflow: false
  high_level_summary: true
  review_status: true
  poem: false
  sequence_diagrams: true

  auto_review:
    enabled: true
    drafts: false
    ignore_title_keywords:
      - "WIP"
      - "DO NOT MERGE"
      - "chore: bump"

  path_filters:
    - "!**/*.lock"
    - "!**/*.snap"
    - "!**/generated/**"
    - "!dist/**"
    - "!vendor/**"

  # Organization-wide coding standards
  path_instructions:
    - path: "**"
      instructions: |
        Org-wide rules:
        1. Flag hardcoded secrets, API keys, or credentials
        2. Check for proper error handling (no empty catch blocks)
        3. Verify input validation on API endpoints

chat:
  auto_reply: true
```

### Step 4: Team-Specific Repository Overrides
```yaml
# .coderabbit.yaml in a specific repo (overrides org defaults)
reviews:
  profile: "assertive"      # Can override org default
  request_changes_workflow: true   # This repo requires CR approval

  auto_review:
    enabled: true
    base_branches:
      - main                 # Only review PRs targeting main
    drafts: false

  path_instructions:
    - path: "src/auth/**"
      instructions: |
        SECURITY-CRITICAL path. Check for:
        - Auth bypass vulnerabilities
        - Injection attacks
        - Improper session handling
        - Token validation gaps
    - path: "src/payments/**"
      instructions: |
        PCI-SENSITIVE path. Check for:
        - Credit card data handling
        - Proper encryption usage
        - Audit logging of financial operations
    - path: "migrations/**"
      instructions: |
        Verify: backward compatibility, rollback safety,
        no data loss on down migration.
```

### Step 5: Audit Review Activity
```bash
set -euo pipefail
ORG="${1:-your-org}"

echo "=== CodeRabbit Org-Wide Review Audit ==="
echo "Organization: $ORG"
echo ""

# List repos with CodeRabbit installed
echo "--- Repos with CodeRabbit ---"
for REPO in $(gh repo list "$ORG" --limit 50 --json name --jq '.[].name'); do
  INSTALLED=$(gh api "repos/$ORG/$REPO/installation" --jq '.app_slug' 2>/dev/null || echo "none")
  if [ "$INSTALLED" = "coderabbitai" ]; then
    # Count recent reviews
    REVIEWS=$(gh api "repos/$ORG/$REPO/pulls?state=closed&per_page=10" --jq '.[].number' 2>/dev/null | \
      head -5 | xargs -I{} gh api "repos/$ORG/$REPO/pulls/{}/reviews" \
        --jq '[.[] | select(.user.login=="coderabbitai[bot]")] | length' 2>/dev/null | \
      awk '{sum+=$1} END {print sum+0}')
    echo "  $REPO: $REVIEWS reviews (last 5 PRs)"
  fi
done
```

### Step 6: Enterprise SSO and Compliance
```markdown
# CodeRabbit Enterprise plan includes:

1. SSO Integration:
   - GitHub Enterprise Cloud SSO (SAML)
   - GitLab SAML SSO
   - Automatic seat provisioning via SCIM

2. Data Residency:
   - Code is processed and not stored (ephemeral analysis)
   - Review comments stored in your Git provider (GitHub/GitLab)
   - CodeRabbit learnings stored on CodeRabbit servers
   - SOC 2 Type II certified

3. Compliance Features:
   - Audit logs available in enterprise dashboard
   - Data processing agreement (DPA) available
   - Custom data retention policies
   - IP allowlisting for self-hosted GitLab

# Contact: enterprise@coderabbit.ai for custom plans
```

## Output
- Repository access scoped to appropriate repos
- Seat management configured with bot exclusions
- Organization-level defaults deployed
- Team-specific review policies applied
- Audit script for review activity monitoring

## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| CodeRabbit not reviewing PRs | App not installed on repo | Add repo in GitHub App settings |
| Seat limit exceeded | Too many active committers | Remove inactive users or upgrade plan |
| Org config not applying | No `.github` repo in org | Create `.github` repo with `.coderabbit.yaml` |
| Repo config ignored | YAML syntax error | Validate YAML, check with `@coderabbitai configuration` |
| Bot consuming seats | Bot opens PRs | Exclude bot usernames in seat management |

## Resources
- [CodeRabbit Enterprise](https://coderabbit.ai/pricing)
- [Organization Config](https://docs.coderabbit.ai/guides/organization-level-config)
- [Seat Management](https://docs.coderabbit.ai/guides/seat-management)
- [SOC 2 Compliance](https://coderabbit.ai/security)

## Next Steps
For cost optimization, see `coderabbit-cost-tuning`.