instantly-enterprise-rbac

Configure Instantly.ai workspace access control, team management, and API key governance. Use when managing workspace members, setting up team permissions, or implementing API key governance for multi-user Instantly workspaces. Trigger with phrases like "instantly team", "instantly permissions", "instantly workspace members", "instantly access control", "instantly rbac".

1,868 stars

byjeremylongshore

View on GitHub Installation ↓

Best use case

instantly-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using instantly-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/instantly-enterprise-rbac/SKILL.md --create-dirs "https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/main/plugins/saas-packs/instantly-pack/skills/instantly-enterprise-rbac/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/instantly-enterprise-rbac/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How instantly-enterprise-rbac Compares

Feature / Agent	instantly-enterprise-rbac	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

ChatGPT vs Claude for Agent Skills

Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.

SKILL.md Source

# Instantly Enterprise RBAC

## Overview
Manage workspace access control in Instantly API v2. Covers workspace member management, API key governance with scoped permissions, workspace group management (for agencies), custom tag-based resource isolation, and audit logging. Instantly uses workspace-level isolation — each workspace is a separate tenant with its own data and API keys.

## Prerequisites
- Instantly Hypergrowth plan or higher
- Workspace admin access
- API key with `all:all` scope (for admin operations)

## Instructions

### Step 1: Workspace Member Management
```typescript
import { InstantlyClient } from "./src/instantly/client";
const client = new InstantlyClient();

// List workspace members
async function listMembers() {
  const members = await client.request<Array<{
    id: string;
    email: string;
    role: string;
    timestamp_created: string;
  }>>("/workspace-members");

  console.log("Workspace Members:");
  for (const m of members) {
    console.log(`  ${m.email} — role: ${m.role} (joined: ${m.timestamp_created})`);
  }
  return members;
}

// Invite new member
async function inviteMember(email: string) {
  const member = await client.request<{ id: string; email: string }>("/workspace-members", {
    method: "POST",
    body: JSON.stringify({ email }),
  });
  console.log(`Invited: ${member.email} (${member.id})`);
  return member;
}

// Update member role
async function updateMemberRole(memberId: string, role: string) {
  await client.request(`/workspace-members/${memberId}`, {
    method: "PATCH",
    body: JSON.stringify({ role }),
  });
}

// Remove member
async function removeMember(memberId: string) {
  await client.request(`/workspace-members/${memberId}`, { method: "DELETE" });
  console.log(`Removed member: ${memberId}`);
}
```

### Step 2: API Key Governance
```typescript
// Create scoped API keys for different team roles
async function createScopedKeys() {
  // Analytics-only key for the marketing team
  const analyticsKey = await client.request<{ id: string; key: string; name: string }>(
    "/api-keys",
    {
      method: "POST",
      body: JSON.stringify({
        name: "Marketing — Analytics Read Only",
        scopes: ["campaigns:read", "accounts:read"],
      }),
    }
  );
  console.log(`Analytics key: ${analyticsKey.name} (${analyticsKey.id})`);

  // Campaign management key for SDR team
  const sdrKey = await client.request<{ id: string; key: string; name: string }>(
    "/api-keys",
    {
      method: "POST",
      body: JSON.stringify({
        name: "SDR — Campaign Management",
        scopes: ["campaigns:all", "leads:all"],
      }),
    }
  );
  console.log(`SDR key: ${sdrKey.name} (${sdrKey.id})`);

  // Webhook-only key for integration service
  const webhookKey = await client.request<{ id: string; key: string; name: string }>(
    "/api-keys",
    {
      method: "POST",
      body: JSON.stringify({
        name: "Integration Service — Webhook Handler",
        scopes: ["leads:read"],
      }),
    }
  );
  console.log(`Webhook key: ${webhookKey.name} (${webhookKey.id})`);
}

// List all API keys
async function auditApiKeys() {
  const keys = await client.request<Array<{
    id: string; name: string; scopes: string[]; timestamp_created: string;
  }>>("/api-keys");

  console.log("API Keys:");
  for (const key of keys) {
    console.log(`  ${key.name} (${key.id})`);
    console.log(`    Scopes: ${key.scopes.join(", ")}`);
    console.log(`    Created: ${key.timestamp_created}`);
  }

  // Flag overprivileged keys
  const overprivileged = keys.filter((k) =>
    k.scopes.includes("all:all") || k.scopes.includes("all:update")
  );
  if (overprivileged.length > 0) {
    console.log(`\nWARNING: ${overprivileged.length} key(s) with all:all scope:`);
    overprivileged.forEach((k) => console.log(`  ${k.name} — consider reducing scope`));
  }
}

// Revoke a key
async function revokeApiKey(keyId: string) {
  await client.request(`/api-keys/${keyId}`, { method: "DELETE" });
  console.log(`Revoked API key: ${keyId}`);
}
```

### Step 3: Workspace Group Management (Agency Pattern)
```typescript
// For agencies managing multiple client workspaces
async function manageWorkspaceGroups() {
  // List workspace group members
  const groupMembers = await client.request<Array<{
    id: string; email: string;
  }>>("/workspace-group-members");

  console.log("Workspace Group Members:");
  for (const m of groupMembers) {
    console.log(`  ${m.email} (${m.id})`);
  }

  // Add member to workspace group
  await client.request("/workspace-group-members", {
    method: "POST",
    body: JSON.stringify({ email: "team@agency.com" }),
  });

  // Get admin users
  const admins = await client.request<Array<{
    id: string; email: string;
  }>>("/workspace-group-members/admin");
  console.log("Admins:", admins.map((a) => a.email).join(", "));
}
```

### Step 4: Custom Tags for Resource Isolation
```typescript
// Use custom tags to organize campaigns and accounts by team/client
async function setupTeamTags() {
  // Create tags for each team
  const teams = ["SDR-West", "SDR-East", "Marketing", "Enterprise"];

  for (const team of teams) {
    const tag = await client.request<{ id: string; label: string }>("/custom-tags", {
      method: "POST",
      body: JSON.stringify({
        label: team,
        description: `Resources owned by ${team} team`,
      }),
    });
    console.log(`Created tag: ${tag.label} (${tag.id})`);
  }
}

// Assign tag to campaign or account
async function tagResource(tagId: string, resourceId: string) {
  await client.request("/custom-tags/toggle-resource", {
    method: "POST",
    body: JSON.stringify({
      tag_id: tagId,
      resource_id: resourceId,
    }),
  });
}

// Filter campaigns by tag
async function getCampaignsByTeam(tagId: string) {
  return client.request<Campaign[]>(`/campaigns?tag_ids=${tagId}&limit=100`);
}

// Filter accounts by tag
async function getAccountsByTeam(tagId: string) {
  return client.request<Account[]>(`/accounts?tag_ids=${tagId}&limit=100`);
}
```

### Step 5: Audit Logging
```typescript
// Review workspace audit logs
async function reviewAuditLogs() {
  const logs = await client.request<Array<{
    id: string;
    action: string;
    resource: string;
    user: string;
    timestamp_created: string;
  }>>("/audit-logs?limit=50");

  console.log("Recent Audit Events:");
  for (const log of logs) {
    console.log(`  ${log.timestamp_created} | ${log.user} | ${log.action} | ${log.resource}`);
  }

  return logs;
}

// Workspace ownership transfer
async function changeWorkspaceOwner(newOwnerUserId: string) {
  await client.request("/workspaces/current/change-owner", {
    method: "POST",
    body: JSON.stringify({ new_owner_id: newOwnerUserId }),
  });
  console.log("Workspace ownership transferred");
}
```

## Access Control Matrix

| Role | Campaigns | Leads | Accounts | Webhooks | API Keys | Members |
|------|-----------|-------|----------|----------|----------|---------|
| Admin | Full | Full | Full | Full | Full | Full |
| Manager | Create/Edit | Create/Edit | View | Create | View | View |
| SDR | Launch/Pause | Import | View | - | - | - |
| Viewer | View only | View only | View only | - | - | - |

## Key API Endpoints
| Method | Path | Purpose |
|--------|------|---------|
| `POST` | `/workspace-members` | Invite member |
| `GET` | `/workspace-members` | List members |
| `PATCH` | `/workspace-members/{id}` | Update role |
| `DELETE` | `/workspace-members/{id}` | Remove member |
| `POST` | `/api-keys` | Create scoped key |
| `GET` | `/api-keys` | List keys |
| `DELETE` | `/api-keys/{id}` | Revoke key |
| `POST` | `/custom-tags` | Create tag |
| `POST` | `/custom-tags/toggle-resource` | Tag a resource |
| `GET` | `/audit-logs` | View audit trail |
| `POST` | `/workspaces/current/change-owner` | Transfer ownership |

## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| `403` on member operations | Not workspace admin | Use admin API key |
| Can't revoke own key | Self-revocation blocked | Use another key or dashboard |
| Tags not filtering | Wrong tag_id format | Ensure UUID format |
| Audit logs empty | Feature not available on plan | Upgrade to higher tier |

## Resources
- [Instantly API Key Management](https://developer.instantly.ai/api/v2/apikey)
- [Workspace Members API](https://developer.instantly.ai/)
- [Custom Tags API](https://developer.instantly.ai/api/v2/schemas)

## Next Steps
For migration strategies, see `instantly-migration-deep-dive`.

Related Skills

windsurf-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".

webflow-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".

vercel-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".

veeva-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".

vastai-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".

twinmind-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".

supabase-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".

speak-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".

snowflake-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".

windsurf-enterprise-sso

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".

shopify-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".

sentry-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".