linear-enterprise-rbac
Implement enterprise role-based access control with Linear. Use when setting up team permissions, OAuth scopes, SAML SSO, SCIM provisioning, or audit logging. Trigger: "linear RBAC", "linear permissions", "linear SSO", "linear enterprise access", "linear role management", "linear SCIM".
Best use case
linear-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement enterprise role-based access control with Linear. Use when setting up team permissions, OAuth scopes, SAML SSO, SCIM provisioning, or audit logging. Trigger: "linear RBAC", "linear permissions", "linear SSO", "linear enterprise access", "linear role management", "linear SCIM".
Teams using linear-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/linear-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How linear-enterprise-rbac Compares
| Feature / Agent | linear-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement enterprise role-based access control with Linear. Use when setting up team permissions, OAuth scopes, SAML SSO, SCIM provisioning, or audit logging. Trigger: "linear RBAC", "linear permissions", "linear SSO", "linear enterprise access", "linear role management", "linear SCIM".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Linear Enterprise RBAC
## Overview
Implement role-based access control for Linear integrations. Linear provides built-in organization roles (Owner, Admin, Member, Guest), team-level access control, and fine-grained OAuth scopes. Enterprise plans add SAML 2.0 SSO and SCIM user provisioning.
## Prerequisites
- Linear Business or Enterprise plan (for SSO/SCIM)
- Organization admin access
- SSO provider (Okta, Azure AD, Google Workspace) for SAML
- Understanding of OAuth 2.0 scopes
## Instructions
### Step 1: Understand Linear's Built-In Roles
| Role | Capabilities |
|------|-------------|
| **Owner** | Full workspace control, billing, delete workspace |
| **Admin** | Manage members, teams, integrations, workspace settings |
| **Member** | Create/edit issues, access team-visible data |
| **Guest** | Read-only access to invited teams only |
These roles are fixed in Linear. Your application can layer additional permissions on top.
### Step 2: Map Application Roles to OAuth Scopes
```typescript
// src/auth/permissions.ts
// Available Linear OAuth scopes:
// read, write, issues:create, admin
// initiative:read, initiative:write
// customer:read, customer:write
const ROLE_SCOPES: Record<string, string[]> = {
admin: ["read", "write", "issues:create", "admin"],
manager: ["read", "write", "issues:create"],
developer: ["read", "write", "issues:create"],
viewer: ["read"],
};
const TEAM_ACCESS: Record<string, "member" | "guest" | "none"> = {
admin: "member",
manager: "member",
developer: "member",
viewer: "guest",
};
```
### Step 3: Permission Guard
```typescript
import { LinearClient } from "@linear/sdk";
interface UserContext {
userId: string;
role: string;
linearClient: LinearClient;
teamIds: string[];
}
class PermissionGuard {
constructor(private ctx: UserContext) {}
canAccessTeam(teamId: string): boolean {
if (this.ctx.role === "admin") return true;
return this.ctx.teamIds.includes(teamId);
}
async canModifyIssue(issueId: string): Promise<boolean> {
if (this.ctx.role === "viewer") return false;
const issue = await this.ctx.linearClient.issue(issueId);
const team = await issue.team;
return team ? this.canAccessTeam(team.id) : false;
}
canCreateIssue(): boolean {
return ["admin", "manager", "developer"].includes(this.ctx.role);
}
canDeleteIssue(): boolean {
return this.ctx.role === "admin";
}
canManageIntegration(): boolean {
return this.ctx.role === "admin";
}
canAccessProject(projectTeamIds: string[]): boolean {
if (this.ctx.role === "admin") return true;
return projectTeamIds.some(id => this.ctx.teamIds.includes(id));
}
}
// Express middleware
function requireRole(...allowedRoles: string[]) {
return (req: any, res: any, next: any) => {
if (!allowedRoles.includes(req.user.role)) {
return res.status(403).json({ error: "Insufficient role" });
}
next();
};
}
// Route protection
app.post("/api/issues", requireRole("admin", "manager", "developer"), createIssueHandler);
app.delete("/api/issues/:id", requireRole("admin"), deleteIssueHandler);
app.get("/api/issues", requireRole("admin", "manager", "developer", "viewer"), listIssuesHandler);
```
### Step 4: Scoped Client Factory
```typescript
// Create Linear clients with appropriate access per user
async function getClientForUser(userId: string): Promise<LinearClient> {
const token = await getStoredOAuthToken(userId);
if (!token) throw new Error("User not authenticated with Linear");
return new LinearClient({ accessToken: token });
}
// Verify team membership via API
async function getUserTeamIds(client: LinearClient): Promise<string[]> {
const viewer = await client.viewer;
const memberships = await viewer.teamMemberships();
const teamIds: string[] = [];
for (const membership of memberships.nodes) {
const team = await membership.team;
if (team) teamIds.push(team.id);
}
return teamIds;
}
```
### Step 5: SAML SSO Configuration (Enterprise)
```typescript
// Linear Enterprise supports SAML 2.0 SSO
// Configuration: Linear Settings > Security > SAML
// After SSO login, verify user's Linear access
async function onSSOLogin(email: string): Promise<UserContext> {
// Look up user's stored OAuth token
const user = await db.users.findByEmail(email);
if (!user?.linearAccessToken) {
throw new Error("User must complete Linear OAuth after SSO login");
}
const client = new LinearClient({ accessToken: user.linearAccessToken });
const viewer = await client.viewer;
const teamIds = await getUserTeamIds(client);
return {
userId: user.id,
role: mapLinearRoleToAppRole(viewer),
linearClient: client,
teamIds,
};
}
function mapLinearRoleToAppRole(viewer: any): string {
if (viewer.admin) return "admin";
if (viewer.guest) return "viewer";
return "developer";
}
```
### Step 6: SCIM Provisioning (Enterprise)
```typescript
// SCIM auto-syncs users and groups from your IdP to Linear
// Configuration: Linear Settings > Security > SCIM provisioning
// Endpoint: https://api.linear.app/scim/v2
// Bearer token: generated in Linear admin settings
// After SCIM syncs users, verify in your app
async function syncSCIMUsers(client: LinearClient) {
const org = await client.organization;
const members = await org.users();
for (const user of members.nodes) {
console.log(`${user.name} (${user.email}): admin=${user.admin}, guest=${user.guest}, active=${user.active}`);
// Sync to your app's user database
await db.users.upsert({
email: user.email,
name: user.name,
linearId: user.id,
role: user.admin ? "admin" : user.guest ? "viewer" : "developer",
active: user.active,
});
}
}
```
### Step 7: Audit Logging
```typescript
interface AuditEntry {
timestamp: string;
userId: string;
action: string;
resource: string;
resourceId: string;
details: Record<string, unknown>;
}
function logAudit(entry: AuditEntry): void {
// Write to audit log (database, SIEM, CloudWatch, etc.)
console.log(JSON.stringify(entry));
}
// Wrap Linear operations with audit logging
async function auditedCreateIssue(
ctx: UserContext,
input: { teamId: string; title: string; [key: string]: any }
) {
const guard = new PermissionGuard(ctx);
if (!guard.canCreateIssue()) throw new Error("Forbidden");
if (!guard.canAccessTeam(input.teamId)) throw new Error("No team access");
const result = await ctx.linearClient.createIssue(input);
logAudit({
timestamp: new Date().toISOString(),
userId: ctx.userId,
action: "issue.create",
resource: "Issue",
resourceId: (await result.issue)?.id ?? "",
details: { teamId: input.teamId, title: input.title },
});
return result;
}
async function auditedUpdateIssue(
ctx: UserContext,
issueId: string,
updates: Record<string, unknown>
) {
const guard = new PermissionGuard(ctx);
if (!(await guard.canModifyIssue(issueId))) throw new Error("Forbidden");
logAudit({
timestamp: new Date().toISOString(),
userId: ctx.userId,
action: "issue.update",
resource: "Issue",
resourceId: issueId,
details: updates,
});
return ctx.linearClient.updateIssue(issueId, updates);
}
```
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| `Forbidden` | Token lacks required scope | Request OAuth with correct `ROLE_SCOPES` |
| `Authentication required` | SSO session expired | Redirect to SAML IdP |
| SCIM sync fails | Invalid bearer token | Regenerate SCIM token in Linear admin |
| Guest can't create issue | Guest role is read-only | Upgrade to Member role in Linear |
| Team not accessible | User not added to team | Add user to team in Linear Settings |
## Examples
### List Organization Members by Role
```typescript
const client = new LinearClient({ apiKey: process.env.LINEAR_API_KEY! });
const org = await client.organization;
const members = await org.users();
for (const user of members.nodes) {
const role = user.admin ? "admin" : user.guest ? "guest" : "member";
console.log(`${user.name} (${user.email}): ${role}`);
}
```
## Resources
- [Linear OAuth Scopes](https://linear.app/developers/oauth-2-0-authentication)
- [Linear SSO Guide](https://linear.app/docs/sso)
- [SCIM Provisioning](https://linear.app/docs/scim)
- [OAuth Actor Authorization](https://linear.app/developers/oauth-actor-authorization)Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".