lokalise-enterprise-rbac
Configure Lokalise enterprise SSO, role-based access control, and team management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Lokalise. Trigger with phrases like "lokalise SSO", "lokalise RBAC", "lokalise enterprise", "lokalise roles", "lokalise permissions", "lokalise team".
Best use case
lokalise-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Lokalise enterprise SSO, role-based access control, and team management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Lokalise. Trigger with phrases like "lokalise SSO", "lokalise RBAC", "lokalise enterprise", "lokalise roles", "lokalise permissions", "lokalise team".
Teams using lokalise-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/lokalise-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How lokalise-enterprise-rbac Compares
| Feature / Agent | lokalise-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Lokalise enterprise SSO, role-based access control, and team management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for Lokalise. Trigger with phrases like "lokalise SSO", "lokalise RBAC", "lokalise enterprise", "lokalise roles", "lokalise permissions", "lokalise team".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Lokalise Enterprise RBAC
## Overview
Manage fine-grained access to Lokalise translation projects using its built-in role hierarchy, language-level scoping, contributor groups, and organization-level SSO enforcement. Lokalise has four core roles — owner, admin, manager-level (via admin_rights), and contributor (translator/reviewer) — each configurable per project and per language.
## Prerequisites
- Lokalise Team or Enterprise plan (contributor groups and SSO require Team+)
- Owner or Admin role in the Lokalise organization
- `LOKALISE_API_TOKEN` environment variable set (admin-level token)
- `@lokalise/node-api` SDK or `curl` + `jq` for REST API access
## Instructions
### Step 1: Understand the Role Hierarchy
Lokalise uses a flat role model per project, controlled by three boolean flags on each contributor:
| Role | `is_admin` | `is_reviewer` | Can translate | Can review | Can manage keys | Can manage contributors |
|------|-----------|--------------|--------------|-----------|----------------|----------------------|
| **Admin** | `true` | `true` | Yes | Yes | Yes | Yes |
| **Manager** | `false` | `true` | Yes | Yes | Limited (via `admin_rights`) | No |
| **Reviewer** | `false` | `true` | Yes | Yes | No | No |
| **Translator** | `false` | `false` | Yes | No | No | No |
At the **team level**, users are either `admin` or `member`. Team admins can create projects and manage billing. Team members can only access projects they are explicitly added to.
### Step 2: Add Contributors with Language Scoping
```typescript
import { LokaliseApi } from '@lokalise/node-api';
const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! });
// Add a translator restricted to French and Spanish only
await lok.contributors().create(PROJECT_ID, [{
email: 'translator@agency.com',
fullname: 'Marie Dupont',
is_admin: false,
is_reviewer: false,
languages: [
{ lang_iso: 'fr', is_writable: true },
{ lang_iso: 'es', is_writable: true },
],
}]);
// Add a reviewer who can review all languages but only translate German
await lok.contributors().create(PROJECT_ID, [{
email: 'reviewer@company.com',
fullname: 'Hans Mueller',
is_admin: false,
is_reviewer: true,
languages: [
{ lang_iso: 'de', is_writable: true },
{ lang_iso: 'fr', is_writable: false }, // Can review but not edit
{ lang_iso: 'es', is_writable: false },
],
}]);
```
### Step 3: Manage Team-Level Users and Roles
```bash
set -euo pipefail
TEAM_ID="YOUR_TEAM_ID"
# List all team members with their roles
curl -s -X GET "https://api.lokalise.com/api2/teams/${TEAM_ID}/users" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
| jq '.team_users[] | {user_id: .user_id, email: .email, role: .role}'
# Demote a user from admin to member
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/users/USER_ID" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"role": "member"}'
```
### Step 4: Create Contributor Groups for Bulk Management
Groups let you assign the same permissions to multiple people at once. When you add a user to a group, they inherit the group's language scope and role across all projects the group is assigned to.
```bash
set -euo pipefail
TEAM_ID="YOUR_TEAM_ID"
# Create a group for APAC translators
curl -s -X POST "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "APAC Translators",
"is_reviewer": false,
"is_admin": false,
"admin_rights": [],
"languages": [
{"lang_iso": "ja", "is_writable": true},
{"lang_iso": "ko", "is_writable": true},
{"lang_iso": "zh_CN", "is_writable": true}
]
}'
# Add a member to the group
GROUP_ID=$(curl -s "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
| jq -r '.groups[] | select(.name == "APAC Translators") | .group_id')
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/members/add" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"users": [12345, 67890]}'
# Assign the group to specific projects
curl -s -X PUT "https://api.lokalise.com/api2/teams/${TEAM_ID}/groups/${GROUP_ID}/projects/add" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"projects": ["PROJECT_ID_1", "PROJECT_ID_2"]}'
```
### Step 5: Configure SSO (Enterprise Plan Only)
SSO is configured in the Lokalise dashboard, not via API. Map your IdP groups to Lokalise roles:
1. Navigate to **Organization Settings > Single Sign-On**
2. Select SAML 2.0 and enter your IdP metadata URL
3. Map IdP groups to Lokalise roles:
- `Engineering-Localization` -> Admin
- `Translators-EMEA` -> Contributor group "EMEA Translators"
- `Product-Managers` -> Reviewer
4. Enable **Enforce SSO** to block password-based login for all org members
5. Set **Default Role** for new SSO users (recommend: member with no project access)
**ACS URL format:** `https://app.lokalise.com/sso/saml/YOUR_TEAM_ID/callback`
### Step 6: Audit Permissions Regularly
```typescript
import { LokaliseApi } from '@lokalise/node-api';
const lok = new LokaliseApi({ apiKey: process.env.LOKALISE_API_TOKEN! });
async function auditPermissions() {
const projects = await lok.projects().list({ limit: 100 });
const report: Array<{project: string; issue: string; detail: string}> = [];
for (const proj of projects.items) {
const contributors = await lok.contributors().list({
project_id: proj.project_id,
limit: 500,
});
// Flag: too many admins
const admins = contributors.items.filter(c => c.is_admin);
if (admins.length > 3) {
report.push({
project: proj.name,
issue: 'Excessive admins',
detail: `${admins.length} admins: ${admins.map(a => a.email).join(', ')}`,
});
}
// Flag: contributors with no language scope (can see all languages)
const unscopedTranslators = contributors.items.filter(
c => !c.is_admin && (!c.languages || c.languages.length === 0)
);
if (unscopedTranslators.length > 0) {
report.push({
project: proj.name,
issue: 'Unscoped contributors',
detail: `${unscopedTranslators.length} users can access all languages`,
});
}
// Respect rate limit
await new Promise(r => setTimeout(r, 200));
}
console.table(report);
return report;
}
await auditPermissions();
```
### Step 7: Set Up Webhook for Access Change Notifications
```bash
set -euo pipefail
# Get notified when contributors are added or removed
curl -s -X POST "https://api.lokalise.com/api2/projects/${PROJECT_ID}/webhooks" \
-H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"url": "https://hooks.company.com/lokalise-audit",
"events": [
"project.contributor_added",
"project.contributor_deleted",
"project.contributor_added_to_language",
"project.contributor_deleted_from_language"
]
}'
```
## Output
- Contributors added with explicit language scoping (no unscoped access)
- Contributor groups created for bulk role management across projects
- Team-level roles configured (admin vs. member distinction)
- SSO configured with IdP group-to-role mapping (Enterprise)
- Audit script identifying over-privileged users and unscoped contributors
- Webhook configured for access change notifications
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| `403` on contributor create | Caller lacks Admin role on the project | Use an admin-level token or get elevated by an Owner |
| Translator sees all languages | No `languages` array set on contributor | Update contributor with explicit language scope array |
| SSO login loop | Mismatched ACS URL | Verify ACS URL matches `https://app.lokalise.com/sso/saml/TEAM_ID/callback` exactly |
| Cannot remove Owner | Last owner protection | Transfer ownership to another admin first |
| `400` on group create | `admin_rights` contains invalid values | Valid values: `activity`, `statistics`, `settings`, `manage_keys`, `manage_screenshots`, `manage_languages`, `manage_contributors` |
| Group members don't see project | Group not assigned to the project | Use the groups/projects/add endpoint to link them |
## Examples
### List All Contributors Across All Projects
```bash
set -euo pipefail
# Quick CSV export of all contributors and their roles
curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
"https://api.lokalise.com/api2/projects?limit=100" \
| jq -r '.projects[].project_id' \
| while read -r pid; do
curl -s -H "X-Api-Token: ${LOKALISE_API_TOKEN}" \
"https://api.lokalise.com/api2/projects/${pid}/contributors?limit=500" \
| jq -r --arg pid "$pid" '.contributors[] | [$pid, .email, (.is_admin|tostring), (.is_reviewer|tostring), (.languages|length|tostring)] | @csv'
sleep 0.2
done | sort -t, -k2
```
### Principle of Least Privilege Setup
For a typical project with 3 languages (en, fr, de):
```typescript
// Product team: admin access for key management
await lok.contributors().create(PROJECT_ID, [{
email: 'pm@company.com', fullname: 'PM', is_admin: true, is_reviewer: true, languages: [],
}]);
// French translator: only French, translate only
await lok.contributors().create(PROJECT_ID, [{
email: 'fr@agency.com', fullname: 'FR Translator', is_admin: false, is_reviewer: false,
languages: [{ lang_iso: 'fr', is_writable: true }],
}]);
// German reviewer: German write + French read-only for reference
await lok.contributors().create(PROJECT_ID, [{
email: 'de@agency.com', fullname: 'DE Reviewer', is_admin: false, is_reviewer: true,
languages: [
{ lang_iso: 'de', is_writable: true },
{ lang_iso: 'fr', is_writable: false },
],
}]);
```
## Resources
- [Lokalise Contributors API](https://developers.lokalise.com/reference/list-all-contributors)
- [Team Users API](https://developers.lokalise.com/reference/list-team-users)
- [Contributor Groups API](https://developers.lokalise.com/reference/list-all-groups)
- [SSO Configuration Guide](https://docs.lokalise.com/en/articles/4866048-sso-saml)
- [Webhook Events Reference](https://developers.lokalise.com/reference/webhook-events)
## Next Steps
- After setting up permissions, run `lokalise-debug-bundle` to verify access scoping works as expected.
- For migration scenarios requiring bulk contributor setup, see `lokalise-migration-deep-dive`.
- Monitor access patterns over time with the audit script from Step 6.Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".