miro-enterprise-rbac

Configure Miro Enterprise features: organization management, SCIM provisioning, board-level access control, audit logs, and SSO integration via REST API v2. Trigger with phrases like "miro SSO", "miro RBAC", "miro enterprise", "miro SCIM", "miro permissions", "miro organization".

1,868 stars

byjeremylongshore

View on GitHub Installation ↓

Best use case

miro-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using miro-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/miro-enterprise-rbac/SKILL.md --create-dirs "https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/main/plugins/saas-packs/miro-pack/skills/miro-enterprise-rbac/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/miro-enterprise-rbac/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How miro-enterprise-rbac Compares

Feature / Agent	miro-enterprise-rbac	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

ChatGPT vs Claude for Agent Skills

Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.

SKILL.md Source

# Miro Enterprise RBAC

## Overview

Enterprise-grade access control for Miro REST API v2: organization and team management, SCIM user provisioning, board sharing with role-based permissions, and audit log access. Requires Miro Enterprise plan.

## Miro Access Hierarchy

```
Organization (Enterprise)
├── Team 1
│   ├── Board A (sharing: team only)
│   │   ├── Owner (full control)
│   │   ├── Co-owner (full control, can't delete board)
│   │   ├── Editor (can add/edit items)
│   │   ├── Commenter (can add comments only)
│   │   └── Viewer (read-only)
│   └── Board B
├── Team 2
│   └── Board C
└── Projects
    └── Project 1 (groups boards)
```

## Board Roles & Permissions

| Role | View | Comment | Edit Items | Share | Delete Board |
|------|------|---------|------------|-------|-------------|
| Viewer | Yes | No | No | No | No |
| Commenter | Yes | Yes | No | No | No |
| Editor | Yes | Yes | Yes | No | No |
| Co-owner | Yes | Yes | Yes | Yes | No |
| Owner | Yes | Yes | Yes | Yes | Yes |

## Board Member Management

```typescript
// List board members
// GET https://api.miro.com/v2/boards/{board_id}/members
const members = await miroFetch(`/v2/boards/${boardId}/members?limit=50`);
for (const member of members.data) {
  console.log(`${member.name} (${member.id}): role=${member.role}`);
}

// Share board with users
// POST https://api.miro.com/v2/boards/{board_id}/members
await miroFetch(`/v2/boards/${boardId}/members`, 'POST', {
  emails: ['dev@company.com', 'pm@company.com'],
  role: 'editor',        // 'viewer' | 'commenter' | 'editor' | 'coowner'
  message: 'You have been added to the sprint board',
});

// Update member role
// PATCH https://api.miro.com/v2/boards/{board_id}/members/{member_id}
await miroFetch(`/v2/boards/${boardId}/members/${memberId}`, 'PATCH', {
  role: 'commenter',
});

// Remove member from board
// DELETE https://api.miro.com/v2/boards/{board_id}/members/{member_id}
await miroFetch(`/v2/boards/${boardId}/members/${memberId}`, 'DELETE');
```

## Team Management (Enterprise)

```typescript
// List teams in organization
// GET https://api.miro.com/v2/orgs/{org_id}/teams (Enterprise)
const teams = await miroFetch(`/v2/orgs/${orgId}/teams?limit=50`);

// Get team details
// GET https://api.miro.com/v2/teams/{team_id}
const team = await miroFetch(`/v2/teams/${teamId}`);

// List team members
// GET https://api.miro.com/v2/teams/{team_id}/members
const teamMembers = await miroFetch(`/v2/teams/${teamId}/members?limit=100`);

// Invite user to team
// POST https://api.miro.com/v2/teams/{team_id}/members
await miroFetch(`/v2/teams/${teamId}/members`, 'POST', {
  emails: ['newdev@company.com'],
  role: 'member',         // 'member' | 'admin' | 'non_team'
});
```

## Organization Management (Enterprise)

```typescript
// Get organization info
// GET https://api.miro.com/v2/orgs/{org_id}
const org = await miroFetch(`/v2/orgs/${orgId}`);

// List organization members
// GET https://api.miro.com/v2/orgs/{org_id}/members
const orgMembers = await miroFetch(`/v2/orgs/${orgId}/members?limit=100`);
```

## SCIM User Provisioning (Enterprise)

Miro supports SCIM 2.0 for automated user lifecycle management from identity providers (Okta, Azure AD, OneLogin).

```typescript
// SCIM Base URL: https://miro.com/api/v1/scim/v2

// Create user via SCIM
// POST https://miro.com/api/v1/scim/v2/Users
const scimUser = await fetch('https://miro.com/api/v1/scim/v2/Users', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${scimToken}`,
    'Content-Type': 'application/scim+json',
  },
  body: JSON.stringify({
    schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
    userName: 'newuser@company.com',
    name: { givenName: 'New', familyName: 'User' },
    emails: [{ value: 'newuser@company.com', type: 'work', primary: true }],
    active: true,
  }),
});

// List users via SCIM
// GET https://miro.com/api/v1/scim/v2/Users
const users = await fetch('https://miro.com/api/v1/scim/v2/Users?filter=active eq true', {
  headers: { 'Authorization': `Bearer ${scimToken}` },
});

// Deactivate user (deprovision)
// PATCH https://miro.com/api/v1/scim/v2/Users/{user_id}
await fetch(`https://miro.com/api/v1/scim/v2/Users/${scimUserId}`, {
  method: 'PATCH',
  headers: {
    'Authorization': `Bearer ${scimToken}`,
    'Content-Type': 'application/scim+json',
  },
  body: JSON.stringify({
    schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
    Operations: [{ op: 'replace', path: 'active', value: false }],
  }),
});

// Manage team membership via SCIM Groups
// GET https://miro.com/api/v1/scim/v2/Groups
// POST/PATCH Groups to add/remove team members
```

## Board Sharing Policies

Control how boards can be shared at creation time:

```typescript
// Create board with restrictive sharing
await miroFetch('/v2/boards', 'POST', {
  name: 'Confidential Strategy Board',
  policy: {
    sharingPolicy: {
      access: 'private',                        // Only invited members
      inviteToAccountAndBoardLinkAccess: 'no_access',
      organizationAccess: 'private',             // Not visible to org
      teamAccess: 'private',                     // Not visible to team
    },
    permissionsPolicy: {
      collaborationToolsStartAccess: 'all_editors',
      copyAccess: 'team_members',                // Only team can copy
      sharingAccess: 'owners_and_coowners',       // Only owners can share
    },
  },
});

// Create board with open team access
await miroFetch('/v2/boards', 'POST', {
  name: 'Team Brainstorming',
  teamId: teamId,
  policy: {
    sharingPolicy: {
      access: 'edit',                            // Team can edit by default
      teamAccess: 'edit',
    },
    permissionsPolicy: {
      sharingAccess: 'team_members_and_collaborators',
    },
  },
});
```

## Audit Logs (Enterprise)

```typescript
// Get audit logs — requires 'auditlogs:read' scope
// GET https://api.miro.com/v2/orgs/{org_id}/audit-logs
const logs = await miroFetch(
  `/v2/orgs/${orgId}/audit-logs?limit=100&createdAfter=${startDate}`
);

// Log entries include:
// - User actions (board created, item modified, member added)
// - Admin actions (team created, user deactivated, settings changed)
// - API actions (OAuth token issued, SCIM provisioning)

for (const entry of logs.data) {
  console.log({
    action: entry.action,
    actor: entry.actor?.email,
    target: entry.context?.boardId ?? entry.context?.teamId,
    timestamp: entry.createdAt,
  });
}
```

## Access Control Middleware

Enforce board-level permissions in your application:

```typescript
type BoardRole = 'viewer' | 'commenter' | 'editor' | 'coowner' | 'owner';

const ROLE_HIERARCHY: Record<BoardRole, number> = {
  viewer: 0,
  commenter: 1,
  editor: 2,
  coowner: 3,
  owner: 4,
};

function hasMinimumRole(userRole: BoardRole, requiredRole: BoardRole): boolean {
  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];
}

async function requireBoardRole(boardId: string, userId: string, minRole: BoardRole) {
  const members = await miroFetch(`/v2/boards/${boardId}/members?limit=100`);
  const user = members.data.find((m: any) => m.id === userId);

  if (!user) {
    throw new Error('User is not a board member');
  }

  if (!hasMinimumRole(user.role, minRole)) {
    throw new Error(`Requires ${minRole} role, user has ${user.role}`);
  }
}

// Usage
await requireBoardRole(boardId, userId, 'editor');
// Throws if user doesn't have editor or higher role
```

## Required OAuth Scopes

| Feature | Required Scope |
|---------|---------------|
| Board members | `boards:read` (list) / `boards:write` (manage) |
| Team management | `team:read` / `team:write` |
| Organization | `organizations:read` |
| Audit logs | `auditlogs:read` |
| SCIM provisioning | SCIM token (separate from OAuth) |

## Error Handling

| Error | Status | Cause | Solution |
|-------|--------|-------|----------|
| `insufficientPermissions` | 403 | Missing scope | Add required scope in app settings |
| `memberNotFound` | 404 | User not on board | Invite user first |
| `teamNotFound` | 404 | Wrong team ID or no access | Verify org/team hierarchy |
| `orgNotFound` | 404 | Not Enterprise plan | Upgrade to Enterprise |
| `scimTokenInvalid` | 401 | Wrong SCIM token | Generate new token in admin console |

## Resources

- [Miro Board Members](https://developers.miro.com/docs/rest-api-reference-guide)
- [Permission Scopes](https://developers.miro.com/reference/scopes)
- [SCIM API Introduction](https://developers.miro.com/reference/scim-introduction)
- [Teams API Guide](https://developers.miro.com/docs/teams-api-securely-manage-boards-teams-at-scale)
- [SCIM Groups (Teams)](https://developers.miro.com/docs/groups)

## Next Steps

For major migrations, see `miro-migration-deep-dive`.

Related Skills

windsurf-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".

webflow-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".

vercel-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".

veeva-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".

vastai-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".

twinmind-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".

supabase-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".

speak-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".

snowflake-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".

windsurf-enterprise-sso

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".

shopify-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".

sentry-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".