navan-enterprise-rbac
Configure Navan admin roles, travel policies, approval workflows, and department-level access controls. Use when setting up enterprise RBAC, policy enforcement, or approval chains in Navan. Trigger with "navan rbac", "navan roles", "navan travel policy", "navan approval workflow".
Best use case
navan-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Navan admin roles, travel policies, approval workflows, and department-level access controls. Use when setting up enterprise RBAC, policy enforcement, or approval chains in Navan. Trigger with "navan rbac", "navan roles", "navan travel policy", "navan approval workflow".
Teams using navan-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/navan-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How navan-enterprise-rbac Compares
| Feature / Agent | navan-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Navan admin roles, travel policies, approval workflows, and department-level access controls. Use when setting up enterprise RBAC, policy enforcement, or approval chains in Navan. Trigger with "navan rbac", "navan roles", "navan travel policy", "navan approval workflow".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
SKILL.md Source
# Navan Enterprise RBAC
## Overview
Navan's enterprise tier provides granular role-based access control, configurable travel policies, and multi-tier approval workflows. The platform enforces in-policy vs out-of-policy bookings at the point of purchase — travelers see policy-compliant options highlighted and must justify out-of-policy selections through approval chains. This skill covers the admin role hierarchy, policy rule configuration, department-scoped access, and API-driven policy management.
## Prerequisites
- Navan enterprise account with Global Admin or Travel Admin access
- OAuth 2.0 credentials with admin-scoped permissions (see `navan-install-auth`)
- Organizational hierarchy defined (departments, cost centers, reporting lines)
- Dedicated Customer Success Manager contact (included with enterprise tier)
## Instructions
### Step 1: Understand the Navan Role Hierarchy
```
Global Admin
├── Travel Admin — Manage travel policies, view all bookings
├── Expense Admin — Manage expense policies, approve/reject reports
├── Finance Admin — View spend analytics, export financial reports
├── Department Manager — Approve bookings/expenses for direct reports
├── Arranger — Book travel on behalf of other employees
└── Traveler — Book own travel within policy, submit expenses
```
| Role | Book Travel | Approve | View All Bookings | Edit Policies | Manage Users |
|------|-------------|---------|-------------------|---------------|--------------|
| Global Admin | Yes | Yes | Yes | Yes | Yes |
| Travel Admin | Yes | Yes | Yes | Yes | No |
| Expense Admin | No | Yes | Expenses Only | Expense Only | No |
| Finance Admin | No | No | Yes (read-only) | No | No |
| Dept Manager | Yes | Own Dept | Own Dept | No | No |
| Arranger | Others | No | Arranged Only | No | No |
| Traveler | Self | No | Own Only | No | No |
### Step 2: Configure Travel Policy Rules via API
```typescript
const accessToken = process.env.NAVAN_ACCESS_TOKEN!;
// Retrieve current travel policy
const policyRes = await fetch('https://api.navan.com/v1/travel-policies', {
headers: { 'Authorization': `Bearer ${accessToken}` }
});
const policies = await policyRes.json();
// Create a department-specific policy
const newPolicy = await fetch('https://api.navan.com/v1/travel-policies', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
name: 'Engineering Department Policy',
department_ids: ['dept-eng-001'],
rules: {
flight: {
max_price: 800,
cabin_class: 'economy',
advance_booking_days: 14,
allow_premium_economy: true,
allow_business_class: false
},
hotel: {
max_nightly_rate: 250,
max_star_rating: 4,
preferred_chains: ['marriott', 'hilton', 'hyatt']
},
car_rental: {
max_daily_rate: 75,
max_class: 'intermediate',
preferred_vendors: ['enterprise', 'national']
},
out_of_policy: {
action: 'require_approval', // 'block' | 'require_approval' | 'warn'
require_justification: true,
auto_escalate_above: 1500 // Auto-escalate to finance above this amount
}
}
})
});
```
### Step 3: Set Up Approval Workflows
```typescript
// Configure multi-tier approval chain
const approvalWorkflow = await fetch('https://api.navan.com/v1/approval-workflows', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
name: 'Standard Travel Approval',
applies_to: ['booking', 'expense'],
tiers: [
{
order: 1,
approver_type: 'direct_manager',
conditions: { min_amount: 0 },
auto_approve_below: 200,
timeout_hours: 48,
timeout_action: 'escalate'
},
{
order: 2,
approver_type: 'department_head',
conditions: { min_amount: 1000 },
timeout_hours: 72,
timeout_action: 'escalate'
},
{
order: 3,
approver_type: 'finance_admin',
conditions: { min_amount: 5000 },
timeout_hours: 24,
timeout_action: 'notify_global_admin'
}
],
out_of_policy_override: {
always_require_tier: 2,
justification_required: true
}
})
});
```
### Step 4: Assign Users to Departments and Roles
```typescript
// Bulk role assignment for department onboarding
async function assignDepartmentRoles(
departmentId: string,
userEmails: string[],
role: string
): Promise<void> {
for (const email of userEmails) {
const res = await fetch('https://api.navan.com/v1/users/role-assignment', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
email,
role,
department_id: departmentId,
effective_date: new Date().toISOString()
})
});
if (!res.ok) {
console.error(`Failed to assign ${role} to ${email}: HTTP ${res.status}`);
} else {
console.log(`Assigned ${role} to ${email} in dept ${departmentId}`);
}
}
}
// Example: onboard engineering managers
await assignDepartmentRoles('dept-eng-001', [
'manager1@company.com',
'manager2@company.com'
], 'department_manager');
```
### Step 5: Audit Role Assignments
```bash
# List all users with admin roles
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/users?role=admin&limit=100' | python3 -m json.tool
# Get policy violations report
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/reports/policy-violations?start_date=2026-01-01' \
| python3 -m json.tool
```
## Output
A fully configured RBAC system with department-scoped travel policies, multi-tier approval workflows, and role assignments for the organizational hierarchy. Travelers see policy-compliant options at booking time, out-of-policy requests route through the approval chain, and admins have audit visibility into policy violations.
## Error Handling
| Error | Code | Solution |
|-------|------|----------|
| Insufficient admin permissions | 403 | Requesting user needs Global Admin or Travel Admin role |
| Department not found | 404 | Verify department_id exists; create via admin dashboard first |
| Conflicting policy rules | 409 | Two policies targeting the same department; deactivate the old one first |
| Invalid approval chain | 400 | Ensure tier order is sequential and approver_type values are valid |
| User not found | 404 | Verify email matches an active Navan user; check SCIM sync status |
## Examples
**Check a user's effective policy:**
```bash
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/users/user@company.com/effective-policy' \
| python3 -m json.tool
```
**Export policy compliance summary:**
```bash
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/reports/policy-compliance?period=monthly' \
| python3 -m json.tool
```
## Resources
- [Navan Help Center](https://app.navan.com/app/helpcenter) — Admin role configuration and policy setup guides
- [Navan Security](https://navan.com/security) — SOC 2, ISO 27001, PCI DSS compliance documentation
- [Navan Integrations](https://navan.com/integrations) — SCIM and directory sync for automated role management
## Next Steps
After configuring RBAC, see `navan-security-basics` for SSO/SAML enforcement and credential hardening, or `navan-observability` for monitoring policy compliance and booking patterns.Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".