posthog-enterprise-rbac

PostHog enterprise access control: organization/project hierarchy, member roles, scoped API keys, SSO/SAML configuration, and activity audit logging. Trigger: "posthog SSO", "posthog RBAC", "posthog enterprise", "posthog roles", "posthog permissions", "posthog SAML", "posthog access".

1,868 stars

byjeremylongshore

View on GitHub Installation ↓

Best use case

posthog-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using posthog-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/posthog-enterprise-rbac/SKILL.md --create-dirs "https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/main/plugins/saas-packs/posthog-pack/skills/posthog-enterprise-rbac/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/posthog-enterprise-rbac/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How posthog-enterprise-rbac Compares

Feature / Agent	posthog-enterprise-rbac	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

ChatGPT vs Claude for Agent Skills

Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.

SKILL.md Source

# PostHog Enterprise RBAC

## Overview

PostHog access control uses a three-level hierarchy: Organization > Project > Resource. Organizations contain multiple projects (e.g., production, staging), and each project has its own data, feature flags, and dashboards. Members are assigned roles at the organization level and can be restricted to specific projects.

## Prerequisites

- PostHog Cloud or self-hosted with enterprise license
- Organization admin role
- Multiple projects configured (one per environment)

## Access Control Model

| Level | Scope | Controls |
|-------|-------|----------|
| Organization | All projects | Member management, billing, SSO enforcement |
| Project | Single project | Feature flags, insights, dashboards, session recordings |
| API Key | Scoped operations | Personal API key with specific scopes |

**Member Roles:**

| Role | Level | Permissions |
|------|-------|------------|
| Owner | 15 | Full admin, billing, delete org |
| Admin | 8 | Manage members, all project settings |
| Member | 1 | View/create insights, flags, recordings |

## Instructions

### Step 1: Set Up Project-Level Access

```bash
set -euo pipefail
# Create a production project with access control
curl -X POST "https://app.posthog.com/api/organizations/$ORG_ID/projects/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production", "access_control": true}'

# Add a member to a specific project (level 1 = Member, 8 = Admin)
curl -X POST "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "USER_UUID", "level": 1}'

# List current project members
curl "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '.results[] | {email: .user.email, level, joined_at}'
```

### Step 2: Create Scoped API Keys

```bash
set -euo pipefail
# Read-only key for BI dashboard integration
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "bi-dashboard-readonly",
    "scopes": ["insight:read", "dashboard:read", "query:read"]
  }'

# Feature flag service key (read + write flags only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "flag-service",
    "scopes": ["feature_flag:read", "feature_flag:write"]
  }'

# Event export key (read events only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "data-export-readonly",
    "scopes": ["event:read", "query:read"]
  }'

# List all personal API keys
curl "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '.[] | {id, label, scopes, created_at}'
```

### Step 3: Configure SSO (Enterprise)

PostHog enterprise supports SAML 2.0 SSO. Configuration is in Organization Settings > Authentication:

1. **Enable SAML**: Add your IdP metadata URL (e.g., Okta, Azure AD, Google Workspace)
2. **Enforce SSO**: Toggle "Enforce SSO" to require all members to authenticate via IdP
3. **Auto-provisioning**: New IdP users are automatically created in PostHog with Member role
4. **Group mapping**: Map IdP groups to PostHog organization roles

```bash
set -euo pipefail
# Check SSO configuration status
curl "https://app.posthog.com/api/organizations/$ORG_ID/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '{
    enforce_sso: .enforce_sso,
    saml_configured: (.saml_enforcement != null),
    member_count: .membership_count
  }'
```

### Step 4: Audit Access and Changes

```bash
set -euo pipefail
# View recent activity log for permission changes
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=Organization" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '[.results[] | select(.activity | contains("member") or contains("role") or contains("api_key")) | {
    user: .user.email,
    activity,
    detail: .detail,
    created_at
  }] | .[:10]'

# View feature flag changes (who changed what)
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=FeatureFlag" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '[.results[:10][] | {
    user: .user.email,
    activity,
    item_id: .item_id,
    created_at
  }]'
```

### Step 5: Access Matrix

```yaml
# Recommended access matrix
access_matrix:
  engineering:
    staging_project:
      role: admin           # Full control in staging
      can_create_flags: true
      can_delete_flags: true
    production_project:
      role: member           # Read + create, no delete in prod
      can_create_flags: true
      can_delete_flags: false  # Require admin approval for flag deletion

  product:
    staging_project:
      role: member
      can_view_recordings: true
      can_create_insights: true
    production_project:
      role: member
      can_view_recordings: true
      can_create_insights: true

  bi_service_account:
    production_project:
      api_key_scopes: [insight:read, dashboard:read, query:read]
      # No write access

  flag_service_account:
    production_project:
      api_key_scopes: [feature_flag:read, feature_flag:write]
      # Only flag operations
```

## Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| 403 on feature flag endpoint | Key missing required scope | Create key with `feature_flag:read` scope |
| Member sees prod data | Project access not restricted | Remove from prod project, add to staging only |
| SSO bypass possible | SSO not enforced | Enable "Enforce SSO" in org settings |
| Can't create scoped key | Not org admin | Only admins can create API keys |
| Activity log gaps | Self-hosted log rotation | Increase log retention in PostHog config |

## Output

- Project-level member access configured
- Scoped API keys for services (BI, flag service, export)
- SSO/SAML enforcement enabled
- Activity audit log queries
- Access matrix documented

## Resources

- [PostHog API Overview](https://posthog.com/docs/api)
- [PostHog Projects API](https://posthog.com/docs/api/projects)
- [PostHog Members API](https://posthog.com/docs/api/members)

## Next Steps

For migration strategies, see `posthog-migration-deep-dive`.

Related Skills

windsurf-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".

webflow-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".

vercel-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".

veeva-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".

vastai-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".

twinmind-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".

supabase-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".

speak-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".

snowflake-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".

windsurf-enterprise-sso

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".

shopify-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".

sentry-enterprise-rbac

1868

from jeremylongshore/claude-code-plugins-plus-skills

Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".