windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
Best use case
windsurf-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
Teams using windsurf-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/windsurf-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How windsurf-enterprise-rbac Compares
| Feature / Agent | windsurf-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Windsurf Enterprise RBAC
## Overview
Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.
## Prerequisites
- Windsurf Teams ($30/user/mo) or Enterprise (custom pricing) plan
- Organization admin access at windsurf.com/dashboard
- Identity provider for SSO (Enterprise only): Okta, Entra ID, Google Workspace
## Instructions
### Step 1: Configure SSO / SAML (Enterprise Only)
Navigate to Admin Dashboard > Security > SSO:
```yaml
# SSO Configuration Steps
sso_setup:
1_choose_idp:
supported: ["Okta", "Microsoft Entra ID", "Google Workspace", "Any SAML 2.0 IdP"]
2_configure_saml:
entity_id: "https://windsurf.com/saml/your-org-id"
acs_url: "https://windsurf.com/saml/callback"
# Get these from Admin Dashboard > SSO > SAML Configuration
3_idp_settings:
# Configure in your IdP:
sign_on_url: "https://windsurf.com/saml/login/your-org-id"
audience_uri: "https://windsurf.com/saml/your-org-id"
name_id_format: "emailAddress"
attribute_statements:
email: "user.email"
firstName: "user.firstName"
lastName: "user.lastName"
4_enforce:
enforce_sso: true # Block password login after SSO is verified
auto_provision: true # New IdP users get Windsurf seats automatically
domain_restriction: ["yourcompany.com"] # Only allow company emails
```
### Step 2: Configure Roles and Permissions
```yaml
# Windsurf RBAC Model
roles:
owner:
description: "Organization owner — full control"
permissions:
- Manage billing and subscription
- Add/remove admins
- Configure SSO
- View all analytics
- Manage all seats
admin:
description: "Team administrator"
permissions:
- Add/remove members
- Assign seat tiers (Pro, Free)
- View team analytics
- Configure org-wide settings
- Manage MCP server allowlist
member:
description: "Standard developer"
permissions:
- Use assigned AI features
- Configure personal settings
- Create workspace rules
- Cannot view team analytics
# Assign roles via Admin Dashboard > Members > Edit Role
```
### Step 3: Organization-Wide AI Policies
```yaml
# Admin Dashboard > Settings > AI Policies
org_policies:
# Control which AI models are available
allowed_models:
- "swe-1"
- "swe-1-lite"
- "claude-sonnet"
# Disable models not approved by security team
# Terminal command execution controls
cascade_terminal:
max_execution_level: "normal" # Options: turbo, normal, manual
global_deny_list:
- "rm -rf"
- "sudo"
- "curl | bash"
- "DROP TABLE"
- "format"
# Data controls
data_policies:
telemetry: "off" # No telemetry for enterprise
data_retention: "zero" # Zero-data retention
code_context_sharing: "workspace_only" # AI sees only current workspace
# Feature controls
feature_flags:
previews_enabled: true
mcp_enabled: true
workflows_enabled: true
auto_deploy_enabled: false # Disable direct deployment from IDE
```
### Step 4: Seat Management Workflow
```yaml
# Seat lifecycle management
seat_management:
onboarding:
1. "Admin invites user via Admin Dashboard > Members > Invite"
2. "User receives email with SSO login link"
3. "SSO authenticates user with company IdP"
4. "User gets assigned tier (Pro/Free) based on role"
5. "User opens project — .windsurfrules provides context"
offboarding:
1. "Disable user in IdP (SSO will auto-block)"
2. "Remove seat in Admin Dashboard > Members"
3. "Seat becomes available for reassignment"
4. "User's local memories/config remain on their machine"
tier_changes:
upgrade: "Admin Dashboard > Members > Select user > Change to Pro"
downgrade: "Admin Dashboard > Members > Select user > Change to Free"
note: "Downgraded users keep Supercomplete, lose Cascade Write mode"
```
### Step 5: Audit and Compliance
```yaml
# Admin Dashboard > Analytics > Audit
audit_capabilities:
available:
- User login events (SSO audit trail)
- Credit usage per user per day
- Feature usage patterns
- Seat assignment changes
- Admin actions
exportable:
- CSV export of member usage
- API access for SIEM integration (Enterprise)
compliance_certifications:
- SOC 2 Type II
- FedRAMP High
- HIPAA BAA (on request)
- GDPR compliant
```
### Step 6: Service Keys for API Access (Enterprise)
```yaml
# For programmatic access to admin APIs
service_keys:
purpose: "CI/CD integration, usage reporting, automated provisioning"
create: "Admin Dashboard > Settings > Service Keys > Create"
scopes:
- "admin:read" — read analytics and member data
- "admin:write" — manage members and settings
- "usage:read" — read usage metrics
rotation: "Rotate every 90 days, revoke immediately on compromise"
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| SSO login fails | SAML certificate expired | Update certificate in IdP and Windsurf |
| User can't access Cascade | No Pro seat assigned | Assign Pro tier in Admin Dashboard |
| Admin can't see analytics | Wrong role | Upgrade to admin role in Dashboard |
| New user auto-provisioned to wrong tier | Default tier not set | Configure default seat tier in Settings |
| Service key rejected | Expired or wrong scope | Generate new key with correct scopes |
## Examples
### Quick Admin Dashboard Tasks
```
Add user: Admin Dashboard > Members > Invite > email@company.com
Remove user: Members > Select > Remove from organization
Change tier: Members > Select > Change Plan > Pro/Free
View usage: Analytics > Overview (or per-member view)
```
### Team Structure Example
```yaml
engineering_org:
platform_team:
seats: 8
tier: Pro
admins: ["tech-lead@company.com"]
frontend_team:
seats: 6
tier: Pro
admins: ["frontend-lead@company.com"]
design_team:
seats: 3
tier: Free # Mainly CSS, limited AI use
contractors:
seats: 4
tier: Free
note: "Temporary, upgrade to Pro if AI use increases"
```
## Resources
- [Windsurf Admin Guide](https://docs.windsurf.com/windsurf/guide-for-admins)
- [Windsurf Enterprise](https://windsurf.com/enterprise)
- [Windsurf Security](https://windsurf.com/security)
## Next Steps
For migration strategies, see `windsurf-migration-deep-dive`.Related Skills
windsurf-webhooks-events
Build Windsurf extensions and integrate with VS Code extension API events. Use when building custom Windsurf extensions, tracking editor events, or integrating Windsurf with external tools via extension development. Trigger with phrases like "windsurf extension", "windsurf events", "windsurf plugin", "build windsurf extension", "windsurf API".
windsurf-upgrade-migration
Upgrade Windsurf IDE, migrate settings from VS Code or Cursor, and handle breaking changes. Use when upgrading Windsurf versions, migrating from another editor, or handling configuration changes after updates. Trigger with phrases like "upgrade windsurf", "windsurf update", "migrate to windsurf", "windsurf from cursor", "windsurf from vscode".
windsurf-security-basics
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
windsurf-sdk-patterns
Apply production-ready Windsurf workspace configuration and Cascade interaction patterns. Use when configuring .windsurfrules, workspace rules, MCP servers, or establishing team coding standards for Windsurf AI. Trigger with phrases like "windsurf patterns", "windsurf best practices", "windsurf config patterns", "windsurfrules", "windsurf workspace".
windsurf-reliability-patterns
Implement reliable Cascade workflows with checkpoints, rollback, and incremental editing. Use when building fault-tolerant AI coding workflows, preventing Cascade from breaking builds, or establishing safe practices for multi-file AI edits. Trigger with phrases like "windsurf reliability", "cascade safety", "windsurf rollback", "cascade checkpoint", "safe cascade workflow".
windsurf-reference-architecture
Implement Windsurf reference architecture with optimal project structure and AI configuration. Use when designing workspace configuration for Windsurf, setting up team standards, or establishing architecture patterns that maximize Cascade effectiveness. Trigger with phrases like "windsurf architecture", "windsurf project structure", "windsurf best practices", "windsurf team setup", "optimize for cascade".
windsurf-rate-limits
Understand and manage Windsurf credit system, usage limits, and model selection. Use when running out of credits, optimizing AI usage costs, or understanding the credit-per-model pricing structure. Trigger with phrases like "windsurf credits", "windsurf rate limit", "windsurf usage", "windsurf out of credits", "windsurf model costs".
windsurf-prod-checklist
Execute Windsurf production readiness checklist for team and enterprise deployments. Use when rolling out Windsurf to a team, preparing for enterprise deployment, or auditing production configuration. Trigger with phrases like "windsurf production", "windsurf team rollout", "windsurf go-live", "windsurf enterprise deploy", "windsurf checklist".
windsurf-policy-guardrails
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
windsurf-performance-tuning
Optimize Windsurf IDE performance: indexing speed, Cascade responsiveness, and memory usage. Use when Windsurf is slow, indexing takes too long, Cascade times out, or the IDE uses too much memory. Trigger with phrases like "windsurf slow", "windsurf performance", "optimize windsurf", "windsurf memory", "cascade slow", "indexing slow".
windsurf-observability
Monitor Windsurf AI adoption, feature usage, and team productivity metrics. Use when tracking AI feature usage, measuring ROI, setting up dashboards, or analyzing Cascade effectiveness across your team. Trigger with phrases like "windsurf monitoring", "windsurf metrics", "windsurf analytics", "windsurf usage", "windsurf adoption".
windsurf-multi-env-setup
Configure Windsurf IDE and Cascade AI across team members and project environments. Use when onboarding teams to Windsurf, setting up per-project Cascade configuration, or managing Windsurf settings across development, staging, and production contexts. Trigger with phrases like "windsurf team setup", "windsurf environments", "windsurf multi-project", "windsurf team config", "cascade rules per env".