replit-enterprise-rbac
Configure Replit Teams roles, SSO/SAML, custom groups, and organization-level access control. Use when setting up team permissions, configuring SSO, managing deployment access, or auditing organization security on Replit. Trigger with phrases like "replit SSO", "replit RBAC", "replit enterprise", "replit roles", "replit permissions", "replit SAML", "replit teams admin".
claude-codecodexopenclaw
Allowed Tools
ReadWriteEditBash(curl:*)
Provided by Plugin
replit-pack
Claude Code skill pack for Replit (30 skills)
Installation
This skill is included in the replit-pack plugin:
/plugin install replit-pack@claude-code-plugins-plusClick to copy
Instructions
Replit Enterprise RBAC
Overview
Manage team access to Replit workspaces, deployments, and AI features. Covers the built-in role system (Admin, Manager, Editor, Viewer), custom groups (Enterprise only), SSO/SAML integration, deployment permissions, and audit logging.
Prerequisites
- Replit Teams or Enterprise plan
- Organization Owner or Admin role
- SSO identity provider (Enterprise only): Okta, Azure AD, Google Workspace
Role Hierarchy
| Role | Create Repls | Deploy | Manage Members | Billing | AI Features |
|---|---|---|---|---|---|
| Owner | Yes | All | Yes | Yes | Yes |
| Admin | Yes | All | Yes | View only | Yes |
| Manager | Yes | Staging | Add/remove | No | Yes |
| Editor | Yes | No | No | No | Yes |
| Viewer | No | No | No | No | No |
Instructions
Step 1: Configure Organization Roles
In Organization Settings > Members:
1. Invite members:
- Click "Invite" > enter email
- Select role: Admin, Manager, Editor, or Viewer
- Member receives email invitation
2. Bulk management (2025+):
- CSV export of all members
- Sort/filter by role, activity, last login
- Bulk role changes
3. Role assignment strategy:
- Owners: 1-2 (billing + full admin)
- Admins: team leads (manage members + deploy)
- Managers: senior devs (deploy to staging)
- Editors: developers (create + code)
- Viewers: stakeholders (read-only access)
Step 2: Custom Groups (Enterprise Only)
Enterprise plan enables custom permission groups:
1. Organization Settings > Groups
2. Create group: e.g., "Backend Team"
3. Assign permissions:
- Access to specific Repls
- Deployment permissions (staging only, or all)
- AI feature access
4. Add members to group
Example groups:
- "Frontend Team": access to UI Repls, deploy to staging
- "DevOps": all Repls, deploy to production, manage secrets
- "Contractors": specific Repls only, no deployment access
- "QA": read all, deploy to staging, no production
Step 3: SSO/SAML Configuration (Enterprise Only)
Organization Settings > Security > SSO:
1. Choose provider:
- Okta
- Azure Active Directory
- Google Workspace
- Any SAML 2.0 compatible IdP
2. Configure SAML:
- ACS URL: provided by Replit
- Entity ID: provided by Replit
- Certificate: from your IdP
- Map IdP groups to Replit roles
3. Enable enforcement:
- "Require SSO": blocks password-based login
- Session timeout: recommended 12 hours
- IdP-initiated logout support
4. Test:
- Try login with SSO before enforcing
- Verify role mapping works correctly
- Test session timeout behavior
Step 4: Deployment Permission Controls
Control who can deploy and where:
Organization Settings > Deployments > Permissions:
Production deployments:
- Restrict to Admin + Owner only
- Require approval workflow (Enterprise)
- Custom domain management: Admin only
Staging deployments:
- Allow Managers and above
- Auto-deploy from staging branch
Development:
- All Editors can run in Workspace
- Dev database access for all team members
Step 5: Audit Logging
# View recent team activity
curl "https://replit.com/api/v1/teams/TEAM_ID/audit-log?limit=50" \
-H "Authorization: Bearer $REPLIT_TOKEN" | \
jq '.events[] | {user, action, resource, timestamp}'
# Common audit events:
# - member.invited
# - member.removed
# - member.role_changed
# - repl.created
# - repl.deleted
# - deployment.created
# - deployment.rolled_back
# - secret.created
# - secret.deleted
Enterprise audit features:
- Exportable audit logs (CSV)
- 90-day retention
- Filter by user, action, resource
- API access for SIEM integration
Step 6: Quarterly Access Review
## Access Review Checklist (run quarterly)
1. Export member list from Organization Settings
2. Review each member:
- [ ] Last active date within 30 days?
- [ ] Role appropriate for current responsibilities?
- [ ] Still on the team/project?
3. Actions:
- Remove members not active in 30+ days
- Downgrade over-privileged members
- Upgrade members needing more access
4. Document changes and rationale
5. Verify SSO group mappings still accurate
Cost impact:
- Each removed seat saves $25-40/month
- Quarterly review prevents seat creep
Step 7: AI Feature Controls
Replit AI features (Agent, Assistant, Ghostwriter):
Organization Settings > AI Features:
- Enable/disable AI for entire organization
- Per-role AI access (Enterprise)
- Usage tracking per member
Controls:
- Agent: can create files, install packages, deploy
- Assistant: code suggestions, chat
- Ghostwriter: inline completions
Recommendation:
- Enable AI for all developers (Editors+)
- Restrict Agent deployment to Managers+
- Monitor AI usage via dashboard
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| Member can't deploy | Insufficient role | Promote to Manager or Admin |
| SSO redirect loop | Wrong ACS URL | Verify callback URL matches Replit config |
| Seat limit exceeded | Plan capacity reached | Remove inactive members or upgrade |
| Custom group not working | Not on Enterprise plan | Groups require Enterprise |
| AI features disabled | Org-level toggle off | Enable in Organization Settings > AI |
Resources
Next Steps
For data migration patterns, see replit-migration-deep-dive.