home / skills / jeremylongshore / claude-code-plugins-plus-skills / clay-enterprise-rbac

clay-enterprise-rbac skill

safe

/plugins/saas-packs/clay-pack/skills/clay-enterprise-rbac

This skill helps you implement enterprise-grade RBAC and SSO for Clay, enabling precise access control and organization management across teams.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill clay-enterprise-rbac

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

5.2 KB

---
name: clay-enterprise-rbac
description: |
  Configure Clay enterprise SSO, role-based access control, and organization management.
  Use when implementing SSO integration, configuring role-based permissions,
  or setting up organization-level controls for Clay.
  Trigger with phrases like "clay SSO", "clay RBAC",
  "clay enterprise", "clay roles", "clay permissions", "clay SAML".
allowed-tools: Read, Write, Edit
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Clay Enterprise RBAC

## Overview
Configure enterprise-grade access control for Clay integrations.

## Prerequisites
- Clay Enterprise tier subscription
- Identity Provider (IdP) with SAML/OIDC support
- Understanding of role-based access patterns
- Audit logging infrastructure

## Role Definitions

| Role | Permissions | Use Case |
|------|-------------|----------|
| Admin | Full access | Platform administrators |
| Developer | Read/write, no delete | Active development |
| Viewer | Read-only | Stakeholders, auditors |
| Service | API access only | Automated systems |

## Role Implementation

```typescript
enum ClayRole {
  Admin = 'admin',
  Developer = 'developer',
  Viewer = 'viewer',
  Service = 'service',
}

interface ClayPermissions {
  read: boolean;
  write: boolean;
  delete: boolean;
  admin: boolean;
}

const ROLE_PERMISSIONS: Record<ClayRole, ClayPermissions> = {
  admin: { read: true, write: true, delete: true, admin: true },
  developer: { read: true, write: true, delete: false, admin: false },
  viewer: { read: true, write: false, delete: false, admin: false },
  service: { read: true, write: true, delete: false, admin: false },
};

function checkPermission(
  role: ClayRole,
  action: keyof ClayPermissions
): boolean {
  return ROLE_PERMISSIONS[role][action];
}
```

## SSO Integration

### SAML Configuration

```typescript
// Clay SAML setup
const samlConfig = {
  entryPoint: 'https://idp.company.com/saml/sso',
  issuer: 'https://clay.com/saml/metadata',
  cert: process.env.SAML_CERT,
  callbackUrl: 'https://app.yourcompany.com/auth/clay/callback',
};

// Map IdP groups to Clay roles
const groupRoleMapping: Record<string, ClayRole> = {
  'Engineering': ClayRole.Developer,
  'Platform-Admins': ClayRole.Admin,
  'Data-Team': ClayRole.Viewer,
};
```

### OAuth2/OIDC Integration

```typescript
import { OAuth2Client } from '@clay/sdk';

const oauthClient = new OAuth2Client({
  clientId: process.env.CLAY_OAUTH_CLIENT_ID!,
  clientSecret: process.env.CLAY_OAUTH_CLIENT_SECRET!,
  redirectUri: 'https://app.yourcompany.com/auth/clay/callback',
  scopes: ['read', 'write'],
});
```

## Organization Management

```typescript
interface ClayOrganization {
  id: string;
  name: string;
  ssoEnabled: boolean;
  enforceSso: boolean;
  allowedDomains: string[];
  defaultRole: ClayRole;
}

async function createOrganization(
  config: ClayOrganization
): Promise<void> {
  await clayClient.organizations.create({
    ...config,
    settings: {
      sso: {
        enabled: config.ssoEnabled,
        enforced: config.enforceSso,
        domains: config.allowedDomains,
      },
    },
  });
}
```

## Access Control Middleware

```typescript
function requireClayPermission(
  requiredPermission: keyof ClayPermissions
) {
  return async (req: Request, res: Response, next: NextFunction) => {
    const user = req.user as { clayRole: ClayRole };

    if (!checkPermission(user.clayRole, requiredPermission)) {
      return res.status(403).json({
        error: 'Forbidden',
        message: `Missing permission: ${requiredPermission}`,
      });
    }

    next();
  };
}

// Usage
app.delete('/clay/resource/:id',
  requireClayPermission('delete'),
  deleteResourceHandler
);
```

## Audit Trail

```typescript
interface ClayAuditEntry {
  timestamp: Date;
  userId: string;
  role: ClayRole;
  action: string;
  resource: string;
  success: boolean;
  ipAddress: string;
}

async function logClayAccess(entry: ClayAuditEntry): Promise<void> {
  await auditDb.insert(entry);

  // Alert on suspicious activity
  if (entry.action === 'delete' && !entry.success) {
    await alertOnSuspiciousActivity(entry);
  }
}
```

## Instructions

### Step 1: Define Roles
Map organizational roles to Clay permissions.

### Step 2: Configure SSO
Set up SAML or OIDC integration with your IdP.

### Step 3: Implement Middleware
Add permission checks to API endpoints.

### Step 4: Enable Audit Logging
Track all access for compliance.

## Output
- Role definitions implemented
- SSO integration configured
- Permission middleware active
- Audit trail enabled

## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| SSO login fails | Wrong callback URL | Verify IdP config |
| Permission denied | Missing role mapping | Update group mappings |
| Token expired | Short TTL | Refresh token logic |
| Audit gaps | Async logging failed | Check log pipeline |

## Examples

### Quick Permission Check
```typescript
if (!checkPermission(user.role, 'write')) {
  throw new ForbiddenError('Write permission required');
}
```

## Resources
- [Clay Enterprise Guide](https://docs.clay.com/enterprise)
- [SAML 2.0 Specification](https://wiki.oasis-open.org/security/FrontPage)
- [OpenID Connect Spec](https://openid.net/specs/openid-connect-core-1_0.html)

## Next Steps
For major migrations, see `clay-migration-deep-dive`.

Overview

This skill configures Clay enterprise SSO, role-based access control, and organization management for secure, auditable deployments. It provides role definitions, IdP mappings for SAML/OIDC, middleware for permission enforcement, and audit logging patterns. Use it to standardize access across teams and automated systems.

How this skill works

The skill defines a small role model (admin, developer, viewer, service) with explicit read/write/delete/admin flags and a checkPermission helper to enforce actions. It supplies SAML and OAuth/OIDC integration examples and group-to-role mapping to assign roles from IdP claims. Organization-level settings let you require SSO and restrict allowed domains. Middleware hooks gate API endpoints and audit logging captures access events for compliance and alerting.

When to use it

Implement SSO (SAML or OIDC) for Clay enterprise users
Map IdP groups to Clay roles during onboarding
Enforce least-privilege using role-based permission checks in APIs
Set up organization-wide SSO enforcement and allowed domains
Add audit trails and alerts for sensitive operations like deletes

Best practices

Map IdP groups to roles centrally and keep mappings versioned
Enforce SSO for all users in production organizations to prevent shadow accounts
Use middleware to centralize permission checks rather than sprinkling role logic
Log every access attempt with success/failure, user, IP, and action for audits
Alert on suspicious patterns (failed deletes, repeated auth failures) and monitor TTLs for tokens

Example use cases

Onboard a new engineering team: map IdP group to Developer role and provision default org settings
Lock down production: enable enforceSso and restrict allowedDomains for the organization
Automate services: create Service role accounts with API-only access and scoped permissions
Protect delete operations: attach requireClayPermission('delete') middleware and log attempts
Migrate users to a new IdP: update groupRoleMapping and verify audit logs for gaps

FAQ

What prerequisites are required?

You need Clay Enterprise tier, an IdP supporting SAML or OIDC, and an audit logging system in place.

How do I handle token expiration?

Implement refresh token logic in your OAuth client and surface token errors to the user flow so re-authentication is smooth.