playbooks

home / skills / jeremylongshore / claude-code-plugins-plus-skills / retellai-enterprise-rbac

retellai-enterprise-rbac skill

/plugins/saas-packs/retellai-pack/skills/retellai-enterprise-rbac

This skill helps configure Retell AI enterprise SSO, RBAC, and org controls to secure access and streamline administration.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill retellai-enterprise-rbac

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
5.5 KB
---
name: retellai-enterprise-rbac
description: |
  Configure Retell AI enterprise SSO, role-based access control, and organization management.
  Use when implementing SSO integration, configuring role-based permissions,
  or setting up organization-level controls for Retell AI.
  Trigger with phrases like "retellai SSO", "retellai RBAC",
  "retellai enterprise", "retellai roles", "retellai permissions", "retellai SAML".
allowed-tools: Read, Write, Edit
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Retell AI Enterprise RBAC

## Overview
Configure enterprise-grade access control for Retell AI integrations.

## Prerequisites
- Retell AI Enterprise tier subscription
- Identity Provider (IdP) with SAML/OIDC support
- Understanding of role-based access patterns
- Audit logging infrastructure

## Role Definitions

| Role | Permissions | Use Case |
|------|-------------|----------|
| Admin | Full access | Platform administrators |
| Developer | Read/write, no delete | Active development |
| Viewer | Read-only | Stakeholders, auditors |
| Service | API access only | Automated systems |

## Role Implementation

```typescript
enum Retell AIRole {
  Admin = 'admin',
  Developer = 'developer',
  Viewer = 'viewer',
  Service = 'service',
}

interface Retell AIPermissions {
  read: boolean;
  write: boolean;
  delete: boolean;
  admin: boolean;
}

const ROLE_PERMISSIONS: Record<Retell AIRole, Retell AIPermissions> = {
  admin: { read: true, write: true, delete: true, admin: true },
  developer: { read: true, write: true, delete: false, admin: false },
  viewer: { read: true, write: false, delete: false, admin: false },
  service: { read: true, write: true, delete: false, admin: false },
};

function checkPermission(
  role: Retell AIRole,
  action: keyof Retell AIPermissions
): boolean {
  return ROLE_PERMISSIONS[role][action];
}
```

## SSO Integration

### SAML Configuration

```typescript
// Retell AI SAML setup
const samlConfig = {
  entryPoint: 'https://idp.company.com/saml/sso',
  issuer: 'https://retellai.com/saml/metadata',
  cert: process.env.SAML_CERT,
  callbackUrl: 'https://app.yourcompany.com/auth/retellai/callback',
};

// Map IdP groups to Retell AI roles
const groupRoleMapping: Record<string, Retell AIRole> = {
  'Engineering': Retell AIRole.Developer,
  'Platform-Admins': Retell AIRole.Admin,
  'Data-Team': Retell AIRole.Viewer,
};
```

### OAuth2/OIDC Integration

```typescript
import { OAuth2Client } from '@retellai/sdk';

const oauthClient = new OAuth2Client({
  clientId: process.env.RETELLAI_OAUTH_CLIENT_ID!,
  clientSecret: process.env.RETELLAI_OAUTH_CLIENT_SECRET!,
  redirectUri: 'https://app.yourcompany.com/auth/retellai/callback',
  scopes: ['read', 'write'],
});
```

## Organization Management

```typescript
interface Retell AIOrganization {
  id: string;
  name: string;
  ssoEnabled: boolean;
  enforceSso: boolean;
  allowedDomains: string[];
  defaultRole: Retell AIRole;
}

async function createOrganization(
  config: Retell AIOrganization
): Promise<void> {
  await retellaiClient.organizations.create({
    ...config,
    settings: {
      sso: {
        enabled: config.ssoEnabled,
        enforced: config.enforceSso,
        domains: config.allowedDomains,
      },
    },
  });
}
```

## Access Control Middleware

```typescript
function requireRetell AIPermission(
  requiredPermission: keyof Retell AIPermissions
) {
  return async (req: Request, res: Response, next: NextFunction) => {
    const user = req.user as { retellaiRole: Retell AIRole };

    if (!checkPermission(user.retellaiRole, requiredPermission)) {
      return res.status(403).json({
        error: 'Forbidden',
        message: `Missing permission: ${requiredPermission}`,
      });
    }

    next();
  };
}

// Usage
app.delete('/retellai/resource/:id',
  requireRetell AIPermission('delete'),
  deleteResourceHandler
);
```

## Audit Trail

```typescript
interface Retell AIAuditEntry {
  timestamp: Date;
  userId: string;
  role: Retell AIRole;
  action: string;
  resource: string;
  success: boolean;
  ipAddress: string;
}

async function logRetell AIAccess(entry: Retell AIAuditEntry): Promise<void> {
  await auditDb.insert(entry);

  // Alert on suspicious activity
  if (entry.action === 'delete' && !entry.success) {
    await alertOnSuspiciousActivity(entry);
  }
}
```

## Instructions

### Step 1: Define Roles
Map organizational roles to Retell AI permissions.

### Step 2: Configure SSO
Set up SAML or OIDC integration with your IdP.

### Step 3: Implement Middleware
Add permission checks to API endpoints.

### Step 4: Enable Audit Logging
Track all access for compliance.

## Output
- Role definitions implemented
- SSO integration configured
- Permission middleware active
- Audit trail enabled

## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| SSO login fails | Wrong callback URL | Verify IdP config |
| Permission denied | Missing role mapping | Update group mappings |
| Token expired | Short TTL | Refresh token logic |
| Audit gaps | Async logging failed | Check log pipeline |

## Examples

### Quick Permission Check
```typescript
if (!checkPermission(user.role, 'write')) {
  throw new ForbiddenError('Write permission required');
}
```

## Resources
- [Retell AI Enterprise Guide](https://docs.retellai.com/enterprise)
- [SAML 2.0 Specification](https://wiki.oasis-open.org/security/FrontPage)
- [OpenID Connect Spec](https://openid.net/specs/openid-connect-core-1_0.html)

## Next Steps
For major migrations, see `retellai-migration-deep-dive`.

Overview

This skill configures Retell AI enterprise SSO, role-based access control, and organization management for secure, auditable deployments. It guides mapping IdP groups to roles, enforcing SSO and domain controls, and adding permission middleware and audit logging. Use it to centralize access, reduce privilege creep, and meet compliance needs.

How this skill works

The skill defines a small set of roles (admin, developer, viewer, service) with explicit permissions and provides code patterns to check permissions at runtime. It includes SAML and OAuth2/OIDC integration examples to map IdP groups to Retell AI roles and organization settings to enforce SSO and allowed domains. Middleware snippets and audit entry models show how to enforce checks and log actions for compliance and alerting.

When to use it

  • Implement SSO integration for Retell AI (SAML or OIDC)
  • Set up role-based permissions for teams and services
  • Enforce organization-level SSO and allowed domains
  • Add API middleware to protect sensitive endpoints
  • Enable audit trails and alerts for security and compliance

Best practices

  • Define minimal roles and map IdP groups consistently to avoid privilege drift
  • Enforce SSO and allowed domains for corporate accounts to prevent orphaned users
  • Use middleware to centralize permission checks and reduce scattered authorization logic
  • Log all access attempts with role, user, action, and IP for auditability
  • Alert on suspicious patterns (failed deletes, repeated auth failures) and monitor audit pipeline health

Example use cases

  • Map Engineering and Platform-Admins IdP groups to developer and admin roles during SAML setup
  • Configure OAuth2 client for automated integrations and service accounts with 'service' role
  • Protect deletion endpoints with requirePermission('delete') middleware so only admins can remove resources
  • Create organization objects that enforce SSO and restrict signups to company domains
  • Stream audit entries to a SIEM and trigger alerts on failed privileged actions

FAQ

What roles should I start with?

Begin with admin, developer, viewer, and service. They cover full access, standard development, read-only use, and machine accounts respectively.

How do I handle users without IdP group mappings?

Assign a safe default role (viewer) or block access until an administrator maps their IdP group; enable auditing to track unmapped attempts.