posthog-enterprise-rbacClaude Skill
Configure PostHog enterprise SSO, role-based access control, and organization management.
1.4k Stars
173 Forks
2025/10/10
| name | posthog-enterprise-rbac |
| description | Configure PostHog enterprise SSO, role-based access control, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls for PostHog. Trigger with phrases like "posthog SSO", "posthog RBAC", "posthog enterprise", "posthog roles", "posthog permissions", "posthog SAML". |
| allowed-tools | Read, Write, Edit |
| version | 1.0.0 |
| license | MIT |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
PostHog Enterprise RBAC
Overview
Configure enterprise-grade access control for PostHog integrations.
Prerequisites
- PostHog Enterprise tier subscription
- Identity Provider (IdP) with SAML/OIDC support
- Understanding of role-based access patterns
- Audit logging infrastructure
Role Definitions
| Role | Permissions | Use Case |
|---|---|---|
| Admin | Full access | Platform administrators |
| Developer | Read/write, no delete | Active development |
| Viewer | Read-only | Stakeholders, auditors |
| Service | API access only | Automated systems |
Role Implementation
enum PostHogRole { Admin = 'admin', Developer = 'developer', Viewer = 'viewer', Service = 'service', } interface PostHogPermissions { read: boolean; write: boolean; delete: boolean; admin: boolean; } const ROLE_PERMISSIONS: Record<PostHogRole, PostHogPermissions> = { admin: { read: true, write: true, delete: true, admin: true }, developer: { read: true, write: true, delete: false, admin: false }, viewer: { read: true, write: false, delete: false, admin: false }, service: { read: true, write: true, delete: false, admin: false }, }; function checkPermission( role: PostHogRole, action: keyof PostHogPermissions ): boolean { return ROLE_PERMISSIONS[role][action]; }
SSO Integration
SAML Configuration
// PostHog SAML setup const samlConfig = { entryPoint: 'https://idp.company.com/saml/sso', issuer: 'https://posthog.com/saml/metadata', cert: process.env.SAML_CERT, callbackUrl: 'https://app.yourcompany.com/auth/posthog/callback', }; // Map IdP groups to PostHog roles const groupRoleMapping: Record<string, PostHogRole> = { 'Engineering': PostHogRole.Developer, 'Platform-Admins': PostHogRole.Admin, 'Data-Team': PostHogRole.Viewer, };
OAuth2/OIDC Integration
import { OAuth2Client } from '@posthog/sdk'; const oauthClient = new OAuth2Client({ clientId: process.env.POSTHOG_OAUTH_CLIENT_ID!, clientSecret: process.env.POSTHOG_OAUTH_CLIENT_SECRET!, redirectUri: 'https://app.yourcompany.com/auth/posthog/callback', scopes: ['read', 'write'], });
Organization Management
interface PostHogOrganization { id: string; name: string; ssoEnabled: boolean; enforceSso: boolean; allowedDomains: string[]; defaultRole: PostHogRole; } async function createOrganization( config: PostHogOrganization ): Promise<void> { await posthogClient.organizations.create({ ...config, settings: { sso: { enabled: config.ssoEnabled, enforced: config.enforceSso, domains: config.allowedDomains, }, }, }); }
Access Control Middleware
function requirePostHogPermission( requiredPermission: keyof PostHogPermissions ) { return async (req: Request, res: Response, next: NextFunction) => { const user = req.user as { posthogRole: PostHogRole }; if (!checkPermission(user.posthogRole, requiredPermission)) { return res.status(403).json({ error: 'Forbidden', message: `Missing permission: ${requiredPermission}`, }); } next(); }; } // Usage app.delete('/posthog/resource/:id', requirePostHogPermission('delete'), deleteResourceHandler );
Audit Trail
interface PostHogAuditEntry { timestamp: Date; userId: string; role: PostHogRole; action: string; resource: string; success: boolean; ipAddress: string; } async function logPostHogAccess(entry: PostHogAuditEntry): Promise<void> { await auditDb.insert(entry); // Alert on suspicious activity if (entry.action === 'delete' && !entry.success) { await alertOnSuspiciousActivity(entry); } }
Instructions
Step 1: Define Roles
Map organizational roles to PostHog permissions.
Step 2: Configure SSO
Set up SAML or OIDC integration with your IdP.
Step 3: Implement Middleware
Add permission checks to API endpoints.
Step 4: Enable Audit Logging
Track all access for compliance.
Output
- Role definitions implemented
- SSO integration configured
- Permission middleware active
- Audit trail enabled
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| SSO login fails | Wrong callback URL | Verify IdP config |
| Permission denied | Missing role mapping | Update group mappings |
| Token expired | Short TTL | Refresh token logic |
| Audit gaps | Async logging failed | Check log pipeline |
Examples
Quick Permission Check
if (!checkPermission(user.role, 'write')) { throw new ForbiddenError('Write permission required'); }
Resources
Next Steps
For major migrations, see posthog-migration-deep-dive.
Similar Claude Skills & Agent Workflows
google-analytics
17.0k
Analyze Google Analytics data, review website performance metrics, identify traffic patterns, and suggest data-driven improvements.
docetl
3.4k
Build and run LLM-powered data processing pipelines with DocETL.
pdf-extractor
8.0k
Extract text, tables, and form data from PDF documents for analysis and processing.
schema-exploration
8.3k
For discovering and understanding database structure, tables, columns, and relationships
query-writing
8.3k
For writing and executing SQL queries - from simple single-table queries to complex multi-table JOINs and aggregations
whodb
4.5k
Database operations including querying, schema exploration, and data analysis.