windsurf-enterprise-rbacClaude Skill
Configure Windsurf enterprise SSO, role-based access control, and organization management.
1.9k Stars
261 Forks
2025/10/10
| name | windsurf-enterprise-rbac |
| description | Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management". |
| allowed-tools | Read, Write, Edit |
| version | 1.0.0 |
| license | MIT |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
| compatible-with | claude-code, codex, openclaw |
| tags | ["saas","windsurf","enterprise","sso","rbac","admin"] |
Windsurf Enterprise RBAC
Overview
Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.
Prerequisites
- Windsurf Teams ($30/user/mo) or Enterprise (custom pricing) plan
- Organization admin access at windsurf.com/dashboard
- Identity provider for SSO (Enterprise only): Okta, Entra ID, Google Workspace
Instructions
Step 1: Configure SSO / SAML (Enterprise Only)
Navigate to Admin Dashboard > Security > SSO:
# SSO Configuration Steps sso_setup: 1_choose_idp: supported: ["Okta", "Microsoft Entra ID", "Google Workspace", "Any SAML 2.0 IdP"] 2_configure_saml: entity_id: "https://windsurf.com/saml/your-org-id" acs_url: "https://windsurf.com/saml/callback" # Get these from Admin Dashboard > SSO > SAML Configuration 3_idp_settings: # Configure in your IdP: sign_on_url: "https://windsurf.com/saml/login/your-org-id" audience_uri: "https://windsurf.com/saml/your-org-id" name_id_format: "emailAddress" attribute_statements: email: "user.email" firstName: "user.firstName" lastName: "user.lastName" 4_enforce: enforce_sso: true # Block password login after SSO is verified auto_provision: true # New IdP users get Windsurf seats automatically domain_restriction: ["yourcompany.com"] # Only allow company emails
Step 2: Configure Roles and Permissions
# Windsurf RBAC Model roles: owner: description: "Organization owner — full control" permissions: - Manage billing and subscription - Add/remove admins - Configure SSO - View all analytics - Manage all seats admin: description: "Team administrator" permissions: - Add/remove members - Assign seat tiers (Pro, Free) - View team analytics - Configure org-wide settings - Manage MCP server allowlist member: description: "Standard developer" permissions: - Use assigned AI features - Configure personal settings - Create workspace rules - Cannot view team analytics # Assign roles via Admin Dashboard > Members > Edit Role
Step 3: Organization-Wide AI Policies
# Admin Dashboard > Settings > AI Policies org_policies: # Control which AI models are available allowed_models: - "swe-1" - "swe-1-lite" - "claude-sonnet" # Disable models not approved by security team # Terminal command execution controls cascade_terminal: max_execution_level: "normal" # Options: turbo, normal, manual global_deny_list: - "rm -rf" - "sudo" - "curl | bash" - "DROP TABLE" - "format" # Data controls data_policies: telemetry: "off" # No telemetry for enterprise data_retention: "zero" # Zero-data retention code_context_sharing: "workspace_only" # AI sees only current workspace # Feature controls feature_flags: previews_enabled: true mcp_enabled: true workflows_enabled: true auto_deploy_enabled: false # Disable direct deployment from IDE
Step 4: Seat Management Workflow
# Seat lifecycle management seat_management: onboarding: 1. "Admin invites user via Admin Dashboard > Members > Invite" 2. "User receives email with SSO login link" 3. "SSO authenticates user with company IdP" 4. "User gets assigned tier (Pro/Free) based on role" 5. "User opens project — .windsurfrules provides context" offboarding: 1. "Disable user in IdP (SSO will auto-block)" 2. "Remove seat in Admin Dashboard > Members" 3. "Seat becomes available for reassignment" 4. "User's local memories/config remain on their machine" tier_changes: upgrade: "Admin Dashboard > Members > Select user > Change to Pro" downgrade: "Admin Dashboard > Members > Select user > Change to Free" note: "Downgraded users keep Supercomplete, lose Cascade Write mode"
Step 5: Audit and Compliance
# Admin Dashboard > Analytics > Audit audit_capabilities: available: - User login events (SSO audit trail) - Credit usage per user per day - Feature usage patterns - Seat assignment changes - Admin actions exportable: - CSV export of member usage - API access for SIEM integration (Enterprise) compliance_certifications: - SOC 2 Type II - FedRAMP High - HIPAA BAA (on request) - GDPR compliant
Step 6: Service Keys for API Access (Enterprise)
# For programmatic access to admin APIs service_keys: purpose: "CI/CD integration, usage reporting, automated provisioning" create: "Admin Dashboard > Settings > Service Keys > Create" scopes: - "admin:read" — read analytics and member data - "admin:write" — manage members and settings - "usage:read" — read usage metrics rotation: "Rotate every 90 days, revoke immediately on compromise"
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| SSO login fails | SAML certificate expired | Update certificate in IdP and Windsurf |
| User can't access Cascade | No Pro seat assigned | Assign Pro tier in Admin Dashboard |
| Admin can't see analytics | Wrong role | Upgrade to admin role in Dashboard |
| New user auto-provisioned to wrong tier | Default tier not set | Configure default seat tier in Settings |
| Service key rejected | Expired or wrong scope | Generate new key with correct scopes |
Examples
Quick Admin Dashboard Tasks
Add user: Admin Dashboard > Members > Invite > email@company.com
Remove user: Members > Select > Remove from organization
Change tier: Members > Select > Change Plan > Pro/Free
View usage: Analytics > Overview (or per-member view)
Team Structure Example
engineering_org: platform_team: seats: 8 tier: Pro admins: ["tech-lead@company.com"] frontend_team: seats: 6 tier: Pro admins: ["frontend-lead@company.com"] design_team: seats: 3 tier: Free # Mainly CSS, limited AI use contractors: seats: 4 tier: Free note: "Temporary, upgrade to Pro if AI use increases"
Resources
Next Steps
For migration strategies, see windsurf-migration-deep-dive.
Similar Claude Skills & Agent Workflows
safe-file-deletion
6.2k
Enforces explicit user permission before any file deletion.
healthcheck
267.6k
Host security hardening and risk-tolerance configuration for OpenClaw deployments.
1password
267.6k
Set up and use 1Password CLI (op).
feishu-perm
267.6k
Feishu permission management for documents and files.
idapython
5.1k
IDA Pro Python scripting for reverse engineering.
webhook-signature-validator
1.0k
Validate webhook signature validator operations.