Granola Enterprise RBAC
Overview
Configure enterprise role-based access control for Granola meeting notes.
Prerequisites
- •Granola Business or Enterprise plan
- •Organization admin access
- •SSO configured (recommended)
- •Security policy defined
Role Hierarchy
Built-in Roles
code
Organization Owner (Super Admin)
↓
Organization Admin
↓
Workspace Admin
↓
Team Lead
↓
Member
↓
Viewer
↓
Guest (External)
Role Definitions
Organization Owner
yaml
Role: Organization Owner Level: Super Admin Scope: Entire organization Permissions: billing: full organization_settings: full workspace_management: full user_management: full data_export: full audit_logs: read integrations: full sso_configuration: full Limits: max_per_org: 1-3 cannot_be_removed: by other admins
Organization Admin
yaml
Role: Organization Admin Level: High Scope: Entire organization Permissions: billing: read organization_settings: read_write workspace_management: full user_management: full data_export: full audit_logs: read integrations: full sso_configuration: read Limits: max_per_org: unlimited assigned_by: org_owner
Workspace Admin
yaml
Role: Workspace Admin Level: Medium-High Scope: Assigned workspace(s) Permissions: workspace_settings: full member_management: full templates: full integrations: workspace_only data_export: workspace_only sharing_controls: full Limits: scope: specific workspaces assigned_by: org_admin
Team Lead
yaml
Role: Team Lead Level: Medium Scope: Assigned team(s) Permissions: team_members: manage templates: create_edit notes: team_visibility sharing: within_org reports: team_only Limits: cannot: modify workspace settings cannot: manage other teams
Member
yaml
Role: Member Level: Standard Scope: Own notes + shared Permissions: notes: create_edit_own sharing: as_configured templates: use export: own_notes integrations: use_configured Limits: cannot: manage users cannot: modify settings
Viewer
yaml
Role: Viewer Level: Low Scope: Shared notes only Permissions: notes: read_shared sharing: none templates: none export: none Limits: read_only: true cannot: create notes
Guest
yaml
Role: Guest Level: External Scope: Specific shared content Permissions: notes: read_specific sharing: none time_limited: yes workspace_access: none Limits: requires: explicit invite expires: configurable
Permission Matrix
Note Permissions
| Action | Owner | Admin | Lead | Member | Viewer | Guest |
|---|---|---|---|---|---|---|
| Create | Yes | Yes | Yes | Yes | No | No |
| Edit Own | Yes | Yes | Yes | Yes | No | No |
| Edit Others | Yes | Yes | Team | No | No | No |
| Delete Own | Yes | Yes | Yes | Yes | No | No |
| Delete Others | Yes | Yes | No | No | No | No |
| View All | Yes | Yes | Team | Shared | Shared | Specific |
Sharing Permissions
| Action | Owner | Admin | Lead | Member | Viewer |
|---|---|---|---|---|---|
| Share Internal | Yes | Yes | Yes | Config | No |
| Share External | Yes | Yes | Config | No | No |
| Public Links | Yes | Config | No | No | No |
| Revoke Access | Yes | Yes | Team | Own | No |
Admin Permissions
| Action | Org Owner | Org Admin | WS Admin | Lead | Member |
|---|---|---|---|---|---|
| Manage Billing | Yes | View | No | No | No |
| SSO Config | Yes | View | No | No | No |
| Create Workspace | Yes | Yes | No | No | No |
| Delete Workspace | Yes | Yes | No | No | No |
| Manage Users | Yes | Yes | WS Only | Team | No |
| View Audit Logs | Yes | Yes | WS Only | No | No |
Configuration
Assign Roles
markdown
## Role Assignment Via Admin Panel: 1. Settings > Users 2. Find user 3. Click "Edit Role" 4. Select role 5. Choose workspace scope (if applicable) 6. Save changes Via SSO Group Mapping: 1. Settings > SSO > Group Mapping 2. Map SSO group to Granola role 3. Set default workspace 4. Enable auto-provisioning
Custom Roles (Enterprise)
yaml
# Custom Role Definition Role: Content Manager Base: Member Scope: Marketing Workspace Additional Permissions: templates: create_edit_delete shared_notes: edit_all external_sharing: enabled analytics: workspace_view Restrictions: cannot: delete_others_notes cannot: manage_users
Role Inheritance
markdown
## Inheritance Rules 1. Workspace role inherits org permissions 2. Higher role can access lower role data 3. Explicit deny overrides inheritance 4. Guest role has no inheritance Example: - User is Org Admin → auto Workspace Admin everywhere - User is Team Lead in Eng → Member elsewhere
SSO Integration
Group Mapping
yaml
# SAML/OIDC Group → Granola Role
SSO Provider: Okta
Group Mappings:
"Granola-Owners":
role: organization_owner
workspaces: all
"Granola-Admins":
role: organization_admin
workspaces: all
"Engineering-Team":
role: member
workspaces: [engineering]
"Engineering-Leads":
role: workspace_admin
workspaces: [engineering]
"Sales-Team":
role: member
workspaces: [sales]
"External-Partners":
role: guest
workspaces: [partner-collab]
JIT Provisioning
yaml
# Just-in-Time User Creation Settings: jit_provisioning: enabled default_role: member default_workspace: general require_email_domain: "@company.com" Process: 1. User signs in via SSO 2. Account created automatically 3. Groups evaluated 4. Role assigned based on groups 5. Access granted immediately
Access Policies
Sharing Policy
yaml
# Organization Sharing Policy Internal Sharing: default: enabled team_sharing: automatic cross_workspace: admin_approval External Sharing: enabled: true require_approval: workspace_admin link_expiration: 30_days password_protection: optional Public Links: enabled: false # Disabled for security
Data Access Policy
yaml
# Data Access Restrictions
By Workspace:
Corporate:
visibility: owners_only
download: disabled
external: prohibited
Engineering:
visibility: workspace
download: enabled
external: with_approval
Sales:
visibility: workspace
download: enabled
external: enabled
crm_sync: automatic
Audit & Compliance
Role Change Auditing
markdown
## Audit Events
Logged Actions:
- Role assigned
- Role removed
- Permission changed
- Workspace access granted
- Workspace access revoked
- Guest invited
- Guest expired
Log Format:
{
"timestamp": "2025-01-06T15:00:00Z",
"actor": "admin@company.com",
"action": "role_changed",
"target": "user@company.com",
"old_role": "member",
"new_role": "team_lead",
"workspace": "engineering"
}
Access Review
markdown
## Quarterly Access Review Checklist: - [ ] Export user role report - [ ] Review admin access - [ ] Check guest accounts - [ ] Verify workspace assignments - [ ] Remove inactive users - [ ] Update role mappings - [ ] Document changes
Best Practices
Principle of Least Privilege
markdown
## Access Guidelines 1. Start with Viewer role 2. Upgrade as needed 3. Use workspace-specific roles 4. Review access quarterly 5. Remove access promptly when role changes Anti-patterns: ✗ Everyone as Admin ✗ Permanent guest access ✗ Unused workspace admin rights ✗ Orphaned accounts
Role Lifecycle
markdown
## User Lifecycle Onboarding: 1. Create via SSO/JIT 2. Assign default role 3. Add to relevant workspaces 4. Provide training Role Change: 1. Request from manager 2. Approve by workspace admin 3. Update role 4. Verify access Offboarding: 1. Triggered by HR system 2. Disable account 3. Revoke all access 4. Transfer note ownership 5. Archive after 30 days
Resources
Next Steps
Proceed to granola-migration-deep-dive for migration from other tools.