Enterprise role-based access control for Granola.
Use when configuring user roles, setting permissions,
or implementing access control policies.
Trigger with phrases like "granola roles", "granola permissions",
"granola access control", "granola RBAC", "granola admin".
Configure role-based access control for Granola with SSO group mapping, per-workspace permissions, sharing policies, and audit logging. Granola's role hierarchy controls who can create, share, and manage meeting notes across the organization.
Prerequisites
Granola Enterprise plan ($35+/user/month)
Organization admin access
SSO configured (Okta, Azure AD, or Google Workspace)
SCIM provisioning enabled (recommended for automated role assignment)
Instructions
Step 1 — Understand the Role Hierarchy
Organization Owner (1-2 people)
│ Full control: billing, SSO, org settings, all workspaces
│
├── Workspace Admin (per department)
│ Manage workspace: members, integrations, settings
│ All member capabilities
│
├── Team Lead
│ View team analytics, manage folder structure
│ All member capabilities
│
├── Member (default role)
│ Create notes, share internally, use integrations
│
├── Viewer
│ Read-only access to shared notes
│ Cannot create or record meetings
│
└── Guest (external)
Single workspace access, read-only
Time-limited (30-day default expiration)
Step 2 — Permission Matrix
Permission
Owner
WS Admin
Lead
Member
Viewer
Guest
Record meetings
Yes
Yes
Yes
Yes
No
No
Create notes
Yes
Yes
Yes
Yes
No
No
Share internally
Yes
Yes
Yes
Yes
No
No
Share externally
Yes
Yes
Policy
Policy
No
No
View shared notes
Yes
Yes
Yes
Yes
Yes
Yes
Manage integrations
Yes
Yes
No
No
No
No
Manage members
Yes
Yes
No
No
No
No
View analytics
Yes
Yes
Yes
No
No
No
Configure retention
Yes
Yes
No
No
No
No
Manage billing
Yes
No
No
No
No
No
Configure SSO/SCIM
Yes
No
No
No
No
No
Step 3 — Map SSO Groups to Roles
Configure in Organization Settings > Security > SSO > Group Mapping:
SSO Group (IdP)
Granola Workspace
Granola Role
engineering-all
Engineering
Member
engineering-leads
Engineering
Admin
sales-team
Sales
Member
sales-managers
Sales
Admin
product-team
Product
Member
hr-team
HR
Member
hr-directors
HR
Admin
executives
Executive
Admin
contractors-eng
Engineering
Guest
Multi-workspace membership:
A user can belong to multiple workspaces with different roles:
Sarah Chen: Engineering (Member) + Product (Admin) + Executive (Viewer)
Mike Johnson: Sales (Admin) + Engineering (Guest for cross-team visibility)
Step 4 — Configure Sharing Policies
Set per-workspace sharing rules to control data flow:
Standard workspaces (Engineering, Product, Sales):
Workspace Settings > Sharing:
Internal sharing: Automatic within workspace members
Cross-workspace: Allowed with admin approval
External sharing: Allowed with link expiration (30 days)
Public links: Disabled
Confidential workspaces (HR, Executive):
Workspace Settings > Sharing:
Internal sharing: Manual only (no auto-share)
Cross-workspace: Disabled
External sharing: Disabled
Public links: Disabled
Note visibility: Creator + explicitly added viewers only
Step 5 — Implement Least Privilege
Follow the principle of least privilege for role assignments:
Default new users to Member — sufficient for 90% of use cases
Promote to Admin only for workspace managers — IT leads, department heads
Use Viewer for stakeholders who need to read notes but not create them
## Quarterly Access Review Checklist
- [ ] Pull current user list: Settings > Team
- [ ] Verify each user's role matches current job function
- [ ] Deactivate users who have left the organization
- [ ] Downgrade over-privileged users (Admin → Member where appropriate)
- [ ] Remove expired Guest accounts
- [ ] Verify SSO group mappings match current org chart
- [ ] Review sharing policy compliance per workspace
- [ ] Check audit logs for unusual access patterns