Skip to main content Configure PostHog enterprise SSO, role-based access control, and organization management.
Use when implementing SSO integration, configuring role-based permissions,
or setting up organization-level controls for PostHog.
Trigger with phrases like "posthog SSO", "posthog RBAC",
"posthog enterprise", "posthog roles", "posthog permissions", "posthog SAML".
npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill posthog-enterprise-rbac ai automation claude-code devops mcp ai-agents
PostHog Enterprise RBAC
Overview
PostHog access control uses a three-level hierarchy: Organization > Project > Resource. Organizations contain multiple projects (e.g., production, staging), and each project has its own data, feature flags, and dashboards. Members are assigned roles at the organization level and can be restricted to specific projects.
Prerequisites
PostHog Cloud or self-hosted with enterprise license
Organization admin role
Multiple projects configured (one per environment)
Access Control Model
Level Scope Controls Organization All projects Member management, billing, SSO enforcement Project Single project Feature flags, insights, dashboards, session recordings API Key Scoped operations Personal API key with specific scopes
Member Roles:
Role Level Permissions Owner
Full admin, billing, delete org
Admin 8 Manage members, all project settings
Member 1 View/create insights, flags, recordings
Instructions
Step 1: Set Up Project-Level Access set -euo pipefail
# Create a production project with access control
curl -X POST "https://app.posthog.com/api/organizations/$ORG_ID/projects/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "Production", "access_control": true}'
# Add a member to a specific project (level 1 = Member, 8 = Admin)
curl -X POST "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"user_id": "USER_UUID", "level": 1}'
# List current project members
curl "https://app.posthog.com/api/projects/$PROD_PROJECT_ID/members/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '.results[] | {email: .user.email, level, joined_at}'
Step 2: Create Scoped API Keys set -euo pipefail
# Read-only key for BI dashboard integration
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "bi-dashboard-readonly",
"scopes": ["insight:read", "dashboard:read", "query:read"]
}'
# Feature flag service key (read + write flags only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "flag-service",
"scopes": ["feature_flag:read", "feature_flag:write"]
}'
# Event export key (read events only)
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"label": "data-export-readonly",
"scopes": ["event:read", "query:read"]
}'
# List all personal API keys
curl "https://app.posthog.com/api/personal_api_keys/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '.[] | {id, label, scopes, created_at}'
Step 3: Configure SSO (Enterprise) PostHog enterprise supports SAML 2.0 SSO. Configuration is in Organization Settings > Authentication:
Enable SAML : Add your IdP metadata URL (e.g., Okta, Azure AD, Google Workspace)Enforce SSO : Toggle "Enforce SSO" to require all members to authenticate via IdPAuto-provisioning : New IdP users are automatically created in PostHog with Member roleGroup mapping : Map IdP groups to PostHog organization roles set -euo pipefail
# Check SSO configuration status
curl "https://app.posthog.com/api/organizations/$ORG_ID/" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '{
enforce_sso: .enforce_sso,
saml_configured: (.saml_enforcement != null),
member_count: .membership_count
}'
Step 4: Audit Access and Changes set -euo pipefail
# View recent activity log for permission changes
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=Organization" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '[.results[] | select(.activity | contains("member") or contains("role") or contains("api_key")) | {
user: .user.email,
activity,
detail: .detail,
created_at
}] | .[:10]'
# View feature flag changes (who changed what)
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/?scope=FeatureFlag" \
-H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
jq '[.results[:10][] | {
user: .user.email,
activity,
item_id: .item_id,
created_at
}]'
Step 5: Access Matrix # Recommended access matrix
access_matrix:
engineering:
staging_project:
role: admin # Full control in staging
can_create_flags: true
can_delete_flags: true
production_project:
role: member # Read + create, no delete in prod
can_create_flags: true
can_delete_flags: false # Require admin approval for flag deletion
product:
staging_project:
role: member
can_view_recordings: true
can_create_insights: true
production_project:
role: member
can_view_recordings: true
can_create_insights: true
bi_service_account:
production_project:
api_key_scopes: [insight:read, dashboard:read, query:read]
# No write access
flag_service_account:
production_project:
api_key_scopes: [feature_flag:read, feature_flag:write]
# Only flag operations
Error Handling Issue Cause Solution 403 on feature flag endpoint Key missing required scope Create key with feature_flag:read scope Member sees prod data Project access not restricted Remove from prod project, add to staging only SSO bypass possible SSO not enforced Enable "Enforce SSO" in org settings Can't create scoped key Not org admin Only admins can create API keys Activity log gaps Self-hosted log rotation Increase log retention in PostHog config
Output
Project-level member access configured
Scoped API keys for services (BI, flag service, export)
SSO/SAML enforcement enabled
Activity audit log queries
Access matrix documented
Resources
Next Steps For migration strategies, see posthog-migration-deep-dive.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
