Configure Granola across multiple workspaces and teams with SSO/SCIM provisioning. Use when setting up department-level workspaces, configuring user provisioning, or managing enterprise-scale Granola deployments. Trigger: "granola workspaces", "granola multi-team", "granola SSO", "granola SCIM", "granola organization setup".
Configure Granola for multi-workspace enterprise deployments with SSO-based user provisioning, per-workspace integration configuration, and compliance controls. Each workspace operates as an isolated unit with its own folders, integrations, sharing rules, and retention policies.
Map your organization to Granola workspaces:
| Workspace | Owner | Members | Purpose |
|---|---|---|---|
| Engineering | VP Engineering | All engineers | Sprint planning, architecture, standups |
| Sales | VP Sales | Sales team + SDRs | Discovery calls, demos, pipeline reviews |
| Product | Head of Product | PMs + designers | Customer feedback, design reviews, PRDs |
| Customer Success | CS Lead | CS managers | Onboarding calls, QBRs, escalations |
| HR | HR Director | HR team | Interviews, 1-on-1s, performance reviews |
| Executive | CEO | C-suite | Board meetings, strategy, M&A |
SSO Setup (Okta example):
https://app.granola.ai/sso/{org-slug}https://app.granola.ai/sso/callbackSCIM Provisioning:
https://api.granola.ai/scim/v2/{org-id}| IdP Group | Granola Workspace | Role |
|---|---|---|
granola-engineering | Engineering | Member |
granola-engineering-leads | Engineering | Admin |
granola-sales | Sales | Member |
granola-hr | HR | Member |
granola-executives | Executive | Admin |
Just-in-Time (JIT) Provisioning: Enable JIT so users are auto-provisioned on first SSO login without manual invitation. Map their IdP groups to workspace membership.
Each workspace can have independent integration configurations:
| Workspace | Slack Channel | CRM | Notion Database | Task Tool |
|---|---|---|---|---|
| Engineering | #eng-meetings | — | Engineering Wiki | Linear |
| Sales | #sales-notes | HubSpot | Sales Playbook | — |
| Product | #product-feedback | — | Product Insights | Linear |
| Customer Success | #cs-updates | Attio | CS Knowledge Base | — |
| HR | (none) | — | (none) | — |
| Executive | (none) | — | Private Board DB | — |
Configure in each workspace: Settings > Integrations. Each workspace's integrations are independent — connecting Slack in Engineering does not affect Sales.
| Workspace | Data Retention (Notes) | Data Retention (Transcripts) | External Sharing | Audit Logging |
|---|---|---|---|---|
| Engineering | 2 years | 90 days | Allowed (admin approval) | On |
| Sales | 1 year | 90 days | Allowed (for client follow-up) | On |
| Product | 2 years | 90 days | Allowed (admin approval) | On |
| HR | 90 days | 30 days | Prohibited | On |
| Executive | Custom (legal hold) | 30 days | Prohibited | On |
Sensitive workspace hardening (HR, Executive):
Workspace Settings > Security:
External sharing: Disabled
Public links: Disabled
Link expiration: 7 days (if any sharing enabled)
MFA required: Yes (beyond SSO)
Session timeout: 4 hours
AI training opt-out: Enforced
IP allowlist: Enabled (office IPs only)
| Role | Create Notes | Share Internally | Share Externally | Manage Members | Manage Settings |
|---|---|---|---|---|---|
| Org Owner | Yes | Yes | Yes | Yes (all workspaces) | Yes (org-level) |
| Workspace Admin | Yes | Yes | Yes (if policy allows) | Yes (own workspace) | Yes (workspace) |
| Team Lead | Yes | Yes | Yes (if policy allows) | View only | No |
| Member | Yes | Yes | No (unless admin approves) | No | No |
| Viewer | No | Read-only | No | No | No |
| Guest | No | Single workspace read | No | No | No |
Validation checklist:
Ongoing monitoring:
| Error | Cause | Fix |
|---|---|---|
| User lands in wrong workspace | SSO group mapping incorrect | Fix IdP group → workspace mapping |
| SCIM sync fails | Token expired or endpoint wrong | Regenerate SCIM token, verify endpoint URL |
| Cross-workspace notes invisible | User not added to target workspace | Add user to workspace or grant Viewer role |
| Integration not syncing in workspace | Connected to different workspace | Reconnect integration within the correct workspace context |
| JIT provisioning creates duplicate users | Multiple IdP groups | Consolidate groups, ensure one user maps to one account |
Proceed to granola-observability for meeting analytics and monitoring.