Skill ファイル

Overview

Name: Overview
Author: jeremylongshore

Configure Documenso enterprise role-based access control and team management. Use when implementing team permissions, configuring organizational roles, or setting up enterprise access controls. Trigger with phrases like "documenso RBAC", "documenso teams", "documenso permissions", "documenso enterprise", "documenso roles".

jeremylongshore1,965 スター2026/04/03

職業
カテゴリ: システム管理

スキル内容

Overview

Configure team-based access control and enterprise features in Documenso. The Team plan enables multi-user collaboration with shared documents. Enterprise adds SSO (OIDC), audit logging, and organization-level management.

Prerequisites

Documenso Team or Enterprise plan
Understanding of RBAC concepts
For SSO: OIDC-compatible identity provider (Okta, Azure AD, Google Workspace, Auth0)

Documenso Team Model

Organization
├── Team A
│   ├── Owner (full control)
│   ├── Admin (manage members, settings)
│   └── Member (create, view, sign team documents)
├── Team B
│   └── ...
└── Personal Accounts (separate from teams)

Key concepts:

Teams are separate from personal accounts -- team documents are owned by the team
Team API keys access all team documents; personal keys only access personal documents

関連 Skill

Overview | Skills Pool

import { Documenso } from "@documenso/sdk-typescript";

// Personal key: only YOUR documents
const personalClient = new Documenso({
  apiKey: process.env.DOCUMENSO_PERSONAL_KEY!,
});

// Team key: all documents in the team
const teamClient = new Documenso({
  apiKey: process.env.DOCUMENSO_TEAM_KEY!,
});

// Common mistake: using personal key for team operations
// Results in 403 Forbidden on team resources

// src/auth/documenso-rbac.ts
type Role = "viewer" | "editor" | "admin" | "owner";

interface TeamMember {
  userId: string;
  teamId: string;
  role: Role;
}

const PERMISSIONS: Record<Role, string[]> = {
  viewer: ["documents:read"],
  editor: ["documents:read", "documents:create", "documents:send"],
  admin: ["documents:read", "documents:create", "documents:send", "documents:delete", "members:manage"],
  owner: ["documents:read", "documents:create", "documents:send", "documents:delete", "members:manage", "team:settings", "team:billing"],
};

function hasPermission(member: TeamMember, permission: string): boolean {
  return PERMISSIONS[member.role]?.includes(permission) ?? false;
}

// Middleware
function requirePermission(permission: string) {
  return (req: Request, res: Response, next: NextFunction) => {
    const member = req.teamMember; // Set by auth middleware
    if (!hasPermission(member, permission)) {
      return res.status(403).json({
        error: "Forbidden",
        required: permission,
        userRole: member.role,
      });
    }
    next();
  };
}

// Usage
app.delete("/api/documents/:id",
  requirePermission("documents:delete"),
  async (req, res) => {
    await teamClient.documents.deleteV0(parseInt(req.params.id));
    res.json({ deleted: true });
  }
);

SSO Setup (Enterprise only):
1. Navigate to Organization Settings > SSO
2. Select your OIDC provider
3. Enter:
   - Client ID (from your IdP)
   - Client Secret (from your IdP)
   - Issuer URL (e.g., https://login.microsoftonline.com/{tenant}/v2.0)
4. Configure redirect URI in your IdP:
   https://sign.yourcompany.com/api/auth/callback/oidc
5. Test with a non-admin user first

Supported providers:
- Google Workspace
- Microsoft Entra ID (Azure AD)
- Okta
- Auth0
- Any OIDC-compliant provider

Once enabled, team members sign in via:

Overview

Overview

Prerequisites

Documenso Team Model

Overview

Overview

Prerequisites

Documenso Team Model

Instructions

Step 1: Team API Key Scoping

Step 2: Application-Level RBAC

Step 3: Enterprise SSO Configuration

Mcporter

Sonoscli

Openhue

Healthcheck

Things Mac

Eightctl