granola-enterprise-rbac


Granola Enterprise RBAC


Overview


Configure enterprise role-based access control for Granola meeting notes.

Prerequisites


  • Granola Business or Enterprise plan
  • Organization admin access
  • SSO configured (recommended)
  • Security policy defined

Role Hierarchy


Built-in Roles


Built-in roles, from highest to lowest privilege:

  1. Organization Owner (Super Admin)
  2. Organization Admin
  3. Workspace Admin
  4. Team Lead
  5. Member
  6. Viewer
  7. Guest (External)

Role Definitions


Organization Owner


```yaml
Role: Organization Owner
Level: Super Admin
Scope: Entire organization

Permissions:
  billing: full
  organization_settings: full
  workspace_management: full
  user_management: full
  data_export: full
  audit_logs: read
  integrations: full
  sso_configuration: full

Limits:
  max_per_org: 1-3
  cannot_be_removed: by other admins
```

Organization Admin


```yaml
Role: Organization Admin
Level: High
Scope: Entire organization

Permissions:
  billing: read
  organization_settings: read_write
  workspace_management: full
  user_management: full
  data_export: full
  audit_logs: read
  integrations: full
  sso_configuration: read

Limits:
  max_per_org: unlimited
  assigned_by: org_owner
```

Workspace Admin


```yaml
Role: Workspace Admin
Level: Medium-High
Scope: Assigned workspace(s)

Permissions:
  workspace_settings: full
  member_management: full
  templates: full
  integrations: workspace_only
  data_export: workspace_only
  sharing_controls: full

Limits:
  scope: specific workspaces
  assigned_by: org_admin
```

Team Lead


```yaml
Role: Team Lead
Level: Medium
Scope: Assigned team(s)

Permissions:
  team_members: manage
  templates: create_edit
  notes: team_visibility
  sharing: within_org
  reports: team_only

Limits:
  # One key with a list; repeating `cannot:` twice would be a duplicate
  # mapping key and most YAML parsers keep only the last value.
  cannot:
    - modify workspace settings
    - manage other teams
```

Member


```yaml
Role: Member
Level: Standard
Scope: Own notes + shared

Permissions:
  notes: create_edit_own
  sharing: as_configured
  templates: use
  export: own_notes
  integrations: use_configured

Limits:
  # Single `cannot:` key with a list (duplicate keys would silently collapse)
  cannot:
    - manage users
    - modify settings
```

Viewer


```yaml
Role: Viewer
Level: Low
Scope: Shared notes only

Permissions:
  notes: read_shared
  sharing: none
  templates: none
  export: none

Limits:
  read_only: true
  cannot: create notes
```

Guest


```yaml
Role: Guest
Level: External
Scope: Specific shared content

Permissions:
  notes: read_specific
  sharing: none
  time_limited: yes
  workspace_access: none

Limits:
  requires: explicit invite
  expires: configurable
```

Permission Matrix


Note Permissions


| Action        | Owner | Admin | Lead | Member | Viewer | Guest    |
|---------------|-------|-------|------|--------|--------|----------|
| Create        | Yes   | Yes   | Yes  | Yes    | No     | No       |
| Edit Own      | Yes   | Yes   | Yes  | Yes    | No     | No       |
| Edit Others   | Yes   | Yes   | Team | No     | No     | No       |
| Delete Own    | Yes   | Yes   | Yes  | Yes    | No     | No       |
| Delete Others | Yes   | Yes   | No   | No     | No     | No       |
| View All      | Yes   | Yes   | Team | Shared | Shared | Specific |

Sharing Permissions


| Action         | Owner | Admin  | Lead   | Member | Viewer |
|----------------|-------|--------|--------|--------|--------|
| Share Internal | Yes   | Yes    | Yes    | Config | No     |
| Share External | Yes   | Yes    | Config | No     | No     |
| Public Links   | Yes   | Config | No     | No     | No     |
| Revoke Access  | Yes   | Yes    | Team   | Own    | No     |

"Config" means the action is available only as allowed by the organization's sharing policy (see Access Policies below).

Admin Permissions


| Action           | Org Owner | Org Admin | WS Admin | Lead | Member |
|------------------|-----------|-----------|----------|------|--------|
| Manage Billing   | Yes       | View      | No       | No   | No     |
| SSO Config       | Yes       | View      | No       | No   | No     |
| Create Workspace | Yes       | Yes       | No       | No   | No     |
| Delete Workspace | Yes       | Yes       | No       | No   | No     |
| Manage Users     | Yes       | Yes       | WS Only  | Team | No     |
| View Audit Logs  | Yes       | Yes       | WS Only  | No   | No     |

Configuration


Assign Roles



Role Assignment


Via Admin Panel:
  1. Settings > Users
  2. Find user
  3. Click "Edit Role"
  4. Select role
  5. Choose workspace scope (if applicable)
  6. Save changes
Via SSO Group Mapping:
  1. Settings > SSO > Group Mapping
  2. Map SSO group to Granola role
  3. Set default workspace
  4. Enable auto-provisioning

Custom Roles (Enterprise)



Custom Role Definition


```yaml
Role: Content Manager
Base: Member
Scope: Marketing Workspace

Additional Permissions:
  templates: create_edit_delete
  shared_notes: edit_all
  external_sharing: enabled
  analytics: workspace_view

Restrictions:
  # Single `cannot:` key holding a list, so both restrictions survive parsing
  cannot:
    - delete_others_notes
    - manage_users
```

Role Inheritance



Inheritance Rules


  1. Workspace role inherits org permissions
  2. Higher role can access lower role data
  3. Explicit deny overrides inheritance
  4. Guest role has no inheritance
Example:
  • User is Org Admin → auto Workspace Admin everywhere
  • User is Team Lead in Eng → Member elsewhere
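The four inheritance rules are easy to state and easy to get wrong in an access-review script, so here is an added example (not Granola's own code) that resolves a user's effective role per workspace. Role names and the rank order come from the page; the `User` data model, the `baseline` field, the explicit-deny set, and the extension of rule 1 to the Organization Owner are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Role ranking taken from the page's hierarchy, highest privilege first.
RANK = {
    "organization_owner": 6,
    "organization_admin": 5,
    "workspace_admin": 4,
    "team_lead": 3,
    "member": 2,
    "viewer": 1,
    "guest": 0,
}

# Rule 1: an org-wide role carries a workspace role into every workspace.
# The page states this for Org Admin; applying it to Org Owner too is an assumption.
ORG_TO_WORKSPACE = {
    "organization_owner": "workspace_admin",
    "organization_admin": "workspace_admin",
}


@dataclass
class User:
    email: str
    org_role: Optional[str] = None                 # organization_owner / organization_admin / None
    baseline: str = "member"                       # role held where no specific grant exists (assumed)
    workspace_roles: dict[str, str] = field(default_factory=dict)  # explicit per-workspace grants
    denied_workspaces: set[str] = field(default_factory=set)       # explicit denies (rule 3)


def effective_role(user: User, workspace: str) -> Optional[str]:
    """Resolve the role the user actually holds in `workspace`; None means no access."""
    # Rule 3: an explicit deny overrides anything inheritance would grant.
    if workspace in user.denied_workspaces:
        return None

    explicit = user.workspace_roles.get(workspace)

    # Rule 4: guests inherit nothing; only an explicit grant on this workspace counts.
    if user.baseline == "guest":
        return explicit

    candidates = [user.baseline]
    if user.org_role in ORG_TO_WORKSPACE:
        candidates.append(ORG_TO_WORKSPACE[user.org_role])   # rule 1
    if explicit:
        candidates.append(explicit)

    # Rule 2: a higher role can access a lower role's data, so the highest candidate wins.
    return max(candidates, key=RANK.__getitem__)


def accessible_workspaces(user: User, all_workspaces: list[str]) -> dict[str, Optional[str]]:
    """Map every workspace to the user's effective role there (the view an access review needs)."""
    return {ws: effective_role(user, ws) for ws in all_workspaces}


if __name__ == "__main__":
    # Constructed users mirroring the page's two examples plus a deny and a guest.
    workspaces = ["engineering", "sales", "corporate", "partner-collab"]
    org_admin = User("admin@company.com", org_role="organization_admin",
                     denied_workspaces={"corporate"})
    eng_lead = User("lead@company.com", workspace_roles={"engineering": "team_lead"})
    partner = User("partner@example.org", baseline="guest",
                   workspace_roles={"partner-collab": "guest"})
    for u in (org_admin, eng_lead, partner):
        print(u.email, accessible_workspaces(u, workspaces))
```

Running it shows the Org Admin as Workspace Admin everywhere except the explicitly denied `corporate` workspace, the Engineering Team Lead as a plain Member elsewhere, and the guest with access to nothing but the one workspace they were invited to.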

SSO Integration


Group Mapping



SAML/OIDC Group → Granola Role


```yaml
SSO Provider: Okta

Group Mappings:
  "Granola-Owners":
    role: organization_owner
    workspaces: all
  "Granola-Admins":
    role: organization_admin
    workspaces: all
  "Engineering-Team":
    role: member
    workspaces: [engineering]
  "Engineering-Leads":
    role: workspace_admin
    workspaces: [engineering]
  "Sales-Team":
    role: member
    workspaces: [sales]
  "External-Partners":
    role: guest
    workspaces: [partner-collab]
```

JIT Provisioning



Just-in-Time User Creation


```yaml
Settings:
  jit_provisioning: enabled
  default_role: member
  default_workspace: general
  require_email_domain: "@company.com"
```

Process:
  1. User signs in via SSO
  2. Account created automatically
  3. Groups evaluated
  4. Role assigned based on groups
  5. Access granted immediately
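The group mapping and JIT settings above decide what a brand-new SSO user can do before any human looks at the account, so the evaluation order matters. The following added example (not Granola's code) walks the five JIT steps from a parsed assertion to an account record. The Okta group names and settings are the page's; the assertion shape (`email`, `groups`), the rule that the highest-ranked role wins when several groups match, the anchored domain check, and adding the default workspace to every non-`all` account are assumptions.

```python
from __future__ import annotations

# Mirrors the page's Okta group mapping.
GROUP_MAPPINGS = {
    "Granola-Owners":    {"role": "organization_owner", "workspaces": "all"},
    "Granola-Admins":    {"role": "organization_admin", "workspaces": "all"},
    "Engineering-Team":  {"role": "member",             "workspaces": ["engineering"]},
    "Engineering-Leads": {"role": "workspace_admin",    "workspaces": ["engineering"]},
    "Sales-Team":        {"role": "member",             "workspaces": ["sales"]},
    "External-Partners": {"role": "guest",              "workspaces": ["partner-collab"]},
}

# Mirrors the page's JIT settings.
SETTINGS = {
    "jit_provisioning": "enabled",
    "default_role": "member",
    "default_workspace": "general",
    "require_email_domain": "@company.com",
}

# Privilege order from the page's role hierarchy (used to break ties between groups).
RANK = {"organization_owner": 6, "organization_admin": 5, "workspace_admin": 4,
        "team_lead": 3, "member": 2, "viewer": 1, "guest": 0}


class ProvisioningDenied(Exception):
    """A sign-in that must not auto-create an account."""


def email_allowed(email: str, required_domain: str) -> bool:
    """Anchored domain check: exactly one '@' and the address ends with the required
    suffix, so 'x@company.com.other.example' and 'x@other.example@company.com' both fail."""
    email = email.strip().lower()
    return email.count("@") == 1 and email.endswith(required_domain.lower())


def provision(assertion: dict, mappings=GROUP_MAPPINGS, settings=SETTINGS) -> dict:
    """Steps 1-5 of the JIT process for one assertion. Returns the account to create."""
    if settings["jit_provisioning"] != "enabled":
        raise ProvisioningDenied("JIT provisioning is disabled; an admin must create the account")

    email = assertion["email"].strip().lower()
    if not email_allowed(email, settings["require_email_domain"]):
        raise ProvisioningDenied(f"{email} is outside {settings['require_email_domain']}")

    # Step 3: evaluate groups. Unknown groups are reported, never guessed at.
    groups = list(assertion.get("groups", []))
    matched = [g for g in groups if g in mappings]
    ignored = sorted(set(groups) - set(matched))

    # Step 4: assign a role. Several matching groups -> highest-ranked role wins (assumption).
    if matched:
        role = max((mappings[g]["role"] for g in matched), key=RANK.__getitem__)
    else:
        role = settings["default_role"]

    # Workspace scope: 'all' from any group wins; otherwise the union of mapped
    # workspaces plus the default workspace (assumption about default_workspace).
    scopes = [mappings[g]["workspaces"] for g in matched]
    if "all" in scopes:
        workspaces = "all"
    else:
        names = {settings["default_workspace"]}
        for scope in scopes:
            names.update(scope)
        workspaces = sorted(names)

    # Step 5: the caller grants access from this record.
    return {"email": email, "role": role, "workspaces": workspaces,
            "source_groups": sorted(matched), "ignored_groups": ignored}


if __name__ == "__main__":
    # Constructed assertions, not real Okta output.
    for a in ({"email": "Alice@Company.com", "groups": ["Engineering-Team", "Engineering-Leads"]},
              {"email": "bob@company.com", "groups": ["Unknown-Group"]},
              {"email": "carol@company.com", "groups": ["Granola-Admins", "Sales-Team"]}):
        print(provision(a))
```

The domain check is deliberately anchored on the full `@company.com` suffix and a single `@`; a plain substring test would let an address at a look-alike domain satisfy `require_email_domain`.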

Access Policies


Sharing Policy



Organization Sharing Policy


```yaml
Internal Sharing:
  default: enabled
  team_sharing: automatic
  cross_workspace: admin_approval

External Sharing:
  enabled: true
  require_approval: workspace_admin
  link_expiration: 30_days
  password_protection: optional

Public Links:
  enabled: false  # Disabled for security
```
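The sharing policy only has teeth when it is combined with the sharing permission matrix from earlier on the page. This added example (not Granola's code) evaluates a share request against both: the matrix decides whether the role may attempt the share at all, and the policy decides whether it goes through, needs approval, or expires. Policy values and matrix cells are the page's; the `ShareRequest`/`Decision` shapes, the reading of "Config" as "defer entirely to the policy", treating `enabled: false` as a hard stop for every role, and exempting Owner/Admin from the external-share approval step are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The page's organization sharing policy.
POLICY = {
    "internal": {"default": "enabled", "team_sharing": "automatic",
                 "cross_workspace": "admin_approval"},
    "external": {"enabled": True, "require_approval": "workspace_admin",
                 "link_expiration_days": 30, "password_protection": "optional"},
    "public":   {"enabled": False},
}

# The page's sharing permission matrix; "Config" means the org policy decides.
SHARING_MATRIX = {
    "internal": {"owner": "Yes", "admin": "Yes",    "lead": "Yes",    "member": "Config", "viewer": "No"},
    "external": {"owner": "Yes", "admin": "Yes",    "lead": "Config", "member": "No",     "viewer": "No"},
    "public":   {"owner": "Yes", "admin": "Config", "lead": "No",     "member": "No",     "viewer": "No"},
}


@dataclass
class ShareRequest:
    requester_role: str            # owner / admin / lead / member / viewer
    kind: str                      # internal / external / public
    same_team: bool = False
    same_workspace: bool = True
    requested_at: datetime = datetime(2025, 1, 6, 15, 0, tzinfo=timezone.utc)  # constructed


@dataclass
class Decision:
    allowed: bool
    reason: str
    approval_from: Optional[str] = None     # role that must approve before the share is live
    expires_at: Optional[datetime] = None   # set for links that the policy time-limits


def evaluate_share(req: ShareRequest, policy=POLICY, matrix=SHARING_MATRIX) -> Decision:
    """Role matrix first, then the org policy for that share kind."""
    cell = matrix[req.kind][req.requester_role]
    if cell == "No":
        return Decision(False, f"{req.requester_role} may not create {req.kind} shares")

    if req.kind == "public":
        # Assumption: an org-level 'enabled: false' blocks every role, Owner included.
        if not policy["public"]["enabled"]:
            return Decision(False, "public links are disabled for the organization")
        return Decision(True, "public link permitted by policy")

    if req.kind == "internal":
        internal = policy["internal"]
        if internal["default"] != "enabled":
            return Decision(False, "internal sharing is disabled")
        if req.same_team and internal["team_sharing"] == "automatic":
            return Decision(True, "team share, no approval needed")
        if not req.same_workspace and internal["cross_workspace"] == "admin_approval":
            return Decision(True, "cross-workspace share queued for approval", approval_from="admin")
        return Decision(True, "internal share within workspace")

    ext = policy["external"]
    if not ext["enabled"]:
        return Decision(False, "external sharing is disabled")
    expires = req.requested_at + timedelta(days=ext["link_expiration_days"])
    # Assumption: roles marked "Yes" self-approve; "Config" roles need the policy's approver.
    approver = ext["require_approval"] if cell == "Config" else None
    return Decision(True, "external share with expiring link",
                    approval_from=approver, expires_at=expires)


if __name__ == "__main__":
    for r in (ShareRequest("member", "public"), ShareRequest("member", "internal", same_team=True),
              ShareRequest("lead", "internal", same_workspace=False), ShareRequest("lead", "external")):
        print(r.requester_role, r.kind, evaluate_share(r))
```

Because the matrix check runs first, a Viewer's or Member's external share is refused before the policy is consulted, so loosening `External Sharing` later cannot silently widen it to those roles.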

Data Access Policy



Data Access Restrictions


```yaml
By Workspace:
  Corporate:
    visibility: owners_only
    download: disabled
    external: prohibited
  Engineering:
    visibility: workspace
    download: enabled
    external: with_approval
  Sales:
    visibility: workspace
    download: enabled
    external: enabled
    crm_sync: automatic
```

Audit & Compliance


Role Change Auditing



Audit Events


Logged Actions:
  • Role assigned
  • Role removed
  • Permission changed
  • Workspace access granted
  • Workspace access revoked
  • Guest invited
  • Guest expired
Log Format:

```json
{
  "timestamp": "2025-01-06T15:00:00Z",
  "actor": "admin@company.com",
  "action": "role_changed",
  "target": "user@company.com",
  "old_role": "member",
  "new_role": "team_lead",
  "workspace": "engineering"
}
```
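Logging role changes is only useful if someone reads them, and the quarterly review is a long time to wait for a privilege escalation. This added example (not Granola's code) parses an export in the record format above, one JSON object per line, and flags the events a reviewer should look at first: elevation into an admin-tier role, a user changing their own role, and bursts of role changes by one actor. The record fields are the page's; the sample log is constructed, the snake_case action names other than `role_changed` (`guest_invited`, `role_removed`) are assumed, and the detection thresholds are illustrative.

```python
from __future__ import annotations

import json
from collections import Counter

# Roles the page places at the admin tier; a change into this set warrants review.
ADMIN_ROLES = {"organization_owner", "organization_admin", "workspace_admin"}

# Privilege order from the page's role hierarchy.
RANK = {"organization_owner": 6, "organization_admin": 5, "workspace_admin": 4,
        "team_lead": 3, "member": 2, "viewer": 1, "guest": 0}

# Constructed sample export in the page's record format (one object per line).
# Includes one deliberately malformed line to show it is counted, not silently dropped.
SAMPLE_LOG = """
{"timestamp": "2025-01-06T15:00:00Z", "actor": "admin@company.com", "action": "role_changed", "target": "user@company.com", "old_role": "member", "new_role": "team_lead", "workspace": "engineering"}
{"timestamp": "2025-01-06T15:02:10Z", "actor": "admin@company.com", "action": "role_changed", "target": "contractor@company.com", "old_role": "viewer", "new_role": "workspace_admin", "workspace": "corporate"}
{"timestamp": "2025-01-06T15:03:30Z", "actor": "lead@company.com", "action": "role_changed", "target": "lead@company.com", "old_role": "team_lead", "new_role": "organization_admin", "workspace": null}
{"timestamp": "2025-01-06T15:04:00Z", "actor": "admin@company.com", "action": "guest_invited", "target": "partner@example.org", "workspace": "partner-collab"}
this line is not JSON and simulates export corruption
{"timestamp": "2025-01-06T15:04:40Z", "actor": "admin@company.com", "action": "role_changed", "target": "bob@company.com", "old_role": "member", "new_role": "viewer", "workspace": "sales"}
{"timestamp": "2025-01-06T15:05:00Z", "actor": "admin@company.com", "action": "role_removed", "target": "old@company.com", "old_role": "member", "new_role": null, "workspace": "sales"}
"""


def parse_events(text: str) -> tuple[list[dict], int]:
    """Parse one JSON object per line; return (events, number of malformed lines)."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def review_findings(events: list[dict], burst_threshold: int = 3) -> list[dict]:
    """Return the role-change events (and actors) an access reviewer should examine."""
    findings = []
    changes_by_actor = Counter()
    for ev in events:
        if ev.get("action") != "role_changed":
            continue
        changes_by_actor[ev["actor"]] += 1
        old, new = ev.get("old_role"), ev.get("new_role")

        # Nobody should be able to change their own role; if the log shows it, look.
        if ev["actor"] == ev["target"]:
            findings.append({"rule": "self_role_change", "event": ev})

        # Crossing into the admin tier is the change most worth a second pair of eyes.
        if new in ADMIN_ROLES and old not in ADMIN_ROLES:
            findings.append({"rule": "elevated_to_admin", "event": ev})
        # Otherwise flag unusually large jumps (e.g. viewer straight to team_lead).
        elif old in RANK and new in RANK and RANK[new] - RANK[old] >= 2:
            findings.append({"rule": "multi_level_jump", "event": ev})

    # Many changes by one actor in one export can mean bulk re-mapping, or something else.
    for actor, count in changes_by_actor.items():
        if count >= burst_threshold:
            findings.append({"rule": "role_change_burst", "actor": actor, "count": count})
    return findings


if __name__ == "__main__":
    events, malformed = parse_events(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {malformed} malformed line(s)")
    for f in review_findings(events):
        print(f["rule"], f.get("actor") or f["event"]["target"])
```

Downgrades (the `member` to `viewer` event) and the `role_removed` record produce no finding, which keeps the output short enough that the flagged elevations actually get read.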

Access Review



Quarterly Access Review


Checklist:
  • Export user role report
  • Review admin access
  • Check guest accounts
  • Verify workspace assignments
  • Remove inactive users
  • Update role mappings
  • Document changes

Best Practices


Principle of Least Privilege



Access Guidelines


  1. Start with Viewer role
  2. Upgrade as needed
  3. Use workspace-specific roles
  4. Review access quarterly
  5. Remove access promptly when role changes
Anti-patterns:
  ✗ Everyone as Admin
  ✗ Permanent guest access
  ✗ Unused workspace admin rights
  ✗ Orphaned accounts

Role Lifecycle



User Lifecycle


Onboarding:
  1. Create via SSO/JIT
  2. Assign default role
  3. Add to relevant workspaces
  4. Provide training
Role Change:
  1. Request from manager
  2. Approve by workspace admin
  3. Update role
  4. Verify access
Offboarding:
  1. Triggered by HR system
  2. Disable account
  3. Revoke all access
  4. Transfer note ownership
  5. Archive after 30 days

Resources


Next Steps


Proceed to
granola-migration-deep-dive
for migration from other tools.