ReddRadar
Agent skill
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
Install this agent skill to your Project
npx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/main/plugins/saas-packs/vercel-pack/skills/vercel-enterprise-rbac
SKILL.md
Vercel Enterprise RBAC
Overview
Configure Vercel's role-based access control (RBAC) with team roles, project-level access groups, SSO/SAML integration, and audit logging. Covers the two access control planes: team-level (who can deploy) and application-level (who can access deployed content).
Prerequisites
- Vercel Pro or Enterprise plan
- Identity Provider (IdP) with SAML 2.0 support (for SSO)
- Understanding of your organization's access requirements
Instructions
Step 1: Understand Vercel's Role Model
Team-Level Roles:
| Role | Deploy Prod | Manage Projects | Manage Billing | Manage Members |
|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes |
| Member | Yes | Yes | No | No |
| Developer | Preview only | Limited | No | No |
| Viewer | No | Read-only | No | No |
| Security (Enterprise) | No | Security settings | No | No |
Extended Permissions (Enterprise): Layer on top of base roles for granular control:
- Deploy to production
- Manage environment variables
- Manage domains
- Access runtime logs
- Manage integrations
Step 2: Configure Team Members via API
# Invite a team member
curl -X POST "https://api.vercel.com/v1/teams/team_xxx/members" \
-H "Authorization: Bearer $VERCEL_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"email": "developer@company.com",
"role": "DEVELOPER"
}'
# List team members
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
"https://api.vercel.com/v2/teams/team_xxx/members" \
| jq '.members[] | {name: .name, email: .email, role: .role}'
# Update a member's role
curl -X PATCH "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
-H "Authorization: Bearer $VERCEL_TOKEN" \
-H "Content-Type: application/json" \
-d '{"role": "MEMBER"}'
# Remove a team member
curl -X DELETE "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
-H "Authorization: Bearer $VERCEL_TOKEN"
Step 3: Access Groups (Project-Level Permissions)
Access Groups assign teams of people to specific projects with specific roles:
- Go to Team Settings > Access Groups
- Create a group (e.g., "Frontend Team", "Backend Team")
- Add members to the group
- Assign the group to specific projects with a role
Example Access Group Setup:
├── Frontend Team → [project-web, project-docs] → Member role
├── Backend Team → [project-api, project-worker] → Member role
├── DevOps Team → [all projects] → Member role
└── QA Team → [all projects] → Viewer role
Step 4: SSO / SAML Configuration
In the Vercel dashboard: Team Settings > Authentication > SAML Single Sign-On
- Enable SAML SSO
- Configure your IdP (Okta, Azure AD, Google Workspace):
- ACS URL:
https://vercel.com/api/auth/saml/acs - Entity ID:
https://vercel.com - Name ID format:
emailAddress
- ACS URL:
- Enter IdP metadata URL or upload certificate
- Map SAML attributes to Vercel fields
SAML Attribute Mapping:
├── email → user email (required)
├── firstName → display name
├── lastName → display name
└── groups → Vercel team roles (optional)
Enforce SSO for all team members: Once enabled, toggle "Require SAML for login" — all members must authenticate through SSO.
Step 5: Application-Level Auth with Middleware
// middleware.ts — enforce auth on deployed application routes
import { NextRequest, NextResponse } from 'next/server';
import { verifyJWT } from '@/lib/auth';
const ROLE_ROUTES: Record<string, string[]> = {
'/admin': ['admin'],
'/dashboard': ['admin', 'member'],
'/api/admin': ['admin'],
};
export async function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
// Check if route requires auth
const requiredRoles = Object.entries(ROLE_ROUTES)
.find(([prefix]) => pathname.startsWith(prefix));
if (!requiredRoles) return NextResponse.next();
const token = request.cookies.get('session')?.value;
if (!token) {
return pathname.startsWith('/api')
? NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
: NextResponse.redirect(new URL('/login', request.url));
}
const payload = await verifyJWT(token);
if (!payload || !requiredRoles[1].includes(payload.role)) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}
// Pass user info to API routes via headers
const response = NextResponse.next();
response.headers.set('x-user-id', payload.sub);
response.headers.set('x-user-role', payload.role);
return response;
}
export const config = {
matcher: ['/admin/:path*', '/dashboard/:path*', '/api/admin/:path*'],
};
Step 6: Audit Logging
Vercel Enterprise includes audit logs in Team Settings > Audit Log.
Events tracked:
- Team member added/removed/role changed
- Project created/deleted
- Deployment to production
- Environment variable created/updated/deleted
- Domain added/removed
- Integration installed/uninstalled
- SSO configuration changes
# Export audit logs via API (Enterprise)
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
"https://api.vercel.com/v1/teams/team_xxx/audit-log?limit=100" \
| jq '.events[] | {action: .action, user: .user.email, createdAt: .createdAt, resource: .resource}'
RBAC Checklist
| Check | Status |
|---|---|
| Team roles assigned per least privilege | Required |
| Production deploy restricted to Member+ | Required |
| Access Groups configured per project | Recommended |
| SSO/SAML enforced for all members | Enterprise |
| Audit logging exported to SIEM | Enterprise |
| Application-level auth in middleware | Required |
| Off-boarding removes Vercel access via IdP | Required |
Output
- Team roles configured with least-privilege access
- Access Groups scoping members to specific projects
- SSO/SAML enforced for all team authentication
- Application-level RBAC in Edge Middleware
- Audit logs exported for compliance
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Member can't deploy to prod | Developer role (preview only) | Change to Member or Owner role |
| SSO login fails | IdP metadata URL expired | Update SAML configuration |
| Access Group not applied | Member not in group | Add member to the Access Group |
| Audit log missing events | Free/Pro plan limitation | Upgrade to Enterprise for audit logs |
| Off-boarded user still has access | SSO not enforced | Enable "Require SAML for login" |
Resources
Next Steps
For migration strategies, see vercel-migration-deep-dive.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
jeremylongshore/claude-code-plugins-plus-skills
dockerfile-generator
Dockerfile Generator - Auto-activating skill for DevOps Basics. Triggers on: dockerfile generator, dockerfile generator Part of the DevOps Basics skill category.
jeremylongshore/claude-code-plugins-plus-skills
branch-naming-helper
Branch Naming Helper - Auto-activating skill for DevOps Basics. Triggers on: branch naming helper, branch naming helper Part of the DevOps Basics skill category.
jeremylongshore/claude-code-plugins-plus-skills
readme-generator
Readme Generator - Auto-activating skill for DevOps Basics. Triggers on: readme generator, readme generator Part of the DevOps Basics skill category.
jeremylongshore/claude-code-plugins-plus-skills
makefile-generator
Makefile Generator - Auto-activating skill for DevOps Basics. Triggers on: makefile generator, makefile generator Part of the DevOps Basics skill category.
jeremylongshore/claude-code-plugins-plus-skills
gitignore-generator
Gitignore Generator - Auto-activating skill for DevOps Basics. Triggers on: gitignore generator, gitignore generator Part of the DevOps Basics skill category.
jeremylongshore/claude-code-plugins-plus-skills
pre-commit-hook-setup
Pre Commit Hook Setup - Auto-activating skill for DevOps Basics. Triggers on: pre commit hook setup, pre commit hook setup Part of the DevOps Basics skill category.
Didn't find tool you were looking for?