
Replit Enterprise Permissions and Security Management

v20260423
replit-enterprise-rbac
This guide explains in detail how Replit enterprise users configure and manage organization-level access control. It covers role permission settings (Owner, Admin, etc.), custom team groups, SSO/SAML identity authentication integration, production and staging deployment permission controls, and detailed audit logging. It is intended for administrators who need to set strict security policies for large development teams, conduct permission audits, or improve DevOps processes.
71 downloads

Replit Enterprise RBAC

Overview

Manage team access to Replit workspaces, deployments, and AI features. Covers the built-in role system (Admin, Manager, Editor, Viewer), custom groups (Enterprise only), SSO/SAML integration, deployment permissions, and audit logging.

Prerequisites

  • Replit Teams or Enterprise plan
  • Organization Owner or Admin role
  • SSO identity provider (Enterprise only): Okta, Azure AD, Google Workspace

Role Hierarchy

| Role | Create Repls | Deploy | Manage Members | Billing | AI Features |
|---|---|---|---|---|---|
| Owner | Yes | All | Yes | Yes | Yes |
| Admin | Yes | All | Yes | View only | Yes |
| Manager | Yes | Staging | Add/remove | No | Yes |
| Editor | Yes | No | No | No | Yes |
| Viewer | No | No | No | No | No |

Instructions

Step 1: Configure Organization Roles

In Organization Settings > Members:

1. Invite members:
   - Click "Invite" > enter email
   - Select role: Admin, Manager, Editor, or Viewer
   - Member receives email invitation

2. Bulk management (2025+):
   - CSV export of all members
   - Sort/filter by role, activity, last login
   - Bulk role changes

3. Role assignment strategy:
   - Owners: 1-2 (billing + full admin)
   - Admins: team leads (manage members + deploy)
   - Managers: senior devs (deploy to staging)
   - Editors: developers (create + code)
   - Viewers: stakeholders (read-only access)

Step 2: Custom Groups (Enterprise Only)

Enterprise plan enables custom permission groups:

1. Organization Settings > Groups
2. Create group: e.g., "Backend Team"
3. Assign permissions:
   - Access to specific Repls
   - Deployment permissions (staging only, or all)
   - AI feature access
4. Add members to group

Example groups:
- "Frontend Team": access to UI Repls, deploy to staging
- "DevOps": all Repls, deploy to production, manage secrets
- "Contractors": specific Repls only, no deployment access
- "QA": read all, deploy to staging, no production

Step 3: SSO/SAML Configuration (Enterprise Only)

Organization Settings > Security > SSO:

1. Choose provider:
   - Okta
   - Azure Active Directory
   - Google Workspace
   - Any SAML 2.0 compatible IdP

2. Configure SAML:
   - ACS URL: provided by Replit
   - Entity ID: provided by Replit
   - Certificate: from your IdP
   - Map IdP groups to Replit roles

3. Enable enforcement:
   - "Require SSO": blocks password-based login
   - Session timeout: recommended 12 hours
   - IdP-initiated logout support

4. Test:
   - Try login with SSO before enforcing
   - Verify role mapping works correctly
   - Test session timeout behavior

Step 4: Deployment Permission Controls

Control who can deploy and where:

Organization Settings > Deployments > Permissions:

Production deployments:
- Restrict to Admin + Owner only
- Require approval workflow (Enterprise)
- Custom domain management: Admin only

Staging deployments:
- Allow Managers and above
- Auto-deploy from staging branch

Development:
- All Editors can run in Workspace
- Dev database access for all team members

Step 5: Audit Logging

```bash
# View recent team activity
curl "https://replit.com/api/v1/teams/TEAM_ID/audit-log?limit=50" \
  -H "Authorization: Bearer $REPLIT_TOKEN" | \
  jq '.events[] | {user, action, resource, timestamp}'

# Common audit events:
# - member.invited
# - member.removed
# - member.role_changed
# - repl.created
# - repl.deleted
# - deployment.created
# - deployment.rolled_back
# - secret.created
# - secret.deleted
```

Enterprise audit features:
- Exportable audit logs (CSV)
- 90-day retention
- Filter by user, action, resource
- API access for SIEM integration
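As an added example (not part of the original guide or Replit's tooling), the script below triages an audit-log response of the shape the curl/jq command above selects: it flags the high-risk event types from the list, role changes that land on Owner or Admin, and sensitive changes made during quiet hours. The sample events are constructed, and the `details` sub-object carrying the old and new role is an assumption, not a documented Replit field.

```python
import json
from datetime import datetime

# Constructed sample in the shape the jq filter above selects (user, action,
# resource, timestamp). The `details` sub-object with the old and new role is
# an assumption for illustration, not a documented Replit field.
SAMPLE_AUDIT_JSON = json.dumps({"events": [
    {"user": "alice@example.com", "action": "member.invited",
     "resource": "bob@example.com", "timestamp": "2026-04-20T09:12:00Z"},
    {"user": "alice@example.com", "action": "member.role_changed",
     "resource": "bob@example.com", "timestamp": "2026-04-20T09:13:00Z",
     "details": {"from": "Editor", "to": "Admin"}},
    {"user": "carol@example.com", "action": "secret.deleted",
     "resource": "backend-api/DATABASE_URL", "timestamp": "2026-04-21T02:40:00Z"},
    {"user": "dave@example.com", "action": "deployment.rolled_back",
     "resource": "backend-api/production", "timestamp": "2026-04-21T02:45:00Z"},
    {"user": "erin@example.com", "action": "repl.created",
     "resource": "sandbox-42", "timestamp": "2026-04-22T11:00:00Z"},
]})

# Event types from the list above that a reviewer should always look at.
HIGH_RISK_ACTIONS = {"member.removed", "member.role_changed",
                     "secret.deleted", "deployment.rolled_back"}
PRIVILEGED_ROLES = {"Owner", "Admin"}


def parse_events(raw_json: str) -> list[dict]:
    """Parse the API response body and return its events oldest-first."""
    events = json.loads(raw_json)["events"]
    return sorted(events, key=lambda e: e["timestamp"])


def triage(events: list[dict], quiet_hours: tuple[int, int] = (0, 6)) -> list[dict]:
    """Return a copy of each event that matches a review rule, with the reasons."""
    findings = []
    for e in events:
        reasons = []
        if e["action"] in HIGH_RISK_ACTIONS:
            reasons.append("high-risk action")
        new_role = e.get("details", {}).get("to")
        if e["action"] == "member.role_changed" and new_role in PRIVILEGED_ROLES:
            reasons.append(f"escalation to {new_role}")
        # Timestamps are UTC ("Z"); flag sensitive changes made in quiet hours.
        hour = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")).hour
        if reasons and quiet_hours[0] <= hour < quiet_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings
```

Feed the script the JSON body returned by the curl command (before the jq filter) and forward the findings to your SIEM; adjust `quiet_hours` to the team's working hours in UTC.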

Step 6: Quarterly Access Review

Access Review Checklist (run quarterly)

1. Export member list from Organization Settings
2. Review each member:
   - [ ] Last active date within 30 days?
   - [ ] Role appropriate for current responsibilities?
   - [ ] Still on the team/project?
3. Actions:
   - Remove members not active in 30+ days
   - Downgrade over-privileged members
   - Upgrade members needing more access
4. Document changes and rationale
5. Verify SSO group mappings still accurate

Cost impact:
- Each removed seat saves $25-40/month
- Quarterly review prevents seat creep
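The checklist above, automated as an added example (not part of the original guide or any Replit tool): it reads the member CSV export from Step 1, flags accounts inactive for more than 30 days (marking privileged ones), flags contractors holding roles above Editor, checks the Owner count against the 1-2 guidance, and prices the freed seats at the low end of the $25-40 range. The CSV sample and its column names are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the member CSV export from Step 1. The export carries
# role, activity and last login; the exact column names here are assumed.
SAMPLE_MEMBER_CSV = """email,role,last_login,group
alice@example.com,Owner,2026-04-27,
bob@example.com,Admin,2026-04-26,Backend Team
carol@example.com,Admin,2026-01-15,Backend Team
dave@example.com,Editor,2026-02-01,Contractors
erin@example.com,Manager,2026-04-20,QA
frank@example.com,Owner,2026-04-25,
grace@example.com,Owner,2026-04-27,
henry@example.com,Manager,2026-04-26,Contractors
"""

ROLE_RANK = {"Viewer": 0, "Editor": 1, "Manager": 2, "Admin": 3, "Owner": 4}
MAX_OWNERS = 2                  # Step 1: "Owners: 1-2"
MAX_CONTRACTOR_ROLE = "Editor"  # Step 2: contractors get no deployment access


def review_members(csv_text: str, today: str, stale_days: int = 30) -> list[tuple[str, str]]:
    """Return (subject, finding) pairs for the checklist; today is an ISO date."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    cutoff = date.fromisoformat(today) - timedelta(days=stale_days)
    findings = []
    owners = [r["email"] for r in rows if r["role"] == "Owner"]
    if len(owners) > MAX_OWNERS:
        findings.append(("organization", f"{len(owners)} Owners (limit {MAX_OWNERS}): {', '.join(owners)}"))
    for r in rows:
        last_login = date.fromisoformat(r["last_login"])
        if last_login < cutoff:
            # A stale privileged account is the bigger risk, so label it.
            tag = "privileged, " if ROLE_RANK[r["role"]] >= ROLE_RANK["Admin"] else ""
            findings.append((r["email"], f"{tag}inactive since {last_login}: remove"))
        if r["group"] == "Contractors" and ROLE_RANK[r["role"]] > ROLE_RANK[MAX_CONTRACTOR_ROLE]:
            findings.append((r["email"], f"{r['role']} in Contractors: downgrade to {MAX_CONTRACTOR_ROLE}"))
    return findings


def seats_saved(findings: list[tuple[str, str]], seat_cost: int = 25) -> tuple[int, int]:
    """Seats freed by removals and the monthly saving at the low end of $25-40."""
    removed = {subject for subject, note in findings if note.endswith(": remove")}
    return len(removed), len(removed) * seat_cost
```

Keep the returned findings list with the review date as the record the checklist's "document changes and rationale" step asks for.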

Step 7: AI Feature Controls

Replit AI features (Agent, Assistant, Ghostwriter):

Organization Settings > AI Features:
- Enable/disable AI for entire organization
- Per-role AI access (Enterprise)
- Usage tracking per member

Controls:
- Agent: can create files, install packages, deploy
- Assistant: code suggestions, chat
- Ghostwriter: inline completions

Recommendation:
- Enable AI for all developers (Editors+)
- Restrict Agent deployment to Managers+
- Monitor AI usage via dashboard

Error Handling

| Issue | Cause | Solution |
|---|---|---|
| Member can't deploy | Insufficient role | Promote to Manager or Admin |
| SSO redirect loop | Wrong ACS URL | Verify callback URL matches Replit config |
| Seat limit exceeded | Plan capacity reached | Remove inactive members or upgrade |
| Custom group not working | Not on Enterprise plan | Groups require Enterprise |
| AI features disabled | Org-level toggle off | Enable in Organization Settings > AI |

Resources

Next Steps

For data migration patterns, see replit-migration-deep-dive.

Info
Category Programming & Development
Name replit-enterprise-rbac
Version v20260423
Size 6.24KB
Updated 2026-04-28
Language