企业级数据平台权限管理

v20260423

clay-enterprise-rbac

本指南详细介绍了在企业级数据工作空间（如Clay）中配置完善的角色权限控制（RBAC）和治理机制。内容涵盖了如何定义管理员、成员和查看者等不同角色权限，管理团队额度预算、隔离API密钥，以及执行季度访问审计，确保数据安全和团队协作的规范化。

SaaS 权限管理角色控制数据治理企业级

获取技能

190 次下载

概览

Clay Enterprise RBAC

Overview

Control access to Clay tables, enrichment credits, and integrations at the team level. Clay uses a workspace model where team members are assigned Admin, Member, or Viewer roles. This skill covers role assignment, credit budget allocation, API key isolation, and audit procedures.

Prerequisites

Clay Team or Enterprise plan
Workspace admin privileges
Understanding of team structure and data access needs

Instructions

Step 1: Define Role Matrix

Clay has three built-in roles with fixed permissions:

Capability	Admin	Member	Viewer
Manage workspace members	Yes	No	No
Manage billing and credits	Yes	No	No
Create/delete tables	Yes	Yes	No
Run enrichments	Yes	Yes	No
Configure integrations	Yes	No	No
Export data	Yes	Yes	Yes
View all tables	Yes	Yes	Yes

Recommended role assignments:

roles:
  admin:
    assign_to:
      - Revenue Operations Lead
      - GTM Engineering Lead
    why: "Controls billing, integrations, and team access"

  member:
    assign_to:
      - SDRs building prospect lists
      - Growth engineers building pipelines
      - Marketing ops running enrichment campaigns
    why: "Can create tables and run enrichments but can't change billing or integrations"

  viewer:
    assign_to:
      - Sales managers reviewing lead quality
      - Executives checking pipeline metrics
      - Finance reviewing credit usage
    why: "Read-only access to enriched data and exports"

Step 2: Invite and Manage Team Members

In Clay UI: Settings > Members > Invite

Best practices:

Use company email addresses (not personal)
Start new members as Viewers until they complete Clay training
Audit member list quarterly -- remove departed employees immediately

Step 3: Isolate API Keys by Integration

Create separate API keys for each downstream system to enable independent revocation:

api_keys:
  crm-sync-prod:
    purpose: "HubSpot CRM sync from Clay"
    used_by: "HTTP API column in Outbound Leads table"
    rotation: quarterly

  outbound-instantly:
    purpose: "Push qualified leads to Instantly.ai"
    used_by: "HTTP API column for outreach"
    rotation: quarterly

  internal-dashboard:
    purpose: "Pull enrichment metrics for internal dashboard"
    used_by: "Cron job reading Clay table stats"
    rotation: quarterly

  ci-testing:
    purpose: "Integration tests in CI pipeline"
    used_by: "GitHub Actions workflow"
    rotation: on-demand

Step 4: Set Credit Budget Controls

Since Clay doesn't have per-user credit budgets natively, implement controls at the table level:

// src/clay/budget-controls.ts
interface TableBudget {
  tableId: string;
  tableName: string;
  maxRows: number;           // Prevent over-enrichment
  autoEnrich: boolean;       // Control automatic processing
  owner: string;             // Team member responsible
  monthlyCreditsEstimate: number;
}

const TABLE_BUDGETS: TableBudget[] = [
  {
    tableId: 'outbound-leads',
    tableName: 'Outbound Leads',
    maxRows: 5000,
    autoEnrich: true,
    owner: 'sdr-team@company.com',
    monthlyCreditsEstimate: 3000,
  },
  {
    tableId: 'event-attendees',
    tableName: 'Event Attendees',
    maxRows: 1000,
    autoEnrich: false,  // Manual trigger only
    owner: 'marketing@company.com',
    monthlyCreditsEstimate: 600,
  },
  {
    tableId: 'inbound-leads',
    tableName: 'Inbound Leads',
    maxRows: 2000,
    autoEnrich: true,
    owner: 'growth-eng@company.com',
    monthlyCreditsEstimate: 1200,
  },
];

function auditBudgets(budgets: TableBudget[]): void {
  const totalEstimate = budgets.reduce((sum, b) => sum + b.monthlyCreditsEstimate, 0);
  console.log(`=== Clay Credit Budget Audit ===`);
  for (const b of budgets) {
    console.log(`  ${b.tableName}: ${b.maxRows} rows, ~${b.monthlyCreditsEstimate} credits/mo (owner: ${b.owner})`);
  }
  console.log(`  Total monthly estimate: ${totalEstimate} credits`);
}

Step 5: Quarterly Access Audit

## Clay Workspace Access Audit Checklist

- [ ] Review all workspace members — remove former employees
- [ ] Verify role assignments match current job functions
- [ ] Check API key usage — revoke unused keys
- [ ] Review table access — archive unused tables
- [ ] Audit credit usage by table — identify waste
- [ ] Verify provider API key connections are current
- [ ] Update API key rotation log
- [ ] Review and update table row limits
- [ ] Check webhook submission counts (approaching 50K?)
- [ ] Document any new tables or integrations added

Error Handling

Issue	Cause	Solution
`403` on table creation	User is Viewer role	Upgrade to Member role
Credits exhausted mid-campaign	No budget cap on table	Set max_rows on table
Integration key rejected	Key was revoked	Generate new key, update integration config
Unauthorized data export	Viewer exported sensitive data	Review export audit log
Former employee still has access	No offboarding process	Immediate removal on departure

Resources

Next Steps

For migration strategies, see clay-migration-deep-dive.

信息

Category 产品商业

Name clay-enterprise-rbac

版本 v20260423

大小 5.89KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28