Grammarly企业RBAC配置指南

v20260423

grammarly-enterprise-rbac

本指南详细介绍了Grammarly企业版中角色访问控制（RBAC）的配置与管理。内容涵盖组织管理员、团队管理员等不同角色的权限划分、API安全集成、用户权限审计以及如何确保系统符合HIPAA和SOC 2等合规标准。

Grammarly 企业级 RBAC 安全 API 治理 SaaS

获取技能

367 次下载

概览

Grammarly Enterprise RBAC

Overview

Grammarly enterprise deployments manage writing quality across teams with different access levels. Organization admins control style guides, tone profiles, and brand rules. Team admins assign seats and configure suggestion types (clarity, engagement, delivery). Members write with team defaults while guests get read-only access to shared documents. HIPAA and SOC 2 compliance in regulated industries require audit trails on who accessed which writing suggestions and AI detection results.

Role Hierarchy

Role	Permissions	Scope
Org Admin	Manage billing, SSO config, all style guides, API credentials	Organization-wide
Team Admin	Assign seats, configure suggestion settings, manage style guides	Own team
Member	Write with team settings, access scoring and AI detection APIs	Own team
Guest	View shared documents, read-only style guide access	Invited documents only
API Service	OAuth-scoped access to scoring, AI detection, plagiarism APIs	Per-credential scope

Permission Check

async function checkGrammarlyAccess(userId: string, team: string, scope: string): Promise<boolean> {
  const response = await fetch(`${GRAMMARLY_API}/organizations/${ORG_ID}/permissions`, {
    headers: { Authorization: `Bearer ${GRAMMARLY_OAUTH_TOKEN}`, 'Content-Type': 'application/json' },
  });
  const perms = await response.json();
  const userPerms = perms.members.find((m: any) => m.id === userId);
  if (!userPerms) return false;
  return userPerms.team === team && userPerms.scopes.includes(scope);
}

Role Assignment

async function assignTeamRole(email: string, team: string, role: 'admin' | 'member' | 'guest'): Promise<void> {
  await fetch(`${GRAMMARLY_API}/organizations/${ORG_ID}/teams/${team}/members`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${GRAMMARLY_OAUTH_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, role }),
  });
}

async function revokeTeamAccess(email: string, team: string): Promise<void> {
  await fetch(`${GRAMMARLY_API}/organizations/${ORG_ID}/teams/${team}/members/${email}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${GRAMMARLY_OAUTH_TOKEN}` },
  });
}

Audit Logging

interface GrammarlyAuditEntry {
  timestamp: string; userId: string; team: string;
  action: 'score_check' | 'ai_detection' | 'plagiarism_scan' | 'style_guide_edit' | 'seat_change';
  scope: string; documentId?: string; result: 'allowed' | 'denied';
}

function logAccess(entry: GrammarlyAuditEntry): void {
  console.log(JSON.stringify({ ...entry, orgId: process.env.GRAMMARLY_ORG_ID }));
}

RBAC Checklist

Separate OAuth credentials per team, never share org-level keys
OAuth scopes limited to required APIs per team (score, AI, plagiarism)
Style guide editing restricted to team admins and above
Guest role enforced for external collaborators
API token rotation enforced quarterly
SSO/SAML configured for all user authentication
Seat usage audited monthly to reclaim inactive licenses

Error Handling

Issue	Cause	Fix
`401 Unauthorized` on API call	Expired OAuth token	Refresh token or regenerate credentials
User cannot access AI detection	Team lacks `ai-detection:read` scope	Add scope to team's OAuth client
Style guide edits not saving	User has member role, not admin	Promote to team admin or request admin to edit
Guest sees full suggestion set	Role not properly scoped on invite	Re-invite with explicit guest role
Seat limit reached	All team licenses assigned	Remove inactive members or purchase additional seats

Resources

Next Steps

See grammarly-security-basics.

信息

Category 编程开发

Name grammarly-enterprise-rbac

版本 v20260423

大小 4.43KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28