windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
What this skill does
# Windsurf Enterprise RBAC
## Overview
Manage enterprise Windsurf deployment: SSO/SAML configuration, role-based seat management, organization-wide AI policies, and admin portal controls. Covers Teams and Enterprise plan features.
## Prerequisites
- Windsurf Teams ($30/user/mo) or Enterprise (custom pricing) plan
- Organization admin access at windsurf.com/dashboard
- Identity provider for SSO (Enterprise only): Okta, Entra ID, Google Workspace
## Instructions
### Step 1: Configure SSO / SAML (Enterprise Only)
Navigate to Admin Dashboard > Security > SSO:
```yaml
# SSO Configuration Steps
sso_setup:
1_choose_idp:
supported: ["Okta", "Microsoft Entra ID", "Google Workspace", "Any SAML 2.0 IdP"]
2_configure_saml:
entity_id: "https://windsurf.com/saml/your-org-id"
acs_url: "https://windsurf.com/saml/callback"
# Get these from Admin Dashboard > SSO > SAML Configuration
3_idp_settings:
# Configure in your IdP:
sign_on_url: "https://windsurf.com/saml/login/your-org-id"
audience_uri: "https://windsurf.com/saml/your-org-id"
name_id_format: "emailAddress"
attribute_statements:
email: "user.email"
firstName: "user.firstName"
lastName: "user.lastName"
4_enforce:
enforce_sso: true # Block password login after SSO is verified
auto_provision: true # New IdP users get Windsurf seats automatically
domain_restriction: ["yourcompany.com"] # Only allow company emails
```
### Step 2: Configure Roles and Permissions
```yaml
# Windsurf RBAC Model
roles:
owner:
description: "Organization owner — full control"
permissions:
- Manage billing and subscription
- Add/remove admins
- Configure SSO
- View all analytics
- Manage all seats
admin:
description: "Team administrator"
permissions:
- Add/remove members
- Assign seat tiers (Pro, Free)
- View team analytics
- Configure org-wide settings
- Manage MCP server allowlist
member:
description: "Standard developer"
permissions:
- Use assigned AI features
- Configure personal settings
- Create workspace rules
- Cannot view team analytics
# Assign roles via Admin Dashboard > Members > Edit Role
```
### Step 3: Organization-Wide AI Policies
```yaml
# Admin Dashboard > Settings > AI Policies
org_policies:
# Control which AI models are available
allowed_models:
- "swe-1"
- "swe-1-lite"
- "claude-sonnet"
# Disable models not approved by security team
# Terminal command execution controls
cascade_terminal:
max_execution_level: "normal" # Options: turbo, normal, manual
global_deny_list:
- "rm -rf"
- "sudo"
- "curl | bash"
- "DROP TABLE"
- "format"
# Data controls
data_policies:
telemetry: "off" # No telemetry for enterprise
data_retention: "zero" # Zero-data retention
code_context_sharing: "workspace_only" # AI sees only current workspace
# Feature controls
feature_flags:
previews_enabled: true
mcp_enabled: true
workflows_enabled: true
auto_deploy_enabled: false # Disable direct deployment from IDE
```
### Step 4: Seat Management Workflow
```yaml
# Seat lifecycle management
seat_management:
onboarding:
1. "Admin invites user via Admin Dashboard > Members > Invite"
2. "User receives email with SSO login link"
3. "SSO authenticates user with company IdP"
4. "User gets assigned tier (Pro/Free) based on role"
5. "User opens project — .windsurfrules provides context"
offboarding:
1. "Disable user in IdP (SSO will auto-block)"
2. "Remove seat in Admin Dashboard > Members"
3. "Seat becomes available for reassignment"
4. "User's local memories/config remain on their machine"
tier_changes:
upgrade: "Admin Dashboard > Members > Select user > Change to Pro"
downgrade: "Admin Dashboard > Members > Select user > Change to Free"
note: "Downgraded users keep Supercomplete, lose Cascade Write mode"
```
### Step 5: Audit and Compliance
```yaml
# Admin Dashboard > Analytics > Audit
audit_capabilities:
available:
- User login events (SSO audit trail)
- Credit usage per user per day
- Feature usage patterns
- Seat assignment changes
- Admin actions
exportable:
- CSV export of member usage
- API access for SIEM integration (Enterprise)
compliance_certifications:
- SOC 2 Type II
- FedRAMP High
- HIPAA BAA (on request)
- GDPR compliant
```
### Step 6: Service Keys for API Access (Enterprise)
```yaml
# For programmatic access to admin APIs
service_keys:
purpose: "CI/CD integration, usage reporting, automated provisioning"
create: "Admin Dashboard > Settings > Service Keys > Create"
scopes:
- "admin:read" — read analytics and member data
- "admin:write" — manage members and settings
- "usage:read" — read usage metrics
rotation: "Rotate every 90 days, revoke immediately on compromise"
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| SSO login fails | SAML certificate expired | Update certificate in IdP and Windsurf |
| User can't access Cascade | No Pro seat assigned | Assign Pro tier in Admin Dashboard |
| Admin can't see analytics | Wrong role | Upgrade to admin role in Dashboard |
| New user auto-provisioned to wrong tier | Default tier not set | Configure default seat tier in Settings |
| Service key rejected | Expired or wrong scope | Generate new key with correct scopes |
## Examples
### Quick Admin Dashboard Tasks
```
Add user: Admin Dashboard > Members > Invite > [email protected]
Remove user: Members > Select > Remove from organization
Change tier: Members > Select > Change Plan > Pro/Free
View usage: Analytics > Overview (or per-member view)
```
### Team Structure Example
```yaml
engineering_org:
platform_team:
seats: 8
tier: Pro
admins: ["[email protected]"]
frontend_team:
seats: 6
tier: Pro
admins: ["[email protected]"]
design_team:
seats: 3
tier: Free # Mainly CSS, limited AI use
contractors:
seats: 4
tier: Free
note: "Temporary, upgrade to Pro if AI use increases"
```
## Resources
- [Windsurf Admin Guide](https://docs.windsurf.com/windsurf/guide-for-admins)
- [Windsurf Enterprise](https://windsurf.com/enterprise)
- [Windsurf Security](https://windsurf.com/security)
## Next Steps
For migration strategies, see `windsurf-migration-deep-dive`.
Related in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.