apollo-enterprise-rbac
@jeremylongshore/apollo-enterprise-rbac
Enterprise role-based access control for Apollo.io. Use when implementing team permissions, restricting data access, or setting up enterprise security controls. Trigger with phrases like "apollo rbac", "apollo permissions", "apollo roles", "apollo team access", "apollo enterprise security".
Installation
$skills install @jeremylongshore/apollo-enterprise-rbac
Claude Code
Cursor
Copilot
Codex
Antigravity
Details
Pathplugins/saas-packs/apollo-pack/skills/apollo-enterprise-rbac/SKILL.md
Branchmain
Scoped Name@jeremylongshore/apollo-enterprise-rbac
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
skills listSkill Instructions
name: apollo-enterprise-rbac description: | Enterprise role-based access control for Apollo.io. Use when implementing team permissions, restricting data access, or setting up enterprise security controls. Trigger with phrases like "apollo rbac", "apollo permissions", "apollo roles", "apollo team access", "apollo enterprise security". allowed-tools: Read, Write, Edit, Bash(kubectl:), Bash(curl:) version: 1.0.0 license: MIT author: Jeremy Longshore jeremy@intentsolutions.io
Apollo Enterprise RBAC
Overview
Implement role-based access control for Apollo.io integrations with granular permissions, team isolation, and audit trails.
Role Hierarchy
Super Admin
|
+-- Admin
| |
| +-- Sales Manager
| | |
| | +-- Sales Rep
| |
| +-- Marketing Manager
| |
| +-- Marketing User
|
+-- Read Only
Permission Definitions
// src/lib/rbac/permissions.ts
export const PERMISSIONS = {
// Contact permissions
'contacts:read': 'View contact information',
'contacts:create': 'Add new contacts',
'contacts:update': 'Edit contact information',
'contacts:delete': 'Delete contacts',
'contacts:export': 'Export contact data',
'contacts:reveal_email': 'Reveal email addresses (uses credits)',
// Search permissions
'search:basic': 'Basic people search',
'search:advanced': 'Advanced search filters',
'search:bulk': 'Bulk search operations',
// Enrichment permissions
'enrich:person': 'Enrich individual contacts',
'enrich:company': 'Enrich company data',
'enrich:bulk': 'Bulk enrichment operations',
// Sequence permissions
'sequences:read': 'View sequences',
'sequences:create': 'Create new sequences',
'sequences:edit': 'Edit sequences',
'sequences:delete': 'Delete sequences',
'sequences:enroll': 'Add contacts to sequences',
'sequences:send': 'Send emails through sequences',
// Admin permissions
'admin:users': 'Manage users',
'admin:roles': 'Manage roles',
'admin:settings': 'Configure settings',
'admin:billing': 'View/manage billing',
'admin:audit': 'View audit logs',
'admin:api_keys': 'Manage API keys',
} as const;
export type Permission = keyof typeof PERMISSIONS;
Role Definitions
// src/lib/rbac/roles.ts
import { Permission } from './permissions';
interface Role {
name: string;
description: string;
permissions: Permission[];
inherits?: string[];
}
export const ROLES: Record<string, Role> = {
super_admin: {
name: 'Super Admin',
description: 'Full system access',
permissions: Object.keys(PERMISSIONS) as Permission[],
},
admin: {
name: 'Admin',
description: 'Administrative access without billing',
permissions: [
'contacts:read', 'contacts:create', 'contacts:update', 'contacts:delete', 'contacts:export',
'search:basic', 'search:advanced', 'search:bulk',
'enrich:person', 'enrich:company', 'enrich:bulk',
'sequences:read', 'sequences:create', 'sequences:edit', 'sequences:delete', 'sequences:enroll', 'sequences:send',
'admin:users', 'admin:roles', 'admin:settings', 'admin:audit',
],
},
sales_manager: {
name: 'Sales Manager',
description: 'Manage sales team and sequences',
permissions: [
'contacts:read', 'contacts:create', 'contacts:update', 'contacts:export', 'contacts:reveal_email',
'search:basic', 'search:advanced',
'enrich:person', 'enrich:company',
'sequences:read', 'sequences:create', 'sequences:edit', 'sequences:enroll', 'sequences:send',
],
},
sales_rep: {
name: 'Sales Representative',
description: 'Basic sales access',
permissions: [
'contacts:read', 'contacts:create', 'contacts:update', 'contacts:reveal_email',
'search:basic',
'enrich:person',
'sequences:read', 'sequences:enroll',
],
},
marketing_manager: {
name: 'Marketing Manager',
description: 'Manage marketing campaigns',
permissions: [
'contacts:read', 'contacts:export',
'search:basic', 'search:advanced', 'search:bulk',
'enrich:person', 'enrich:company', 'enrich:bulk',
'sequences:read', 'sequences:create', 'sequences:edit',
],
},
marketing_user: {
name: 'Marketing User',
description: 'Basic marketing access',
permissions: [
'contacts:read',
'search:basic',
'sequences:read',
],
},
read_only: {
name: 'Read Only',
description: 'View-only access',
permissions: [
'contacts:read',
'search:basic',
'sequences:read',
],
},
};
RBAC Service
// src/services/rbac/rbac.service.ts
import { User } from '../../models/user.model';
import { ROLES } from '../../lib/rbac/roles';
import { Permission } from '../../lib/rbac/permissions';
export class RBACService {
async getUserPermissions(userId: string): Promise<Permission[]> {
const user = await prisma.user.findUnique({
where: { id: userId },
include: {
roles: true,
customPermissions: true,
},
});
if (!user) {
return [];
}
const permissions = new Set<Permission>();
// Add role permissions
for (const role of user.roles) {
const roleDef = ROLES[role.name];
if (roleDef) {
roleDef.permissions.forEach(p => permissions.add(p));
}
}
// Add custom permissions
user.customPermissions.forEach(p => {
if (p.granted) {
permissions.add(p.permission as Permission);
} else {
permissions.delete(p.permission as Permission);
}
});
return Array.from(permissions);
}
async hasPermission(userId: string, permission: Permission): Promise<boolean> {
const permissions = await this.getUserPermissions(userId);
return permissions.includes(permission);
}
async hasAnyPermission(userId: string, permissions: Permission[]): Promise<boolean> {
const userPermissions = await this.getUserPermissions(userId);
return permissions.some(p => userPermissions.includes(p));
}
async hasAllPermissions(userId: string, permissions: Permission[]): Promise<boolean> {
const userPermissions = await this.getUserPermissions(userId);
return permissions.every(p => userPermissions.includes(p));
}
}
export const rbac = new RBACService();
Permission Middleware
// src/middleware/rbac.middleware.ts
import { Request, Response, NextFunction } from 'express';
import { rbac } from '../services/rbac/rbac.service';
import { Permission } from '../lib/rbac/permissions';
export function requirePermission(...permissions: Permission[]) {
return async (req: Request, res: Response, next: NextFunction) => {
const userId = req.user?.id;
if (!userId) {
return res.status(401).json({ error: 'Authentication required' });
}
const hasPermission = await rbac.hasAnyPermission(userId, permissions);
if (!hasPermission) {
// Audit failed access attempt
await auditLog.create({
action: 'PERMISSION_DENIED',
actor: userId,
resource: req.path,
metadata: { requiredPermissions: permissions },
});
return res.status(403).json({
error: 'Permission denied',
required: permissions,
});
}
next();
};
}
// Usage in routes
router.get('/contacts',
requirePermission('contacts:read'),
contactController.list
);
router.post('/contacts',
requirePermission('contacts:create'),
contactController.create
);
router.delete('/contacts/:id',
requirePermission('contacts:delete'),
contactController.delete
);
router.post('/search/bulk',
requirePermission('search:bulk', 'search:advanced'),
searchController.bulkSearch
);
Team-Based Access Control
// src/services/rbac/team-access.ts
export class TeamAccessService {
async getAccessibleContacts(
userId: string,
teamId: string
): Promise<string[]> {
// Check user's team membership
const membership = await prisma.teamMember.findFirst({
where: { userId, teamId },
include: { team: true },
});
if (!membership) {
return [];
}
// Build access scope
const accessScope = await this.buildAccessScope(userId, membership);
// Return contact IDs user can access
const contacts = await prisma.contact.findMany({
where: accessScope,
select: { id: true },
});
return contacts.map(c => c.id);
}
private async buildAccessScope(
userId: string,
membership: TeamMembership
): Promise<any> {
// Team admins can see all team contacts
if (membership.role === 'admin' || membership.role === 'manager') {
return { teamId: membership.teamId };
}
// Regular members see own contacts + shared
return {
OR: [
{ ownerId: userId },
{ sharedWith: { some: { userId } } },
{ teamId: membership.teamId, isPublic: true },
],
};
}
}
// Middleware for team-scoped access
export function requireTeamAccess(resourceType: string) {
return async (req: Request, res: Response, next: NextFunction) => {
const userId = req.user?.id;
const resourceId = req.params.id;
const hasAccess = await teamAccess.canAccessResource(
userId,
resourceType,
resourceId
);
if (!hasAccess) {
return res.status(403).json({
error: 'You do not have access to this resource',
});
}
next();
};
}
API Key Scoping
// src/lib/rbac/api-key-scope.ts
interface ApiKeyScope {
permissions: Permission[];
rateLimit: number;
ipAllowlist?: string[];
expiresAt?: Date;
}
export async function createScopedApiKey(
userId: string,
scope: ApiKeyScope
): Promise<string> {
// Validate user has the permissions they're granting
const userPermissions = await rbac.getUserPermissions(userId);
const invalidPermissions = scope.permissions.filter(
p => !userPermissions.includes(p)
);
if (invalidPermissions.length > 0) {
throw new Error(`Cannot grant permissions you don't have: ${invalidPermissions.join(', ')}`);
}
// Generate key
const apiKey = generateSecureKey();
// Store with scope
await prisma.apiKey.create({
data: {
key: hashApiKey(apiKey),
userId,
permissions: scope.permissions,
rateLimit: scope.rateLimit,
ipAllowlist: scope.ipAllowlist,
expiresAt: scope.expiresAt,
},
});
return apiKey;
}
// Middleware to enforce API key scope
export function enforceApiKeyScope(requiredPermissions: Permission[]) {
return async (req: Request, res: Response, next: NextFunction) => {
const apiKey = req.headers['x-api-key'];
if (!apiKey) {
return res.status(401).json({ error: 'API key required' });
}
const keyRecord = await prisma.apiKey.findFirst({
where: { key: hashApiKey(apiKey as string) },
});
if (!keyRecord) {
return res.status(401).json({ error: 'Invalid API key' });
}
// Check expiration
if (keyRecord.expiresAt && new Date() > keyRecord.expiresAt) {
return res.status(401).json({ error: 'API key expired' });
}
// Check IP allowlist
if (keyRecord.ipAllowlist?.length > 0) {
const clientIp = req.ip;
if (!keyRecord.ipAllowlist.includes(clientIp)) {
return res.status(403).json({ error: 'IP not allowed' });
}
}
// Check permissions
const hasPermission = requiredPermissions.every(
p => keyRecord.permissions.includes(p)
);
if (!hasPermission) {
return res.status(403).json({
error: 'API key lacks required permissions',
required: requiredPermissions,
});
}
next();
};
}
Admin Dashboard
// src/routes/admin/rbac.ts
router.get('/users/:id/permissions',
requirePermission('admin:users'),
async (req, res) => {
const permissions = await rbac.getUserPermissions(req.params.id);
res.json({ permissions });
}
);
router.post('/users/:id/roles',
requirePermission('admin:roles'),
async (req, res) => {
const { roles } = req.body;
await rbac.assignRoles(req.params.id, roles);
res.json({ success: true });
}
);
router.get('/audit/access-denied',
requirePermission('admin:audit'),
async (req, res) => {
const logs = await prisma.auditLog.findMany({
where: { action: 'PERMISSION_DENIED' },
orderBy: { createdAt: 'desc' },
take: 100,
});
res.json({ logs });
}
);
Output
- Role-based permission system
- Team-based access control
- API key scoping
- Permission middleware
- Admin dashboard endpoints
Error Handling
| Issue | Resolution |
|---|---|
| Missing permissions | Request role upgrade |
| Team access denied | Check team membership |
| API key scope error | Regenerate with correct scope |
| Role conflict | Higher role takes precedence |
Resources
Next Steps
Proceed to apollo-migration-deep-dive for migration strategies.
More by jeremylongshore
View allrabbitmq-queue-setup
1,004Rabbitmq Queue Setup - Auto-activating skill for Backend Development. Triggers on: rabbitmq queue setup, rabbitmq queue setup Part of the Backend Development skill category.
model-evaluation-suite
1,004evaluating-machine-learning-models: This skill allows Claude to evaluate machine learning models using a comprehensive suite of metrics. It should be used when the user requests model performance analysis, validation, or testing. Claude can use this skill to assess model accuracy, precision, recall, F1-score, and other relevant metrics. Trigger this skill when the user mentions "evaluate model", "model performance", "testing metrics", "validation results", or requests a comprehensive "model evaluation".
neural-network-builder
1,004building-neural-networks: This skill allows Claude to construct and configure neural network architectures using the neural-network-builder plugin. It should be used when the user requests the creation of a new neural network, modification of an existing one, or assistance with defining the layers, parameters, and training process. The skill is triggered by requests involving terms like "build a neural network," "define network architecture," "configure layers," or specific mentions of neural network types (e.g., "CNN," "RNN," "transformer").
oauth-callback-handler
1,004Oauth Callback Handler - Auto-activating skill for API Integration. Triggers on: oauth callback handler, oauth callback handler Part of the API Integration skill category.