Why Use This
This skill provides specialized capabilities for jeremylongshore's codebase.
Use Cases
- Developing new features in the jeremylongshore repository
- Refactoring existing code to follow jeremylongshore standards
- Understanding and working with jeremylongshore's codebase structure
Install Guide
Install inside Ananke
Click Install Skill, paste the link below, then press Install.
https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/main/plugins/saas-packs/granola-pack/skills/granola-multi-env-setup
Source & Community
Updated At May 23, 2026, 05:41 AM
Skill Stats
SKILL.md 192 Lines
Total Files 2
Total Size 7.6 KB
License MIT
---
name: granola-multi-env-setup
description: 'Configure Granola across multiple workspaces and teams with SSO/SCIM
provisioning.
Use when setting up department-level workspaces, configuring user provisioning,
or managing enterprise-scale Granola deployments.
Trigger: "granola workspaces", "granola multi-team", "granola SSO",
"granola SCIM", "granola organization setup".
'
allowed-tools: Read, Write, Edit
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
tags:
- saas
- granola
- deployment
- scaling
- enterprise
compatibility: Designed for Claude Code, also compatible with Codex and OpenClaw
---
# Granola Multi-Environment Setup
## Overview
Configure Granola for multi-workspace enterprise deployments with SSO-based user provisioning, per-workspace integration configuration, and compliance controls. Each workspace operates as an isolated unit with its own folders, integrations, sharing rules, and retention policies.
## Prerequisites
- Granola Enterprise plan ($35+/user/month)
- Organization admin access in Granola
- Identity provider configured (Okta, Azure AD, or Google Workspace)
- Team structure and workspace plan documented
## Instructions
### Step 1 — Plan Workspace Structure
Map your organization to Granola workspaces:
| Workspace | Owner | Members | Purpose |
|-----------|-------|---------|---------|
| Engineering | VP Engineering | All engineers | Sprint planning, architecture, standups |
| Sales | VP Sales | Sales team + SDRs | Discovery calls, demos, pipeline reviews |
| Product | Head of Product | PMs + designers | Customer feedback, design reviews, PRDs |
| Customer Success | CS Lead | CS managers | Onboarding calls, QBRs, escalations |
| HR | HR Director | HR team | Interviews, 1-on-1s, performance reviews |
| Executive | CEO | C-suite | Board meetings, strategy, M&A |
### Step 2 — Create Workspaces
1. Navigate to Organization Settings > **Workspaces**
2. For each workspace:
- **Name:** Department name (e.g., "Engineering")
- **Description:** Purpose and scope
- **Owner:** Department lead (Workspace Admin role)
- **Privacy:** Private (members only) or Internal (org-visible)
- **Default sharing:** Private for new notes
### Step 3 — Configure SSO and User Provisioning
**SSO Setup (Okta example):**
1. Organization Settings > **Security** > **SSO**
2. Choose SAML 2.0 or OIDC
3. Configure in your IdP:
- Entity ID: `https://app.granola.ai/sso/{org-slug}`
- ACS URL: `https://app.granola.ai/sso/callback`
- Name ID: Email address
4. Test with a pilot user before enforcing org-wide
**SCIM Provisioning:**
1. Organization Settings > **Security** > **SCIM**
2. Generate SCIM token
3. Configure in your IdP:
- SCIM endpoint: `https://api.granola.ai/scim/v2/{org-id}`
- Bearer token: Generated in step 2
4. Map IdP groups to Granola workspaces and roles:
| IdP Group | Granola Workspace | Role |
|-----------|------------------|------|
| `granola-engineering` | Engineering | Member |
| `granola-engineering-leads` | Engineering | Admin |
| `granola-sales` | Sales | Member |
| `granola-hr` | HR | Member |
| `granola-executives` | Executive | Admin |
**Just-in-Time (JIT) Provisioning:**
Enable JIT so users are auto-provisioned on first SSO login without manual invitation. Map their IdP groups to workspace membership.
### Step 4 — Configure Per-Workspace Integrations
Each workspace can have independent integration configurations:
| Workspace | Slack Channel | CRM | Notion Database | Task Tool |
|-----------|-------------|-----|----------------|-----------|
| Engineering | #eng-meetings | — | Engineering Wiki | Linear |
| Sales | #sales-notes | HubSpot | Sales Playbook | — |
| Product | #product-feedback | — | Product Insights | Linear |
| Customer Success | #cs-updates | Attio | CS Knowledge Base | — |
| HR | (none) | — | (none) | — |
| Executive | (none) | — | Private Board DB | — |
Configure in each workspace: Settings > Integrations. Each workspace's integrations are independent — connecting Slack in Engineering does not affect Sales.
### Step 5 — Set Compliance Controls Per Workspace
| Workspace | Data Retention (Notes) | Data Retention (Transcripts) | External Sharing | Audit Logging |
|-----------|----------------------|----------------------------|-----------------|---------------|
| Engineering | 2 years | 90 days | Allowed (admin approval) | On |
| Sales | 1 year | 90 days | Allowed (for client follow-up) | On |
| Product | 2 years | 90 days | Allowed (admin approval) | On |
| HR | **90 days** | **30 days** | **Prohibited** | On |
| Executive | **Custom (legal hold)** | **30 days** | **Prohibited** | On |
**Sensitive workspace hardening (HR, Executive):**
```
Workspace Settings > Security:
External sharing: Disabled
Public links: Disabled
Link expiration: 7 days (if any sharing enabled)
MFA required: Yes (beyond SSO)
Session timeout: 4 hours
AI training opt-out: Enforced
IP allowlist: Enabled (office IPs only)
```
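A drift check for the hardening values above, added here as an illustration and not part of the skill or of Granola's tooling. The setting key names and the exported-settings dictionary are assumptions, since the page does not document an export format; a missing key is treated as a failure.

```python
# Added example: drift check against the hardening values listed above.
# Setting key names are hypothetical, not a documented Granola export schema.
BASELINE = {
    "external_sharing": False,
    "public_links": False,
    "mfa_required": True,
    "ai_training_opt_out": True,
    "ip_allowlist_enabled": True,
}
MAX_SESSION_HOURS = 4
MAX_LINK_EXPIRY_DAYS = 7
SENSITIVE = {"HR", "Executive"}


def audit_workspace(name, settings):
    """Return a list of findings; non-sensitive workspaces are out of scope."""
    if name not in SENSITIVE:
        return []
    findings = []
    for key, required in BASELINE.items():
        actual = settings.get(key)  # a missing key is treated as drift
        if actual is not required:
            findings.append(f"{name}: {key} is {actual!r}, baseline {required!r}")
    timeout = settings.get("session_timeout_hours")
    if not isinstance(timeout, (int, float)) or timeout > MAX_SESSION_HOURS:
        findings.append(f"{name}: session timeout {timeout!r} missing or above {MAX_SESSION_HOURS}h")
    # Link expiry only matters if some form of sharing is switched on.
    if settings.get("external_sharing") or settings.get("public_links"):
        expiry = settings.get("link_expiry_days")
        if not isinstance(expiry, int) or expiry > MAX_LINK_EXPIRY_DAYS:
            findings.append(f"{name}: link expiry {expiry!r} missing or above {MAX_LINK_EXPIRY_DAYS}d")
    return findings


# Constructed sample settings, not real tenant data.
SAMPLE = {
    "HR": {"external_sharing": False, "public_links": True, "mfa_required": True,
           "ai_training_opt_out": True, "session_timeout_hours": 8,
           "link_expiry_days": 30},
    "Executive": {"external_sharing": False, "public_links": False,
                  "mfa_required": True, "ai_training_opt_out": True,
                  "ip_allowlist_enabled": True, "session_timeout_hours": 4},
    "Sales": {"external_sharing": True},
}

if __name__ == "__main__":
    for ws, cfg in SAMPLE.items():
        for finding in audit_workspace(ws, cfg):
            print(finding)
```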
### Step 6 — Role Hierarchy and Permissions
| Role | Create Notes | Share Internally | Share Externally | Manage Members | Manage Settings |
|------|-------------|-----------------|-----------------|---------------|----------------|
| Org Owner | Yes | Yes | Yes | Yes (all workspaces) | Yes (org-level) |
| Workspace Admin | Yes | Yes | Yes (if policy allows) | Yes (own workspace) | Yes (workspace) |
| Team Lead | Yes | Yes | Yes (if policy allows) | View only | No |
| Member | Yes | Yes | No (unless admin approves) | No | No |
| Viewer | No | Read-only | No | No | No |
| Guest | No | Single workspace read | No | No | No |
### Step 7 — Validate and Monitor
**Validation checklist:**
- [ ] All workspaces created with correct owners
- [ ] SSO login tested with users from each IdP group
- [ ] SCIM sync verified (user added to IdP group → appears in workspace)
- [ ] Per-workspace integrations tested with sample meetings
- [ ] Compliance settings verified for sensitive workspaces (HR, Executive)
- [ ] Cross-workspace search working for admin users
- [ ] Audit logs capturing expected events
**Ongoing monitoring:**
- Monthly: Review workspace membership, deactivate departed users
- Quarterly: Access review across all workspaces (principle of least privilege)
- Annual: Re-certify compliance settings, update retention policies
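One way to script the monthly and quarterly reviews, using the IdP group mapping from Step 3 (an added example, not the skill's own code). The user records are a constructed IdP export, the approved roster for sensitive workspaces is hypothetical, and "highest role wins" when a user is in several groups for one workspace is an assumption about role resolution.

```python
# Added example: access review over an IdP export, using the Step 3 mapping.
ROLE_RANK = {"Member": 1, "Admin": 2}
GROUP_MAP = {
    "granola-engineering": ("Engineering", "Member"),
    "granola-engineering-leads": ("Engineering", "Admin"),
    "granola-sales": ("Sales", "Member"),
    "granola-hr": ("HR", "Member"),
    "granola-executives": ("Executive", "Admin"),
}
SENSITIVE = {"HR", "Executive"}


def effective_access(groups):
    """Collapse IdP groups into {workspace: role}; also return unmapped groups."""
    access, unmapped = {}, []
    for group in groups:
        if group not in GROUP_MAP:
            if group.startswith("granola-"):
                unmapped.append(group)  # intended for Granola but maps nowhere
            continue
        workspace, role = GROUP_MAP[group]
        # Assumption: the highest role wins when groups overlap.
        if ROLE_RANK[role] > ROLE_RANK.get(access.get(workspace), 0):
            access[workspace] = role
    return access, unmapped


def review(users, approved_sensitive):
    """Return (email, finding) tuples for the reviewer to act on."""
    findings = []
    for user in users:
        access, unmapped = effective_access(user["groups"])
        if not user["active"] and access:
            findings.append((user["email"], "inactive user still has workspace access"))
        for group in unmapped:
            findings.append((user["email"], f"group {group} has no workspace mapping"))
        for workspace in sorted(SENSITIVE & access.keys()):
            if user["email"] not in approved_sensitive.get(workspace, set()):
                findings.append((user["email"], f"unapproved access to {workspace}"))
    return findings


# Constructed sample data; addresses and roster are placeholders.
USERS = [
    {"email": "ana@example.com", "active": True,
     "groups": ["granola-engineering", "granola-engineering-leads"]},
    {"email": "bo@example.com", "active": False, "groups": ["granola-sales"]},
    {"email": "cy@example.com", "active": True,
     "groups": ["granola-engineering", "granola-hr"]},
    {"email": "di@example.com", "active": True,
     "groups": ["granola-product", "granola-executives"]},
]
APPROVED = {"HR": set(), "Executive": {"di@example.com"}}
```

The `granola-product` finding in the sample reflects the Step 3 table as written: it maps no IdP group to the Product or Customer Success workspaces.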
## Output
- Multi-workspace topology deployed and configured
- SSO and SCIM provisioning operational
- Per-workspace integrations connected and tested
- Compliance controls applied with sensitive workspace hardening
- Role hierarchy documented and enforced
## Error Handling
| Error | Cause | Fix |
|-------|-------|-----|
| User lands in wrong workspace | SSO group mapping incorrect | Fix IdP group → workspace mapping |
| SCIM sync fails | Token expired or endpoint wrong | Regenerate SCIM token, verify endpoint URL |
| Cross-workspace notes invisible | User not added to target workspace | Add user to workspace or grant Viewer role |
| Integration not syncing in workspace | Connected to different workspace | Reconnect integration within the correct workspace context |
| JIT provisioning creates duplicate users | Multiple IdP groups | Consolidate groups, ensure one user maps to one account |
## Resources
- [Granola Enterprise](https://www.granola.ai/security)
- [Signing In and Calendar Connection](https://docs.granola.ai/help-center/signing-in-and-connecting-your-calendar)
- [Sign In with Microsoft](https://docs.granola.ai/help-center/sign-in-with-microsoft)
- [Security Standards](https://docs.granola.ai/help-center/consent-security-privacy/our-security-standards)
## Next Steps
Proceed to `granola-observability` for meeting analytics and monitoring.