name	sentry-enterprise-rbac
description	Configure enterprise role-based access control in Sentry. Use when setting up team permissions, SSO integration, or managing organizational access. Trigger with phrases like "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup".
allowed-tools	Read, Write, Edit, Grep
version	1.0.0
license	MIT
author	Jeremy Longshore <jeremy@intentsolutions.io>

Sentry Enterprise RBAC

Overview

Configure role-based access control for enterprise Sentry deployments.

Organization Structure

Hierarchy

Organization
├── Teams
│   ├── Team Members (with roles)
│   └── Team Projects (assigned)
└── Projects
    └── Project Settings

Team Structure Example

Organization: MyCompany
├── Team: Backend
│   ├── Members: alice (admin), bob (member)
│   └── Projects: api, worker, database
├── Team: Frontend
│   ├── Members: charlie (admin), dana (member)
│   └── Projects: web-app, mobile-app
└── Team: DevOps
    ├── Members: eve (owner)
    └── Projects: [all projects - admin access]

Role Definitions

Organization Roles

Role	Permissions
Owner	Full admin, billing, delete org
Manager	Manage teams, members, settings
Admin	Manage projects, integrations
Member	View issues, create alerts
Billing	Manage subscription only

Team Roles

Role	Permissions
Team Admin	Full team management
Contributor	Full issue access
Member	View and comment

Setting Up Teams

Create Team via Dashboard

Settings → Teams → Create Team
Set team name and slug
Assign initial members

Create Team via API

# Create team
curl -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Backend Team", "slug": "backend"}' \
  "https://sentry.io/api/0/organizations/$ORG/teams/"

Add Members to Team

# Add member
curl -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email": "developer@company.com"}' \
  "https://sentry.io/api/0/teams/$ORG/$TEAM/members/"

Project Access Control

Assign Project to Team

curl -X POST \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/projects/$ORG/$PROJECT/teams/$TEAM/"

Remove Team from Project

curl -X DELETE \
  -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/projects/$ORG/$PROJECT/teams/$TEAM/"

SSO Integration

SAML Configuration

Settings → Auth → Configure SAML
Copy ACS URL and Entity ID to IdP
Upload IdP metadata or configure manually:
- IdP Entity ID
- SSO URL
- Certificate

SAML Attribute Mapping

<!-- Required attributes -->
<Attribute Name="email" />

<!-- Optional attributes -->
<Attribute Name="firstName" />
<Attribute Name="lastName" />
<Attribute Name="teams" />  <!-- For auto team assignment -->

SCIM Provisioning

# Enable SCIM
# Settings → Auth → SCIM

# SCIM endpoint
https://sentry.io/api/0/organizations/$ORG/scim/v2/

# Supported resources
- Users
- Groups (Teams)

Auto Team Assignment

// IdP sends team membership
{
  "teams": ["backend", "frontend"],
  "role": "member"
}

API Token Management

Create Organization Token

# Create token with specific scopes
curl -X POST \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI/CD Token",
    "scopes": ["project:releases", "org:read"]
  }' \
  "https://sentry.io/api/0/organizations/$ORG/api-tokens/"

Token Scopes

project:read       - Read project data
project:write      - Modify projects
project:releases   - Create/manage releases
org:read          - Read org data
org:write         - Modify org settings
team:read         - Read team data
team:write        - Manage teams
member:read       - List members
member:write      - Manage members
event:read        - Read events/issues
event:write       - Modify issues
alerts:read       - Read alerts
alerts:write      - Manage alerts

Access Patterns

Team-Isolated Access

Team: Payment-Service
├── Projects: payment-api, payment-worker
├── Members: payment team only
└── Alerts: Route to #payment-alerts

Cross-Team Visibility

Team: SRE
├── Projects: ALL (read access)
├── Role: Manager (org-wide visibility)
└── Purpose: Incident response

Contractor Access

Role: Member (limited)
Access: Specific project only
Duration: Time-limited token
Audit: All actions logged

Audit Logging

Access Audit Log

# Get audit log entries
curl -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
  "https://sentry.io/api/0/organizations/$ORG/audit-logs/"

Audit Events Tracked

Member added/removed
Role changes
Project access changes
SSO configuration changes
API token creation
Settings modifications

Best Practices

Principle of Least Privilege

# Good: Minimal required access
developer:
  role: member
  teams: [their-team]
  projects: [their-projects]

# Avoid: Over-privileged access
developer:
  role: admin
  teams: [all]
  projects: [all]

Team Organization

# Organize by service ownership
teams:
  - name: auth-service
    projects: [auth-api, auth-worker]

  - name: platform
    projects: [all]
    role: read-only

# Not by function (leads to confusion)
teams:
  - name: backend  # Too broad
  - name: frontend # Too broad

Token Hygiene

Rotate tokens quarterly
Use specific scopes
Delete unused tokens
Audit token usage

sentry-enterprise-rbac

Install Skill

SKILL.md

Sentry Enterprise RBAC

Overview

Organization Structure

Hierarchy

Team Structure Example

Role Definitions

Organization Roles

Team Roles

Setting Up Teams

Create Team via Dashboard

Create Team via API

Add Members to Team

Project Access Control

Assign Project to Team

Remove Team from Project

SSO Integration

SAML Configuration

SAML Attribute Mapping

SCIM Provisioning

Auto Team Assignment

API Token Management

Create Organization Token

Token Scopes

Access Patterns

Team-Isolated Access

Cross-Team Visibility

Contractor Access

Audit Logging

Access Audit Log

Audit Events Tracked

Best Practices

Principle of Least Privilege

Team Organization

Token Hygiene

Resources