> coderabbit-enterprise-rbac
Configure CodeRabbit enterprise access control, seat management, and organization policies. Use when managing who gets AI reviews, configuring organization-level defaults, or implementing access policies for CodeRabbit across teams. Trigger with phrases like "coderabbit SSO", "coderabbit RBAC", "coderabbit enterprise", "coderabbit roles", "coderabbit permissions", "coderabbit seats".
curl "https://skillshub.wtf/jeremylongshore/claude-code-plugins-plus-skills/coderabbit-enterprise-rbac?format=md"CodeRabbit Enterprise RBAC
Overview
Manage CodeRabbit AI code review access across an enterprise organization. CodeRabbit inherits repository permissions from your Git provider -- if a developer has write access to a repo and opens a PR, CodeRabbit reviews it. Enterprise controls focus on seat management, repository scoping, organization-level configuration, and review policy enforcement.
Prerequisites
- CodeRabbit Pro or Enterprise plan
- GitHub Organization admin or GitLab Group owner role
- CodeRabbit GitHub App installed on the organization
- Access to CodeRabbit dashboard at app.coderabbit.ai
Access Control Model
GitHub/GitLab Org Permissions
│
▼
┌─────────────────────────┐
│ CodeRabbit GitHub App │
│ Repository Access: │
│ ├── All repositories │ ← Reviews every PR in the org
│ └── Select repos only │ ← Reviews only selected repos
└─────────┬───────────────┘
│
▼
┌─────────────────────────┐
│ Seat Assignment │
│ ├── Active committers │ ← Auto-assigns seats to PR authors
│ └── Manual assignment │ ← Admin picks who gets seats
└─────────┬───────────────┘
│
▼
┌─────────────────────────┐
│ .coderabbit.yaml │
│ ├── Org-level defaults │ ← .github repo
│ └── Repo-level overrides│ ← Per-repo customization
└─────────────────────────┘
Instructions
Step 1: Control Repository Access
# In GitHub > Organization > Settings > Installed Apps > CodeRabbit:
Option A: "All repositories" (org-wide)
- Every repo gets AI reviews automatically
- New repos are covered immediately
- Higher seat count (every PR author = seat)
Option B: "Only select repositories" (targeted)
- Choose which repos get AI reviews
- Lower seat count
- New repos must be manually added
# Recommended: Start with Option B (select repos)
# Add repos in tiers based on risk/value
Step 2: Configure Seat Management
# In CodeRabbit Dashboard > Organization > Subscription:
1. Seat Policy Options:
- "Active committers" → Auto-assign to anyone who opens a PR
- "Manual assignment" → Admin explicitly assigns seats
2. Exclude Bot Accounts:
- dependabot[bot]
- renovate[bot]
- github-actions[bot]
- Any CI service accounts
3. Monitor Seat Usage:
- Active seats: developers who opened PRs in last 30 days
- Idle seats: no PR activity in 30+ days → candidates for removal
# Billing: ~$15/seat/month (Pro), custom (Enterprise)
# Only PR authors consume seats, not reviewers or commenters
Step 3: Set Organization-Level Defaults
# .github/.coderabbit.yaml (in the .github repo)
# Applied to ALL repos unless overridden by repo-level config
language: "en-US"
reviews:
profile: "assertive"
request_changes_workflow: false
high_level_summary: true
review_status: true
poem: false
sequence_diagrams: true
auto_review:
enabled: true
drafts: false
ignore_title_keywords:
- "WIP"
- "DO NOT MERGE"
- "chore: bump"
path_filters:
- "!**/*.lock"
- "!**/*.snap"
- "!**/generated/**"
- "!dist/**"
- "!vendor/**"
# Organization-wide coding standards
path_instructions:
- path: "**"
instructions: |
Org-wide rules:
1. Flag hardcoded secrets, API keys, or credentials
2. Check for proper error handling (no empty catch blocks)
3. Verify input validation on API endpoints
chat:
auto_reply: true
Step 4: Team-Specific Repository Overrides
# .coderabbit.yaml in a specific repo (overrides org defaults)
reviews:
profile: "assertive" # Can override org default
request_changes_workflow: true # This repo requires CR approval
auto_review:
enabled: true
base_branches:
- main # Only review PRs targeting main
drafts: false
path_instructions:
- path: "src/auth/**"
instructions: |
SECURITY-CRITICAL path. Check for:
- Auth bypass vulnerabilities
- Injection attacks
- Improper session handling
- Token validation gaps
- path: "src/payments/**"
instructions: |
PCI-SENSITIVE path. Check for:
- Credit card data handling
- Proper encryption usage
- Audit logging of financial operations
- path: "migrations/**"
instructions: |
Verify: backward compatibility, rollback safety,
no data loss on down migration.
Step 5: Audit Review Activity
set -euo pipefail
ORG="${1:-your-org}"
echo "=== CodeRabbit Org-Wide Review Audit ==="
echo "Organization: $ORG"
echo ""
# List repos with CodeRabbit installed
echo "--- Repos with CodeRabbit ---"
for REPO in $(gh repo list "$ORG" --limit 50 --json name --jq '.[].name'); do
INSTALLED=$(gh api "repos/$ORG/$REPO/installation" --jq '.app_slug' 2>/dev/null || echo "none")
if [ "$INSTALLED" = "coderabbitai" ]; then
# Count recent reviews
REVIEWS=$(gh api "repos/$ORG/$REPO/pulls?state=closed&per_page=10" --jq '.[].number' 2>/dev/null | \
head -5 | xargs -I{} gh api "repos/$ORG/$REPO/pulls/{}/reviews" \
--jq '[.[] | select(.user.login=="coderabbitai[bot]")] | length' 2>/dev/null | \
awk '{sum+=$1} END {print sum+0}')
echo " $REPO: $REVIEWS reviews (last 5 PRs)"
fi
done
Step 6: Enterprise SSO and Compliance
# CodeRabbit Enterprise plan includes:
1. SSO Integration:
- GitHub Enterprise Cloud SSO (SAML)
- GitLab SAML SSO
- Automatic seat provisioning via SCIM
2. Data Residency:
- Code is processed and not stored (ephemeral analysis)
- Review comments stored in your Git provider (GitHub/GitLab)
- CodeRabbit learnings stored on CodeRabbit servers
- SOC 2 Type II certified
3. Compliance Features:
- Audit logs available in enterprise dashboard
- Data processing agreement (DPA) available
- Custom data retention policies
- IP allowlisting for self-hosted GitLab
# Contact: enterprise@coderabbit.ai for custom plans
Output
- Repository access scoped to appropriate repos
- Seat management configured with bot exclusions
- Organization-level defaults deployed
- Team-specific review policies applied
- Audit script for review activity monitoring
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| CodeRabbit not reviewing PRs | App not installed on repo | Add repo in GitHub App settings |
| Seat limit exceeded | Too many active committers | Remove inactive users or upgrade plan |
| Org config not applying | No .github repo in org | Create .github repo with .coderabbit.yaml |
| Repo config ignored | YAML syntax error | Validate YAML, check with @coderabbitai configuration |
| Bot consuming seats | Bot opens PRs | Exclude bot usernames in seat management |
Resources
Next Steps
For cost optimization, see coderabbit-cost-tuning.
> related_skills --same-repo
> fathom-cost-tuning
Optimize Fathom API usage and plan selection. Trigger with phrases like "fathom cost", "fathom pricing", "fathom plan".
> fathom-core-workflow-b
Sync Fathom meeting data to CRM and build automated follow-up workflows. Use when integrating Fathom with Salesforce, HubSpot, or custom CRMs, or creating automated post-meeting email summaries. Trigger with phrases like "fathom crm sync", "fathom salesforce", "fathom follow-up", "fathom post-meeting workflow".
> fathom-core-workflow-a
Build a meeting analytics pipeline with Fathom transcripts and summaries. Use when extracting insights from meetings, building CRM sync, or creating automated meeting follow-up workflows. Trigger with phrases like "fathom analytics", "fathom meeting pipeline", "fathom transcript analysis", "fathom action items sync".
> fathom-common-errors
Diagnose and fix Fathom API errors including auth failures and missing data. Use when API calls fail, transcripts are empty, or webhooks are not firing. Trigger with phrases like "fathom error", "fathom not working", "fathom api failure", "fix fathom".