In Organization Settings > Members:

1. Invite members:
   - Click "Invite" > enter email
   - Select role: Admin, Manager, Editor, or Viewer
   - Member receives email invitation

2. Bulk management (2025+):
   - CSV export of all members
   - Sort/filter by role, activity, last login
   - Bulk role changes

3. Role assignment strategy:
   - Owners: 1-2 (billing + full admin)
   - Admins: team leads (manage members + deploy)
   - Managers: senior devs (deploy to staging)
   - Editors: developers (create + code)
   - Viewers: stakeholders (read-only access)

Enterprise plan enables custom permission groups:

1. Organization Settings > Groups
2. Create group: e.g., "Backend Team"
3. Assign permissions:
   - Access to specific Repls
   - Deployment permissions (staging only, or all)
   - AI feature access
4. Add members to group

Example groups:
- "Frontend Team": access to UI Repls, deploy to staging
- "DevOps": all Repls, deploy to production, manage secrets
- "Contractors": specific Repls only, no deployment access
- "QA": read all, deploy to staging, no production

Organization Settings > Security > SSO:

1. Choose provider:
   - Okta
   - Azure Active Directory
   - Google Workspace
   - Any SAML 2.0 compatible IdP

2. Configure SAML:
   - ACS URL: provided by Replit
   - Entity ID: provided by Replit
   - Certificate: from your IdP
   - Map IdP groups to Replit roles

3. Enable enforcement:
   - "Require SSO": blocks password-based login
   - Session timeout: recommended 12 hours
   - IdP-initiated logout support

4. Test:
   - Try login with SSO before enforcing
   - Verify role mapping works correctly
   - Test session timeout behavior

Control who can deploy and where:

Organization Settings > Deployments > Permissions:

Production deployments:
- Restrict to Admin + Owner only
- Require approval workflow (Enterprise)
- Custom domain management: Admin only

Staging deployments:
- Allow Managers and above
- Auto-deploy from staging branch

Development:
- All Editors can run in Workspace
- Dev database access for all team members

# View recent team activity
curl "https://replit.com/api/v1/teams/TEAM_ID/audit-log?limit=50" \
  -H "Authorization: Bearer $REPLIT_TOKEN" | \
  jq '.events[] | {user, action, resource, timestamp}'

# Common audit events:
# - member.invited
# - member.removed
# - member.role_changed
# - repl.created
# - repl.deleted
# - deployment.created
# - deployment.rolled_back
# - secret.created
# - secret.deleted

Enterprise audit features:
- Exportable audit logs (CSV)
- 90-day retention
- Filter by user, action, resource
- API access for SIEM integration

## Access Review Checklist (run quarterly)

1. Export member list from Organization Settings
2. Review each member:
   - [ ] Last active date within 30 days?
   - [ ] Role appropriate for current responsibilities?
   - [ ] Still on the team/project?
3. Actions:
   - Remove members not active in 30+ days
   - Downgrade over-privileged members
   - Upgrade members needing more access
4. Document changes and rationale
5. Verify SSO group mappings still accurate

Cost impact:
- Each removed seat saves $25-40/month
- Quarterly review prevents seat creep

Replit AI features (Agent, Assistant, Ghostwriter):

Organization Settings > AI Features:
- Enable/disable AI for entire organization
- Per-role AI access (Enterprise)
- Usage tracking per member

Controls:
- Agent: can create files, install packages, deploy
- Assistant: code suggestions, chat
- Ghostwriter: inline completions

Recommendation:
- Enable AI for all developers (Editors+)
- Restrict Agent deployment to Managers+
- Monitor AI usage via dashboard