From truefoundry
Manages TrueFoundry roles, teams, and collaborators. Create custom roles, organize users into teams, and grant access to resources. Use when managing permissions, creating teams, or adding collaborators.
Slash command: `/truefoundry:access-control`
> Routing note: For ambiguous user intents, use the shared clarification templates in [references/intent-clarification.md](references/intent-clarification.md).
Manage TrueFoundry roles, teams, and collaborators. Roles define permission sets, teams group users, and collaborators grant access to specific resources.
List, create, or delete roles, teams, and collaborators on TrueFoundry. Use when managing permissions, organizing users into teams, or granting/revoking access to workspaces, applications, MCP servers, or other resources.
Roles are named permission sets scoped to a resource type. Built-in roles vary by resource type (for example, workspace-admin, workspace-member).
When using the direct API, set `TFY_API_SH` to the full path of this skill's `scripts/tfy-api.sh`. See `references/tfy-api-setup.md` for paths per agent.
```
tfy_roles_list()
```

```bash
# Set the path to tfy-api.sh for your agent (example for Claude Code):
TFY_API_SH=~/.claude/skills/truefoundry-access-control/scripts/tfy-api.sh

# List all roles
$TFY_API_SH GET /api/svc/v1/role/list
```
Roles:
| Name | ID | Resource Type | Permissions |
|-------------------|----------|---------------|-------------|
| workspace-admin | role-abc | workspace | 12 |
| workspace-member | role-def | workspace | 5 |
| custom-deployer | role-ghi | workspace | 3 |
```
tfy_roles_create(payload={"name": "custom-deployer", "displayName": "Custom Deployer", "description": "Can deploy apps", "resourceType": "workspace", "permissions": ["deploy:create", "deploy:read"]})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH PUT /api/svc/v1/role '{"name":"custom-deployer","displayName":"Custom Deployer","description":"Can deploy apps","resourceType":"workspace","permissions":["deploy:create","deploy:read"]}'
```

```
tfy_roles_delete(id="ROLE_ID")
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/role/ROLE_ID
```
Teams group users for collective access management. Each team has a name, description, and members list.
```
tfy_teams_list()
tfy_teams_list(team_id="TEAM_ID") # get specific team
```

```bash
# List teams for the current user
$TFY_API_SH GET /api/svc/v1/teams/user

# Get a specific team
$TFY_API_SH GET /api/svc/v1/teams/TEAM_ID
```
Teams:
| Name | ID | Members |
|---------------|----------|---------|
| platform-team | team-abc | 5 |
| ml-engineers | team-def | 8 |
```
tfy_teams_create(payload={"name": "platform-team", "description": "Platform engineering team"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH PUT /api/svc/v1/teams '{"name":"platform-team","description":"Platform engineering team"}'
```

```
tfy_teams_delete(id="TEAM_ID")
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/teams/TEAM_ID
```
Security: Granting collaborator access is a privileged operation. Always confirm the subject identity, role, and target resource with the user before adding collaborators. Do not grant access based on unverified external identity references.
Authorization endpoints manage who has access to resources. Subjects (users, teams, service accounts) are granted roles on specific resources (workspaces, applications, MCP servers, etc.).
Subjects follow the pattern type:identifier:
| Subject Type | Format | Example |
|---|---|---|
| User | user:email | user:[email protected] |
| Team | team:slug | team:platform-team |
| Service Account | serviceaccount:name | serviceaccount:ci-bot |
| Virtual Account | virtualaccount:name | virtualaccount:shared-admin |
| External Identity | external-identity:name | external-identity:github-bot |
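
The security note and subject table above, turned into a pre-flight check (an added example, not part of the TrueFoundry skill): it validates the subject against the five documented types, refuses `external-identity` subjects until the operator marks them verified, and prints the request for human review instead of sending it. The allowed character sets, the function names and the `EXTERNAL_ID_VERIFIED` variable are assumptions of this example; the sample values are constructed.

```shell
#!/bin/sh
# Added example (not TrueFoundry code): pre-flight check for a collaborator grant.
LC_ALL=C; export LC_ALL   # byte-exact ranges in the bracket patterns below

# validate_subject SUBJECT: succeed only for the page's five "type:identifier" forms.
# ASSUMPTION: the allowed characters per type are this example's choice.
validate_subject() {
  s_type=${1%%:*}
  s_id=${1#*:}
  [ "$s_type" != "$1" ] || return 1                 # no colon at all
  case $s_type in
    user)
      case $s_id in
        *[!A-Za-z0-9._%+@-]*|*@*@*) return 1 ;;     # stray character or second '@'
        ?*@?*.?*) return 0 ;;                       # loose local@domain.tld shape
        *) return 1 ;;
      esac ;;
    team|serviceaccount|virtualaccount|external-identity)
      case $s_id in
        ''|*[!a-z0-9._-]*) return 1 ;;              # empty, or anything but slug chars
        *) return 0 ;;
      esac ;;
    *) return 1 ;;                                  # unknown subject type
  esac
}

# preflight_grant RESOURCE_TYPE RESOURCE_ID SUBJECT ROLE_ID
# Prints the request for human review instead of sending it.
# Return codes: 2 bad path/role value, 3 bad subject, 4 unverified external identity.
preflight_grant() {
  for v in "$1" "$2" "$4"; do                       # values placed in the URL path or JSON
    case $v in
      ''|*[!A-Za-z0-9_-]*) echo "refused: unsafe resource or role value" >&2; return 2 ;;
    esac
  done
  validate_subject "$3" || { echo "refused: invalid subject format" >&2; return 3; }
  case $3 in
    external-identity:*)                            # EXTERNAL_ID_VERIFIED is hypothetical
      [ "${EXTERNAL_ID_VERIFIED:-0}" = 1 ] ||
        { echo "refused: external identity not verified" >&2; return 4; } ;;
  esac
  # Interpolation is safe here: quotes, backslashes and whitespace were rejected above.
  printf '%s POST /api/svc/v1/authorize/%s/%s '\''{"subject":"%s","roleId":"%s"}'\''\n' \
    '$TFY_API_SH' "$1" "$2" "$3" "$4"
}

# Constructed sample values, mirroring the page's placeholders.
preflight_grant workspace WORKSPACE_ID team:ml-engineers ROLE_ID
```

Because the subject is whitelisted before it is placed in the JSON body, a value such as `team:x","roleId":"other` is rejected rather than rewriting the payload.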
```
tfy_collaborators_list(resource_type="workspace", resource_id="RESOURCE_ID")
```

```bash
# List collaborators on a workspace
$TFY_API_SH GET /api/svc/v1/authorize/workspace/RESOURCE_ID

# List collaborators on an MCP server
$TFY_API_SH GET /api/svc/v1/authorize/mcp-server/RESOURCE_ID
```
Collaborators on workspace "prod-workspace":
| Subject | Role |
|---------------------------|------------------|
| user:[email protected] | workspace-admin |
| team:platform-team | workspace-member |
| serviceaccount:ci-bot | workspace-member |
```
tfy_collaborators_create(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:[email protected]", "roleId": "ROLE_ID"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH POST /api/svc/v1/authorize/workspace/RESOURCE_ID '{"subject":"user:[email protected]","roleId":"ROLE_ID"}'
```

```
tfy_collaborators_update(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:[email protected]", "roleId": "NEW_ROLE_ID"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH PUT /api/svc/v1/authorize/workspace/RESOURCE_ID '{"subject":"user:[email protected]","roleId":"NEW_ROLE_ID"}'
```

```
tfy_collaborators_delete(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:[email protected]"})
```

Note: Requires human approval (HITL) via tool call.

```bash
$TFY_API_SH DELETE /api/svc/v1/authorize/workspace/RESOURCE_ID '{"subject":"user:[email protected]"}'
```

```bash
# Check if a user has access to a resource
$TFY_API_SH POST /api/svc/v1/authorize/check-access '{"resourceType":"workspace","resourceId":"RESOURCE_ID","subject":"user:[email protected]","action":"deploy:create"}'
```
workspace-admin or workspace-member)

```bash
# 1. Find the role ID
$TFY_API_SH GET /api/svc/v1/role/list

# 2. Add collaborator
$TFY_API_SH POST /api/svc/v1/authorize/workspace/WORKSPACE_ID '{"subject":"user:[email protected]","roleId":"ROLE_ID"}'
```

```bash
# 1. Create team
$TFY_API_SH PUT /api/svc/v1/teams '{"name":"ml-engineers","description":"ML engineering team"}'

# 2. Grant team access to a workspace (use team slug as subject)
$TFY_API_SH POST /api/svc/v1/authorize/workspace/WORKSPACE_ID '{"subject":"team:ml-engineers","roleId":"ROLE_ID"}'
```
List all collaborators to see who has access and with what role:
```bash
$TFY_API_SH GET /api/svc/v1/authorize/workspace/WORKSPACE_ID
```
status skill to verify credentials before managing access control

Role ID not found. List roles first to find the correct ID.
Team ID not found. List teams first to find the correct ID.
Cannot manage access control. Check your API key permissions — admin access may be required.
Collaborator with this subject and role already exists on the resource. Use a different role or remove the existing collaborator first.
Invalid subject format. Use the pattern "type:identifier" — e.g., user:[email protected], team:platform-team, serviceaccount:ci-bot.
Resource not found. Verify the resourceType and resourceId are correct. List the resources first to confirm.
Built-in roles cannot be deleted. Only custom roles can be removed.
npx claudepluginhub truefoundry/tfy-deploy-skills --plugin truefoundry