Reference Packet

This packet answers how a Claude Enterprise admin manages users, permissions, and security, for IT teams evaluating or rolling out Claude Enterprise. It's a direct extraction of the relevant Claude Help Center & Privacy Center articles (real text and live links, not screenshots), fetched 2026-07-13.

1. Roles and Permissions

Open source article ↗

What an individual can see and do in their Team or Enterprise plan account is dictated by their role. Roles are provisioned with the following permissions.

Important notes about the Primary Owner role:

  • Team and Enterprise organizations can only have one Primary Owner.

  • The Primary Owner seat uses one of your plan's licenses.

  • Your organization's Primary Owner can be a service account that isn't tied to an individual user.

  • If you're unsure of your organization's Primary Owner, you can check by going to Settings > Account.

About custom roles (Enterprise plans only): Enterprise plans support custom roles, which let you control feature access at the group level. Members with roles set to “Custom” have no default permissions—their access is determined entirely by the custom roles assigned to their groups. Because these members have no built-in permissions, they don't appear in the tables below.

To learn more, refer to the following articles:

Billing

User

Admin

Owner

Primary Owner

View/pay for invoices

Add/modify billing methods

Provision new seats

Chat Controls

User

Admin

Owner

Primary Owner

Create and modify chats

Use projects

Features and Integrations

User

Admin

Owner

Primary Owner

Enable native integrations

Enable custom integrations

Enable capabilities

Enable public projects

Membership Management

User

Admin

Owner

Primary Owner

Invite new members

Remove members/cancel invitations

Invite/remove new Admins/Owners

Modify roles

Prioritized Support Routing (Enterprise plan only)

User

Admin

Owner

Primary Owner

Prioritized Support routing

Security and Data Controls (Team and Enterprise plans)

User

Admin

Owner

Primary Owner

Request data exports

Request Primary Ownership transfers

Security and Data Controls (Enterprise plan only)

User

Admin

Owner

Primary Owner

Manage SSO / auth

Request audit logs

Manage data retention controls

Manage

feedback settings

Usage Analytics (Enterprise plans)

User

Admin

Owner

Primary Owner

View usage analytics

Usage Analytics (Team plans)

User

Admin

Owner

Primary Owner

View usage analytics

↑ Back to top

2. Set Up Role-Based Permissions on Enterprise Plans

Open source article ↗

This guide walks you through setting up role-based permissions for your Enterprise organization. This lets you control which features and connectors specific teams or groups of members can access, and delegate specific admin access like billing or user management, rather than giving everyone the same permissions.

Before you start, make sure you're familiar with:


Before you begin

You'll need Owner or Primary Owner access to your Enterprise organization, or a custom role with Identity & Access set to Manage.

Note: Some of these steps require more than the Identity & Access custom role: enabling features at the organization level requires the Owner role, and changing member roles requires User Management set to Manage.

Check which capabilities are enabled at the org level. Go to Organization settings and ensure you know which capabilities members can access currently. For settings managed by RBAC, both the org setting and role setting are required to be on for users to get access.

Back up your member list. Export a CSV of your current members from Organization settings > Members before making any changes. If something goes wrong during migration, this gives you a reference to restore access. See Manage members on Team and Enterprise plans.

Determine which teams or functions need each capability. For example, Engineering gets Claude Code + Fast Mode and Marketing gets Cowork + Web Search. From here, define your custom roles.

Dual-seat plans. If your organization is on a dual-seat Enterprise plan (with Chat and Chat + Claude Code seats), custom roles don't override seat-level restrictions. A member assigned to a Chat-only seat can't access Claude Code even if their custom role grants it. The same applies in reverse: if a member's custom role doesn't grant the chat capability, they won't have chat access regardless of their seat type. Plan your role structure with seat assignments in mind.

Note: "Chat + Claude Code" refers to a seat type on legacy dual-seat plans. The "chat" capability in custom roles is separate—it governs chat access for any member whose role is set to "Custom" on any plan.

Decide how you'll create groups. You can create groups manually in Claude, or sync them from your identity provider (IdP) via SCIM. You can also use both methods simultaneously. If you plan to use IdP groups from Okta, Entra ID, or another provider, make sure SCIM directory sync is configured. See Set up JIT or SCIM provisioning.

Add the connectors you plan to govern. Connector permissions only cover connectors that an Owner or Primary Owner has already added under Organization settings > Connectors and connected with admin credentials. Review your organization-wide tool policy there as well, since role grants narrow within it and can’t widen past it. See Use connectors to extend Claude’s capabilities.


Planning your role structure

Before creating anything, decide which features each team or group of members should have access to. Here are four common patterns:

Base plus additive roles

This is the recommended approach for most organizations. Create a "Standard Access" role for everyone with common features like web search, memory, and projects. Then create additive roles that grant specific capabilities — for example, a "Cowork Enabled" role that only adds Cowork. Assign all members to the base role through an "All Users" group, and add specific members to additional groups that layer on extra features.

This pattern is flexible because permissions are additive — combining a base role with additive roles composes cleanly without conflicts.

Tier-based roles

Create distinct tiers: "Full Access" with all features, "Standard Access" with most features, and "Restricted Access" with minimal features. Each member goes into exactly one group assigned to one tier.

Department-based roles

Create roles that map to departments: "Engineering" with chat, Cowork, Claude Code, and code execution; "Research" with chat, web search, memory, and projects; "Business" with chat, web search and projects only. Assign each department group to its corresponding role.

Admin delegation roles

Create roles that delegate parts of administration without granting the Owner role. A custom role with admin permissions does not need any user capabilities, and vice versa. You could create a "Finance" role that grants Billing access but no chat or Claude Code capability, or an "Engineering Lead" role that grants Claude Code plus Analytics view access. Learn more about admin permissions for custom roles.


Step 1: Audit your current settings

  1. Review which features are currently enabled or disabled at the organization level in Organization settings > Capabilities.

  2. Go to Organization settings > Members to export or review your member list.

  3. Note each member's current built-in role (User, Admin, or Owner).

  4. For each team or department, decide which features they need access to.

Image of the Organization settings page in Claude, with a box around the People section which contains three options: Members, Groups, and Roles.

Remember: any feature you want to control per-group must be enabled at the organization level. If a feature is toggled off at the organization level, no custom role can grant access to it.

Important: Unlike members with the User role, members assigned to custom roles don't automatically inherit organization-enabled capabilities. Every capability a "Custom" role member needs must be explicitly granted by a custom role assigned to one of their groups.


Step 2: Create custom roles

Create your custom roles before enabling any features or migrating members. This ensures your roles are ready to enforce access the moment features turn on.

  1. Click "Add role."

  2. Name the role and toggle the appropriate capabilities on the Capabilities tab.

  3. On the Permissions tab, set admin permissions for the role. See Step 3.

  4. On the Connectors tab, set connector permissions for the role. See Step 4.

  5. On the Models tab, set model access and a default model for the role. See Step 5.

  6. Click "Save role."

  7. Repeat for each role in your plan.

Role changes may take up to 15 minutes to take effect. Members may need to refresh their browser to see updated access.

See Manage custom roles on Enterprise plans for details on available capabilities, admin permissions, and connectors.


Step 3: Configure admin permissions (optional)

Set admin permissions on each role to delegate access to admin settings, like billing, user management, or privacy, without granting the Owner role. This step is optional. If you don't configure it, roles grant no admin access and administration stays with Owners and Primary Owners. For what each permission area covers, see Manage custom roles on Enterprise plans.

Locate the Permissions tab

  1. Open an existing role, or click “Add role” to create one.

  2. Select the Permissions tab, between Capabilities and Connectors.

Set admin permissions

The Permissions tab lists each admin area: Identity & Access, Billing, Analytics, Privacy, User Management, and Libraries. Set each admin area to one of the following options:

  • No access: The member doesn't see this area in their organization settings.

  • Can view: View grants read-only access. The member sees the same pages and settings as someone who can manage that area, but every control is disabled or shown as read-only. Use this permission level for compliance reviewers, finance auditors, security teams, or anyone who needs to see the configuration without changing it.

  • Can manage: Manage grants full read and write access to the area and includes view access.

Within an area, you grant all of View or all of Manage. You can't grant or restrict individual pages or settings.

Note: A role with Identity & Access set to Manage can create and edit groups and roles, including its own role definition. Members with this permission can expand their own access, so reserve it for trusted security and IT administrators.

Verify enforcement

Verify admin permissions after you’ve migrated members to "Custom" roles (Step 7). See Step 11: Verify and monitor.


Step 4: Configure connector permissions (optional)

Set connector permissions on each role to control which connectors, and which tools on those connectors, the role can use. This step is optional. If you don’t configure it, your roles fall back to the default behavior described below. For how the permission model works end to end, see Manage custom roles on Enterprise plans.

Important: When Anthropic enables connector permissions for your organization, every existing custom role is seeded with the “All connectors” grant at “Always allow.” Because “Always allow” is the most permissive grant, your organization-wide tool policy alone determines each member’s effective ceiling at enablement. Members neither gain nor lose access at enablement. Your first configuration pass narrows from that baseline.

Note: A newly created role defaults to “Needs approval” on every connector. The create-role flow steps through the Connectors tab so you see this default before saving. Raise a connector to “Always allow” or lower it to “Blocked” as needed.

Locate the Connectors tab

  1. Open an existing role, or click “Add role” to create one.

  2. Select the Connectors tab, next to Permissions.

The default settings for new roles are permissive. When creating or modifying a role, confirm the settings on each tab to avoid granting unintended permissions.

Set connector-level permissions

The Connectors tab lists an All connectors row at the top, followed by every connector your organization has added. Each row has a dropdown with four options:

  • Always allow: Every tool on the connector is available, and members can set their own approval to “Always allow.”

  • Needs approval: Every tool is available, but members confirm each call.

  • Blocked: The connector is hidden from members with this role.

  • Custom: Set each tool on the connector individually. See “Set per-tool permissions” below.

Choosing “Always allow,” “Needs approval,” or “Blocked” applies that level to every tool on the connector. The All connectors row works the same way one level up: it sets a baseline for every connector at once, including any connector you add later. Use it to set a role’s default, then override individual connectors.

Set per-tool permissions

Set a connector to Custom to reveal its tools as individual rows. Each tool has its own dropdown: “Always allow,” “Needs approval,” or “Blocked.”

Per-tool permissions let a role reach part of a connector. For example, with Jira set to Custom, its search_issues tool set to “Needs approval,” and every other Jira tool set to “Blocked,” members with the role can search Jira but nothing else. Claude only sees the tools you’ve granted, so asking it to create a ticket returns “I don’t have a tool for that” rather than an error.

Review cross-role conflicts

Because connector permissions are additive across roles, blocking a connector in one role has no effect on a member who also holds another role that grants it. Each connector row shows a warning when other roles grant the same connector at a different level. The warning names those roles and links to them, and the most permissive grant is the one that applies.

If you have unsaved edits when you open a linked role, you’re asked to discard them first.

Verify enforcement

Verify connector permissions after you’ve migrated members to "Custom" roles (Step 7). See Step 11: Verify and monitor.

Important: If your organization uses Claude Code, enabling connector permissions also applies your organization-wide tool policy to Claude Code. This can only narrow tool access there, never widen it, and it affects all members. Review your organization-wide tool policy before enablement if Claude Code is widely deployed. Connector permissions and Claude Code Managed Settings compose by most-restrictive. See Claude Code settings.


Step 5: Configure model access (optional)

Set model access on each role to control which Claude models the role can use, cap the maximum effort level per model, and choose the model new conversations start on. This step is optional; if you don't configure it, new roles can use every model that's enabled at the organization level, at any effort level, and start on the organization default model.

For how the model access and default model settings work end to end, see Manage model access for your organization and Set a default model for your organization.

Locate the Models tab

  1. Open an existing role, or click "Add role" to create one.

  2. Select the Models tab, next to Connectors.

Set model access

Under Model access, switch each model on or off for this role. Models disabled at the organization level appear but can't be enabled here until you turn them on for the organization in Organization settings > Models. Haiku models are always on and can't be disabled.

To cap the effort level a role can select on a model, click the gear icon next to the model and choose a level.

Under Default model, optionally select the model new conversations start on for this role. Only models the role has access to can be selected.

Verify enforcement

Verify model access after you've migrated members to "Custom" roles. See Step 11: Verify and monitor.


Step 6: Create groups and assign roles

  1. Click “Add group” to create a group for each team or tier in your plan.

  2. Add members to the appropriate groups.

  3. Assign each group to the custom roles you created in step 2.

If you use SCIM directory sync, you can sync groups from your identity provider instead of creating them manually. For details on SCIM group sync, see Manage groups and group spend limits on Enterprise plans.

Multiple organizations under the same parent organization: Groups are managed at the parent organization level and propagate to all child organizations. You may see members from other organizations listed in a group—this doesn't mean they have access to your organization. Custom roles assigned to a group only grant capabilities to members who are part of your specific organization.

If you request to move an organization from one parent to another (this is rare in practice), groups and roles will become undefined and you will need to re-create them.

Important: If your organization uses Invite only or JIT provisioning, you can only use manually created groups for RBAC. SCIM-synced groups aren't supported in these modes.


Step 7: Verify group and role assignments

Before migrating members to custom roles, confirm that every member you plan to migrate is in at least one group assigned to a custom role. Members who are migrated without group or role coverage will lose access to all governed features.

  1. Use the Role and Group filters to identify members who aren't assigned to any group.

  2. Alternatively, click "Export CSV" to download the full member list with role and group columns for review.

  3. Add any unassigned members to the appropriate groups before continuing.


Step 8: Migrate members to custom roles

For custom role capabilities to take effect, members must have their role set to "Custom." Members with the User, Admin, or Owner roles get their permissions from those roles directly, not from custom roles.

Important: Complete this step only after you’ve created your custom roles, configured admin and connector permissions if you’re using them, created your groups, and verified all members are assigned to groups. Members moved to custom roles before setup is complete will immediately lose access to all governed features and their previous role. Switching an Owner or Admin to custom roles removes their Owner or Admin access, so don't migrate Owners or Admins unless you intend to replace that access with custom role permissions.

Choose the migration path based on whether your organization already enabled group mappings:

Path A: Enable group mappings (only if already in use)

Use this path only if your organization already enabled group mappings for role assignment. If you aren't already using this setting, skip to Path B.

  1. In the role mappings section, assign the IdP groups you want governed by custom roles to the "Custom" role.

  2. Save your changes. Members in those IdP groups are migrated to "Custom" roles on the next sync.

Members in IdP groups mapped to "Custom" roles follow the permissions of the custom roles assigned to their groups in Claude. Members in IdP groups mapped to User follow the organization-level capability settings. If a member is in groups across both mappings, "Custom" roles take precedence.

Path B: Bulk assignment tool

Use this path if your organization hasn’t enabled group mappings.

Warning: If you didn’t already enable group mappings, do not enable it during RBAC setup. Enabling it without first assigning all members to mapped groups can result in members losing access to your organization.

  1. Use the Role and Group filters to select the members you want to migrate.

  2. Use the bulk assignment tool in the Members table to change the selected members' role to "Custom."

We recommend migrating a pilot group first—one team or department—and verifying their access is correct before expanding to the rest of the organization.

Gradual rollout

Whichever path you use, we recommend migrating in stages:

  1. Start with a pilot group of one team or department.

  2. After migration, verify the pilot group has the correct feature access based on their group and role assignments.

  3. If something isn't right, switch the affected members back to their previous role while you adjust.

  4. Expand to more members once you've confirmed the setup works.


Step 9: Enable features at the organization level

Only enable organization-level features after roles, groups, and member migration are complete. This ensures custom role capabilities are already in place, with no window where unauthorized members could access a feature.

For any feature you want to control per-group:

  1. Navigate to the feature's settings page in Organization settings (for example, Organization settings > Cowork).

  2. Enable the feature at the organization level.

Enabling a feature at the organization level doesn't mean everyone gets it—custom role permissions are already in place to control who can use it. Think of the organization-level toggle as making the feature "available for role-based assignment" rather than "on for everyone."


Step 10: Apply a group spend limit (usage-based orgs only)

Navigate to the “Usage” page to assign a per-user monthly spend limit to any group.

Note the following precedence rules:

  • Individual limits always override group limits, regardless of which is higher.

  • If a user belongs to multiple groups with different limits, the Multi-group spend limit setting under Spending defaults controls whether the higher or lower limit applies.

  • Org-wide limits remain the hard ceiling.

Membership changes take effect automatically—users inherit or lose limits as soon as their group membership changes. Relevant only for usage-based billing orgs.


Step 11: Verify and monitor

  1. Spot-check access: Open the "⋮" menu on a the right side of a member's row in Organization settings > Members and select "View effective role." The modal shows every capability, admin permission, and connector the member has across all their roles, with a "Granted by" label naming which role provides each one. You can do the same for a group from Organization settings > Groups. For details, see Manage custom roles on Enterprise plans.

  2. Test the restricted state: Log in as (or ask) a member who should not have a feature like Cowork. They should see it greyed out with the message "Contact your admin to request access to this feature."

  3. Test the granted state: Confirm a member who should have the feature sees it working normally.

  4. Check edge cases: Test members in multiple groups, members with no group, and new members joining via SSO.

If you configured admin permissions, also check:

  • Group and role assignments: Owners can verify a member's access by checking their group assignments on the Members page and the roles those groups are assigned to on the Roles page.

  • Organization settings: In organization settings, the member only sees the sections their admin permissions cover. Everything else is hidden from their settings. Members with view access see pages as read-only, with controls disabled.

  • Analytics access: Members with Analytics access will view analytics in Settings > Analytics, not organization settings.

If you configured connector permissions, also check:

  • Connector menu: blocked connectors don’t appear, and connectors with at least one granted tool do.

  • Connector settings: blocked tools are grayed out with “This tool is not enabled for your role. Contact your administrator.” Tools capped at “Needs approval” show a personal approval menu limited to “Ask” and “Never.”

  • In a conversation: ask Claude to use a blocked tool, and it reports it has no tool for the task. Ask it to use a “Needs approval” tool, and the approval prompt appears without an “Always allow” option.

If you configured model access, also check:

  • Model picker: disabled models don't appear, and the effort menu stops at the role's cap.

  • In a conversation: ask the member to switch to a disabled model. It shouldn't be listed, and in Claude Code CLI, /model <disabled-model> returns an error.

Role changes may take up to 15 minutes to take effect across the platform. Members may need to refresh their browser to see updated access.


Using SCIM with role-based capabilities

SCIM connects to your role-based capabilities through two mechanisms that work together.

IdP group-to-role mapping

This controls which built-in role a member gets when they're provisioned. Map your IdP groups to "Custom" roles so that new members' access is automatically governed by custom role capabilities.

  1. In the role mappings table, map your IdP groups to "Custom" roles.

Group sync

This pulls your IdP groups into Claude so they can be assigned to custom roles.

  1. Click “Check for updates” in the SCIM sync section.

  2. When prompted to sync Groups, Members, or Both, select Groups only. Syncing Members can affect provisioning and member access.

  3. Your IdP groups appear as SCIM-sourced groups in the list.

  4. Assign SCIM groups to custom roles just like manually created groups.

  5. In your IdP, only push the groups you actually intend to use for RBAC or spend limits. Syncing all IdP groups can slow page loads in the Groups section.

Note: Custom role permissions only apply to members with "Custom" roles selected in Organization settings > Members. If you map an IdP group to a different role (like User) through the group-to-role mapping but assign that same SCIM group to a custom role, the custom role's permissions have no effect—the member gets their permissions from their assigned role instead. To use custom roles, make sure the IdP group is mapped to "Custom."

Ongoing management with SCIM

  • To grant a member access to a feature, add them to the appropriate IdP group. On the next sync, they pick up the custom role assigned to that group.

  • To revoke access, remove them from the IdP group. On the next sync, the permission is removed.

  • Click “SCIM sync” in the Groups section to force an immediate sync rather than waiting for the next scheduled sync.


Rollback plan

If you notice your role structure is misconfigured after migration:

  1. Turn off any organization-level features that were enabled as part of the migration.

  2. Change affected members back to their previous built-in role (for example, User).

  3. They immediately regain the static permissions from that role, and custom role permissions stop applying.

  4. Adjust roles and groups as needed, then re-migrate.

If you enabled group mappings during setup and lost admin access, follow the recovery steps in Set up JIT or SCIM provisioning under "I lost Admin/Owner access after enabling group mappings."


Frequently asked questions

Do I need to enable a feature at the organization level if I only want some members to have it?

Yes. The organization-level toggle must be on for custom roles to control per-member access. If a feature is off at the organization level, no one can access it regardless of their role. Think of it as a main switch—custom roles control who gets access underneath it.

What happens if a member whose role is set to "Custom" isn't in any groups?

They have no custom role permissions, so all features that require permissions are greyed out or hidden. Make sure every member whose roles is set to "Custom" is in at least one group that's assigned to a custom role.

A model is missing from a member's model picker.

Either the model is disabled at the organization level (Organization settings > Models) or none of the member's custom roles grant it. Org-level disables affect everyone, including Owners and Admins.

What if a custom role doesn't grant chat access?

Members in that role won't see Claude's chat interface. They'll land on their settings page when they sign in. If their role grants other products like Cowork or Claude Code, those remain accessible from their settings page and from the relevant apps.

Chat is enabled by default in all custom roles, so you only need to worry about this if you intentionally toggled chat off for a role.

Can I use both built-in and custom roles?

Yes. Members with the User, Admin, or Owner roles are unaffected by custom role permissions because they get their permissions from those roles directly. Only members with a role set to "Custom" are controlled by the group-and-role system. This allows gradual migration.

What if a member is in two groups with different roles?

Permissions are additive. If any role in a member's chain grants a feature, they have it. You can't use a role to remove a permission granted by another role.

Can I use SCIM groups and manual groups together?

Yes. Both types can be assigned to custom roles. The difference is that SCIM group membership is managed in your identity provider, while manual group membership is managed in Claude's organization settings.

Are Owners and Primary Owners affected by custom role permissions?

No. Owners and Primary Owners always have full access to all features.

How does this work across parent and child organizations?

Groups and SCIM sync are managed at the parent organization level and shared across all child organizations. Role and spend limit assignments are configured independently in each child organization—changes in one child organization don't affect others. Group membership changes and SCIM resyncs propagate across all child organizations under the same parent.

What happens to my existing custom roles when connector permissions are enabled?

Each existing role is seeded with the “All connectors” grant at “Always allow,” so members’ access doesn’t change at enablement. You narrow access from there.

What’s the default connector permission on a new role?

“Needs approval” on every connector. The create-role flow steps through the Connectors tab so you see this before saving.

What happens when I add a new connector after my roles exist?

A role whose “All connectors” row is set to “Always allow,” “Needs approval,” or “Blocked” covers the new connector at that level automatically. A role whose “All connectors” row is set to “Custom” treats the new connector as “Blocked” until you set it.

I blocked a connector in a role, but a member with that role can still use it. Why?

Check whether the member holds another role that grants it, since the most permissive grant wins across roles. The conflict warning on the connector row lists those roles. Also confirm the member’s role is set to "Custom."

My organization-wide tool policy already blocks a tool. Do I need to block it in every role?

No. The organization-wide policy is the ceiling. A tool blocked there is blocked for everyone, regardless of role grants.

Can a role grant a tool that the organization-wide policy sets to “Needs approval”?

The role can grant it, but the stricter setting wins, so members see it capped at “Needs approval.” To let members set “Always allow,” raise the organization-wide policy to “Always allow” first.

Can I grant one tool on a connector without granting the whole connector?

Yes. Set the connector to “Custom,” set the one tool to “Always allow” or “Needs approval,” and leave the rest “Blocked.”

Do connector permissions apply to built-in tools like web search or code execution?

No. Built-in features are governed on the Capabilities tab. The Connectors tab governs connectors your organization has added.

How quickly do connector permission changes take effect?

Role changes may take up to 15 minutes to take effect. Members may need to refresh their browser.

Can someone in a custom role with permissions give themselves more access?

Only if their role includes Identity & Access set to Manage, which covers editing roles and groups. Reserve that permission for trusted security and IT administrators, since it can be used to change role definitions including their own.

Can I give admin permissions to a member on the User, Admin, Owner, or Primary Owner role?

No. Admin permissions only apply to members in a custom role. Members on a built-in role keep the access that role grants. To give someone specific admin permissions, change the member to a custom role and add them to a group assigned to a role with the permissions they need. Keep in mind this removes their previous built-in role access.

What does someone see when they don’t have permissions for a certain setting?

Organization settings only shows the sections their permissions cover. Sections they don’t have access to are hidden entirely from their organization settings.

How do I audit who has admin access?

Organization settings > Roles shows the admin permissions each custom role grants, and Organization settings > Groups shows which groups are assigned to each role and who belongs to them. To check a specific member, look up their groups on Organization settings > Members, then the roles those groups are assigned to.

What if someone needs permissions across multiple areas?

Create one role that grants access to multiple areas, or add the member to multiple groups whose roles cover the areas they need. Permissions combine additively.

↑ Back to top

3. Manage Custom Roles on Enterprise Plans

Open source article ↗

Custom roles are available for Enterprise plan organizations. Owners, Primary Owners, and custom roles with the Identity & Access permission set to "Can manage" can go to Organization settings > Roles to manage custom roles.

What are custom roles?

Custom roles let you define which features your members can access. Each custom role contains a set of permissions that grant or restrict access to specific capabilities like chat, Claude Cowork, Claude Code, and web search, plus the connectors your organization has added, such as Slack or Google Drive. Custom roles can also grant admin permissions, which give members access to specific administrative areas like billing, identity, or privacy without making them Owners.

Custom roles work alongside groups. The typical workflow is: create custom roles, assign them to groups, and then set members' roles to “Custom” so their access is governed entirely by the custom roles assigned to their groups.

Note: Custom roles only affect members whose role is set to “Custom.” Members with the User, Admin, or Owner roles get their permissions from those roles directly, not from custom roles.


How feature access works

Feature access is determined by a four-level precedence chain, where the most restrictive level wins:

  1. Platform-level overrides: Some features may be force-enabled or force-disabled for your organization by Anthropic as part of your contract. These can't be changed in organization settings.

  2. Organization-level setting: An Owner or Primary Owner can toggle a feature on or off for the entire organization. If a feature is disabled at the organization level, no custom role can grant access to it.

  3. Custom role permissions: If the feature is enabled at the organization level, the member's custom roles determine whether they can access it. If any of the member's custom roles grant the feature, they have it.

  4. User-level setting: If the feature is granted at the role level, it's available unless the member has disabled it in their own settings.

The key takeaway: the organization-level toggle is a main switch. Custom roles are the per-member switches underneath it. A feature must be enabled at the organization level before custom roles can control who gets access.

Note: This precedence chain applies to capabilities. Admin permissions aren't gated by an organization-level toggle or a member's own settings. If a member's custom role grants an admin permission, they have that access.


Available capabilities

Each custom role can grant or restrict access to the following capabilities:

Capability

Description

Chat

Access to chat on web, desktop, and mobile apps.

Code execution and file creation

Ability to run code and create files in conversations.

Memory

Ability to use memory across conversations.

Web search

Ability to use web search in conversations.

Public projects

Ability to share projects with everyone in your organization.

Create skills

Ability to create or upload custom skills.

Share skills with org members

Ability to share skills with specific people in your organization.

Share skills with the full organization

Ability to share skills with everyone in your organization at once.

Claude Code

Access to Claude Code.

Fast mode

Access to faster model options for Claude Code.

Claude Code dynamic workflows*

Access to dynamic workflows in Claude Code, which let Claude run large engineering tasks—migrations, audits, codebase-wide bug hunts—from start to finish in a single session. These runs can last for hours and use more tokens than a typical session.

Claude Security

Find and fix security vulnerabilities in your code with Claude.

Claude Code artifacts

Ability to create artifacts in Claude Code, which turn a session's work into a live, shareable page built from the session's context.

Claude Design

Access to Claude Design to generate design artifacts.

Claude Cowork

Access to Claude Cowork.

Claude for Chrome

Access to Claude for Chrome, the browser extension that lets Claude browse and act on web pages on the user's behalf.

*Claude Code dynamic workflows are on for your whole organization by default. Because a single run can last for hours and use more tokens than a typical session, decide which roles should have access. For members on custom roles, this capability follows the additive model like any other—a role must grant it for those members to use it. To restrict a specific group, leave this capability off in their role.

This can be disabled organization-wide via managed-settings.json by adding "disableWorkflows": true to your managed settings.

An owner can turn it off across your entire organization by going to Organization settings > Claude Code and toggling Workflows off.

Custom roles also govern admin permissions, connectors, and model access, which are configured on separate Permissions, Connectors, and Models tabs in the role editor. See Admin permissions, Connector permissions, and Model access below.

Note: Chat is enabled by default for all custom roles, including ones created before this capability was added. If you want to restrict chat for a specific role, toggle it off when editing the role.


Create a custom role

  1. Click “Add role.”

  2. Enter a name for the role (for example, “Developer,” “Standard Access,” or “Restricted”).

  3. Select the groups you want to assign to the role.

  4. Toggle each capability on or off to define what this role grants.

  5. Configure permissions. You can choose No access, Can view, and Can manage for each admin setting.

  6. Configure connectors. You can choose Always allow, Needs approval, or Blocked for all connectors, or customize per connector or connector tool.

  7. Configure models. Select which models this role can use, optionally set a maximum effort level per model, and optionally choose a default model for the role.

  8. Click “Save role.”

Edit a custom role

  1. Click the role you want to edit.

  2. Update the name and groups, or toggle capabilities, permissions, connectors, and models as needed.

  3. Click “Save role” to save your changes.

Role changes may take up to 15 minutes to take effect, and members may need to refresh their browser. All members in groups assigned to this role are affected.

Delete a custom role

Click the menu button on any custom role and select “Delete role.” Deleting a role removes its permissions from all groups it was assigned to. Members in those groups lose the permissions the role granted, unless another role in their chain also grants them.


Assign groups to custom roles

Custom roles are assigned to groups, not directly to individual members. To assign a group to a role:

  1. Click the role you want to assign.

  2. In the groups selector, select one or more groups.

  3. Click "Save role."

You can also assign custom roles when creating or editing a group in Organization settings > Groups. See Manage groups and group spend limits on Enterprise plans.


How permissions combine across multiple roles

If a member belongs to multiple groups with different custom roles, their permissions are additive—they get the union of all permissions from all roles in their chain. If any role grants a feature, the member has access to it.

This means you can't use one role to remove a permission granted by another role. This is by design — it enables a layered approach where a base role covers common features and additional roles layer on specific capabilities and admin permissions.

Example: A member is in two groups. The "All Users" group is assigned a "Standard Access" role with web search and memory. The "Engineering" group is assigned a "Developer" role with Cowork and Claude Code. The member gets all four: web search, memory, Cowork, and Claude Code.


See a member or group's effective role

When a member belongs to several groups whose roles grant different capabilities, it can be hard to tell what they can actually do. The "View effective role" option shows the combined result: every capability, admin permission, and connector the member has, with the role that grants each one.

  1. Find the member or group and open the "⋮" menu on the right side of their row.

  2. Select "View effective role."

The modal lists the member's assigned roles and three tabs:

  • Capabilities: each capability with a "Granted by [role name]" label showing which role turned it on.

  • Permissions: each admin permission area with its effective level (No access, Can view, or Can manage) and which role grants it.

  • Connectors: each connector's effective permission level and which role grants it.

This view is read-only. To change what a member can do, edit the roles assigned to their groups.

Note: "View effective role" appears only for members whose role is set to "Custom" and who have at least one custom role assigned through a group. Members with a built-in role (User, Admin, Owner, or Primary Owner) get their permissions from that role directly, so there's nothing to compute.


Admin permissions

Custom roles can grant admin permissions in addition to capabilities and connector permissions. Admin permissions give members access to specific administrative areas, like billing or privacy, without making them Owners. You can configure admin permissions in the Permissions tab of the role editor.

Note: Admin permissions only apply to members whose role is set to "Custom." Members with the User, Admin, Owner, or Primary Owner roles keep the access those roles grant.

Admin permission levels

On the Permissions tab, you set each permission area to one of three levels:

  • No access: The member doesn't see this area in their organization settings.

  • Can view: View grants read-only access. The member sees the same pages and settings as someone who can manage that area, but every control is disabled or shown as read-only. Use this permission level for compliance reviewers, finance auditors, security teams, or anyone who needs to see the configuration without changing it.

  • Can manage: Manage grants full read and write access to the area and includes view access.

Within an area, you grant all of View or all of Manage. You can't grant or restrict individual pages or settings.

Available admin permissions

There are seven admin permission areas:

Area

View

Manage

Identity & Access

SSO and SAML configuration, verified domains, domain memberships, IP allowlist, session settings, group definitions, role definitions, and provisioning settings

Edit SSO, manage domains, edit the IP allowlist, edit session settings, create and edit groups and roles, and configure provisioning

Billing

Plan details, seat counts, invoices, billing addresses, and usage spend

Change seats, update payment methods, edit billing addresses, and configure spend limits and extra usage

Analytics

Usage analytics, Claude Code analytics, and feature adoption metrics

Not available

Privacy

Data retention settings, export configuration, sharing settings, geolocation settings, US-only inference setting, and encryption-key status

Edit retention periods, run data exports, change sharing settings, and configure geolocation, US-only inference, and encryption

User Management

Not available

Invite members, change member roles, remove members, and manage pending invitations

Libraries

Not available

Add, edit, and remove organization-shared skills, plugins, and connectors. Also includes directory management.

Directory management

Not available

Submit and manage directory listings, and view observability for listings your organization has published

Note: A role with Identity & Access set to "Can manage" can create and edit groups and roles, including its own role definition. Members with this permission can expand their own access, so reserve it for trusted security and IT administrators.

Available organization settings pages for each permission

Organization settings page

Required permission

Notes

Billing

Billing (View or Manage)

Plan, seats, addresses, and invoices

Usage

Billing (View or Manage)

Spend limits, credits, and extra usage

Members

User Management (Manage)

No view-only mode

Groups

Identity & Access (View or Manage)

Roles

Identity & Access (View or Manage)

Models

Identity & Access (View or Manage)

Default model and model access

Organization and access (partial)

Identity & Access (View or Manage)

Unlocks single sign-on (SSO/SAML, group mappings, provisioning), verified domains and domain memberships, IP allowlist, session settings, restrict organization creation, and organization merger requests. Other sections on this page, like the organization name, default capability settings, and the organization-wide system prompt, still require the Owner role

Data and privacy

Privacy (View or Manage)

Analytics

Analytics (View)

Reached through Analytics in the user menu, not organization settings

Skills

Libraries (Manage)

Plugins

Libraries (Manage)

Connectors

Libraries (Manage)

Directory

Directory management (Manage)

What admin permissions don't cover

The following remain available only to Owners and Primary Owners, even for members with admin permissions:

  • Managing Owners and Admins. Admin permissions can't grant or revoke the Owner, Admin, or Primary Owner built-in roles. Only Owners can manage other Owners.

  • API keys and workspaces. API key management, workspace settings, and Claude Console administration aren't covered by admin permissions.

  • Compliance and security keys. Compliance API settings and security-key administration remain Owner-only.

  • Organization-level capability settings. Which capabilities are enabled at the organization level is governed separately and isn't part of admin permissions.

What members see when admin permissions are restricted

If a member doesn’t have access to a specific admin permission, the section doesn't appear in their organization settings. Only sections their permissions cover are shown.


Connector permissions

Custom roles also control which connectors, and which tools on those connectors, a role can use. Where capabilities cover Claude’s built-in features, connector permissions cover the apps and services you’ve connected to your organization, such as Slack, Google Drive, or Jira. You set them on the Connectors tab of the role editor, next to the Capabilities and Permissions tabs.

Note: Connector permissions apply only to members whose role is set to “Custom.” Members with the User, Admin, or Owner roles see every connector enabled for your organization, subject to your organization-wide tool policies per connector. Owners and Admins always see every connector so they can configure it, regardless of any role’s connector permissions.

Permission levels

On the Connectors tab, you set all connectors, each connector, or each tool on a connector, to one of three levels:

  • Always allow: Every tool on the connector is available, and members can set their own approval to “Always allow” to skip the per-call confirmation.

  • Needs approval: Every tool is available, but members confirm each call. The “Always allow” option is removed from their personal approval menu for these tools.

  • Blocked: The connector or tool is hidden. Claude can’t see it or call it.

A connector can also be set to Custom, which lets you set each of its tools individually. For the full setup, see Set up role-based permissions on Enterprise plans.

How connector access is determined

A connector or tool passes through several layers before a member can use it, evaluated in this order:

  1. Role grant. Each connector or tool on a role is set to “Always allow,” “Needs approval,” or “Blocked.”

  2. Across the member’s roles. If a member’s groups give them more than one role, the most permissive grant for each tool applies. Connector permissions are additive across roles, the same as capabilities.

  3. Organization-wide tool policy. The per-tool policy you set under Organization settings > Connectors per connector is the ceiling. For each tool, Claude compares the member’s role grant to this policy and applies the stricter of the two. Role grants narrow access within the policy; they can’t widen past it. Learn more about setting tool access in Use connectors to extend Claude’s capabilities.

  4. The member’s own setting. The result of the steps above is the member’s effective ceiling. It limits the options in their personal per-tool approval menu (“Always allow,” “Ask,” or “Never”). A ceiling of “Needs approval” removes “Always allow.” A ceiling of “Blocked” grays the tool out.

For members using Claude Code, one more layer applies: Managed Settings policies and connector permissions compose by most-restrictive. A tool is callable without a prompt only when both allow it. For more information, see Claude Code settings.

This table shows how the organization-wide tool policy and a member’s role grant combine:

Organization-wide tool policy

Highest role grant across the member’s roles

Effective ceiling

Member’s personal options

Always allow

Always allow

Always allow

Always allow, Ask, Never

Always allow

Needs approval

Needs approval

Ask, Never

Always allow

Blocked

Blocked

Tool grayed out

Needs approval

Always allow

Needs approval

Ask, Never

Needs approval

Blocked

Blocked

Tool grayed out

Blocked

Any

Blocked

Tool grayed out

Where connector permissions apply

Connector permissions are enforced on Anthropic’s servers, so they apply across every Claude surface that routes connector traffic through Anthropic:

Surface

Coverage

Claude on web and desktop

Full enforcement. Blocked connectors are hidden, blocked tools are grayed out, and the personal approval menu is limited to what the ceiling allows.

Claude Mobile (iOS and Android)

Enforced. Blocked tools are stripped from Claude’s view and calls to them are rejected. A blocked tool may still look active in mobile connector settings until interface updates ship, but it can’t be used.

Claude Cowork (cloud and desktop)

Same as web.

Claude Code

Enforced. Blocked tools are rejected and appear as disabled. See Claude Code settings.

Connector permissions govern connectors your organization has added under Organization settings > Connectors. They don’t govern connectors a member runs locally on their own machine, and they don’t govern Claude Cowork when it’s deployed on a third-party platform. For third-party Cowork deployments, use MDM instead. See Cowork on 3P: MCP, plugins, skills, and hooks.

What members see when a connector is restricted

Restriction

What the member sees

A connector is blocked for their role

The connector doesn’t appear in their connector menu.

A tool is blocked on a visible connector

The tool is grayed out in their connector settings, with the message “This tool is not enabled for your role. Contact your administrator.”

A tool is capped at “Needs approval”

The tool works, but the personal approval menu offers only “Ask” and “Never,” and Claude asks before each call.

Connector permissions can’t load briefly

A banner reports that connectors couldn’t load, with a retry. No blocked tool ever reaches the connected service. Access fails toward denying, never toward granting.

Members can’t tell which layer restricted a tool. The message is the same whether the limit comes from the organization-wide tool policy, a role grant, or both. To find the source, compare the organization-wide policy with the member’s role grants.


Model access

Custom roles also control which Claude models a role can use and the maximum effort level members can select on each one. You set these on the Models tab of the role editor, alongside the role's default model.

The organization-level model setting is the ceiling. A role can't grant a model that's disabled at the organization level. Across a member's roles, model access is additive and effort limits take the highest cap any role allows. Haiku models are always available and can't be disabled.

For setup steps and what members see, see Manage model access for your organization. For default model behavior, see Set a default model for your organization.


What members see when capability access is restricted

When a capability is restricted, here’s what members see. For connector and tool restrictions, see Connector permissions above.

Reason

What the member sees

Feature is disabled at the organization level

The feature appears greyed out or hidden, with the message "This feature is disabled for your organization."

Member's roles don't grant the feature

The feature appears greyed out or hidden, with the message "Contact your admin to request access to this feature."

Member's roles don't grant any product access

The member lands on their settings page when they sign in, with no products available to use.

↑ Back to top

4. Set Up JIT or SCIM Provisioning

Open source article ↗

This guide covers how to configure user provisioning and role assignment for your Claude or Claude Console organization.

JIT provisioning is available for Team plans, Enterprise plans, and Console organizations. SCIM provisioning is available for Enterprise and Console organizations only.

Before you begin: This guide assumes you have already completed the steps in Set up single sign-on (SSO), including domain verification and SSO configuration with your Identity Provider (IdP), and you have an Admin (Console) or Owner (Claude) role.


Step 1: Choose your provisioning mode

Once SSO is configured, you need to decide how users will be provisioned to your organization. This is controlled via the User provisioning section in Organization settings > Organization and access.

Provisioning options

Invite only is the default. Users are added and removed directly in Claude or Console settings.

Just-in-time (JIT): Users assigned to your Anthropic IdP app are automatically provisioned when they first log in. This option is available to all plans.

SCIM directory sync: Users are automatically provisioned and deprovisioned based on assignments in your IdP, without requiring them to log in first. SCIM is available for Enterprise plans and Console organizations with their own parent organization or joined to an Enterprise parent organization. SCIM is not available for Team plans or Console organizations joined to a Team plan's parent organization.

Provisioning behavior overview

Use this table to help decide which provisioning mode is right for your organization:

Mode

Provisioning

Role and seat type changes

Removal

Invite only

Users are manually added

Roles and seat types are manually changed

Users are manually removed

Just-in-time (JIT)

Users assigned to your IdP app are provisioned at login with the User role

Roles and seat types are manually changed

Manual removal required: users removed from your IdP app can no longer log in, but remain in the user list until they attempt to log in or are removed

JIT + group mappings

Users in at least one mapped group are provisioned at login with the highest-permissioned role from their group memberships

Roles and seat types update on next login based on group membership

Users without group access can't log in but remain in the list until login attempt or manual removal

SCIM directory sync

Users assigned to your IdP app are automatically provisioned to all organizations joined to your parent org.

Roles and seat types are manually changed

Users removed from your IdP app are automatically removed

SCIM + group mappings

Users in at least one mapped group are automatically provisioned, with appropriate role, to just the org(s) joined to the parent org where that group is added.

Role and seat types changes automatically propagate based on group membership

Automatic removal when group access is revoked

Both JIT and SCIM can be combined with Enable group mappings to control role or seat tier assignment based on IdP group membership. If you select either of these options for your provisioning mode, Enable group mappings will appear within the User provisioning section:

Available roles and seat tiers

Product

Roles

Seat types

Team plan

Owner, Admin, User

Premium, Standard

Seat-based Enterprise plan

Owner, Admin, User, Custom

Premium, Standard

Usage-based Enterprise plan (with two seat types)

Owner, Admin, User, Custom

Chat, Chat + Claude Code

Usage-based Enterprise plan (single seat type)

Owner, Admin, User, Custom

Enterprise

Console

Admin, Developer, Limited Developer, Billing, Claude Code User, User

For information on purchasing seats or adjusting your plan's seat allocation, see our guides for Team plans and Enterprise plans.


Step 2: Set up SCIM directory sync (if using SCIM)

Note: Skip this step if you're using Invite only or JIT provisioning.

If you chose SCIM as your provisioning mode, you need to establish the connection between your Identity Provider and Anthropic before enabling it.

  1. Navigate to your Organization and access settings in Claude (claude.ai/admin-settings/organization) or your Identity and access settings in Console (platform.claude.com/settings/identity)

  2. In the User provisioning section, click “Setup SCIM” (or “Manage SCIM”)next to SCIM directory sync.

  3. Follow the WorkOS setup guide to configure SCIM in your Identity Provider. You'll need to copy values from WorkOS into your IdP's Anthropic application.

‼️ When you reach the IdP Group step, pause to review Steps 3 and 4 of this guide, alongside the other guides.

For IdP-specific JIT / SCIM setup instructions, see:

Once your IdP is connected, continue to Step 3.


Step 3: Configure provisioning mode and enable group mappings

  1. Find the User provisioning section of your settings.

  2. Select your chosen option:

    1. Invite only: New members can only join if manually invited by an existing member. SSO access alone won't add them to your org.

    2. Just-in-time (JIT): Allow people with SSO access to join when they first log in. Each new member uses one of your available seats.

    3. SCIM directory sync: Add or remove members automatically as your directory changes. Your org always stays current.

  3. If you selected “Just-in-time (JIT)” or “SCIM directory sync,” do NOT click “Save changes” immediately. You must first ensure all users are assigned to your Anthropic application in your IdP.

  4. Once you’ve confirmed all users are assigned in your IdP you can either:

    1. Click “Save changes” to complete the set up and trigger the initial provisioning, or

    2. Toggle on Enable group mappings and move to Step 4.

Important: Saving before users are properly assigned will result in those users being deprovisioned from the organization. Where it's available, the admin console shows a preview of what the sync will change, including how many members will be removed, before it applies. Review it before you confirm, and cancel if the removal count is higher than you expect. Learn more about how SCIM sync works.


Step 4: Configure groups in your Identity Provider and map groups to roles and seat types

  1. Create groups in your IdP for each role you want to assign. Unless you're on the single-seat Enterprise plan, create groups for each seat type as well.

    1. While there are no longer naming requirements for these groups, we recommend including something in the group name (e.g., anthropic-claude- or anthropic-console-) to make them easier to identify.

  2. Add users to the groups you created, ensuring at least one user (including yourself) is in a group that will be mapped to an Admin (Console) or Owner (Claude) role.

  3. Return to your Organization and access or Identity and access settings in Claude or Console, and find User provisioning.

  4. Toggle Enable group mappings on (if it’s not already):

  5. In the Enable group mappings section, click “Add” next to each role and select the corresponding group from your IdP in the dropdown.

    1. When using group mappings, you must assign all users to a role-based group in order to ensure they’re provisioned an account. Assigning users to seat-tier based groups is optional.

    2. You can map an IdP group to the “Custom” role. Members assigned this role have no default permissions—their access is determined entirely by the custom roles assigned to their groups in Claude.

  6. For all plans except single-seat Enterprise: In the Assign seat tiers to IdP groups section (optional), click "Add" next to each seat type and select the corresponding group from your IdP. If a user isn't assigned to a seat type group, they will be assigned to the highest available type by default.

    1. For single-seat Enterprise: Seat type mapping does not apply. All provisioned users are automatically assigned an Enterprise seat, provided one is available in your organization.

  7. Verify all necessary groups are mapped to the appropriate roles and seat types.

  8. Click “Save changes.”

    1. Note: Microsoft Entra only pushes SCIM changes every 40 minutes, so there may be a delay before changes appear. You can check which users are synced from your IdP by clicking "Manage SCIM" and viewing the Directory. Those users in the Directory will be provisioned to Claude / Console.

Important: All users who need access must be assigned to the appropriate groups before you save your group mappings configuration. These users should already be assigned to your Anthropic application in your IdP from when you enabled SSO.

How the Primary Owner role works with SCIM

  • Your organization's Primary Owner is exempt from SCIM reconciliation. If the Primary Owner account is not present in the IdP directory, or is not a member of any group mapped to a role, it will be skipped when SCIM syncs. The Primary Owner's membership and role are preserved.

  • This exemption applies only to the single Primary Owner role. Owner and Admin roles are not exempt and must be in a group mapped to a role, or they will be removed when SCIM group mappings are enabled.

  • The Primary Owner role cannot be assigned via SCIM group mappings. It can only be transferred manually from Organization settings > Members. Set your intended Primary Owner before enabling SCIM.

  • The Primary Owner is not exempt from SSO sign-in enforcement. SSO enforcement is applied by email domain; if the Primary Owner's email is on an enforced domain, they must authenticate through SSO.


Troubleshooting

Users assigned correctly and showing in the directory but aren’t being added to the Claude as members?

Verify you have enough seats purchased and available to add members to your org.

  1. Check the number of available seats shown in Organization settings > Organization and access and purchase additional seats if needed (see our guides for Team plans and Enterprise plans).

  2. Once you have available seats, go back to the Organization and access page and click “Sync now,” next to Directory sync (SCIM). This will trigger a sync to provision accounts for those users not yet added as members.

Users aren't being provisioned with the correct role

  1. Verify the user is assigned to the correct group in your IdP.

  2. Verify the group is mapped to the correct role in your Organization and access settings.

  3. For JIT: The user needs to log out and log back in for role changes to take effect.

  4. For SCIM: Click "Sync" to prompt an immediate sync, or wait for the automatic sync cycle:

I lost Admin/Owner access after enabling group mappings

This happens when the person configuring group mappings isn't assigned to a group mapped to an Admin or Owner role, causing their permissions to be downgraded to User.

To fix this:

Option 1: Have another Admin/Owner reinstate your role

  1. Contact another Admin or Owner of your organization.

  2. Ask them to navigate to Organization settings > Organization (for Claude) or Settings > Members (for Console).

  3. Have them change your role back to Admin or Owner.

Option 2: Fix via your Identity Provider

  1. In your IdP, assign yourself to a group with the correct prefix that maps to an Admin or Owner role.

  2. For JIT: Log out and log back in to regain access.

  3. For SCIM: Ask another Admin or Owner to click "Sync" in the Organization and access settings, or wait for the automatic sync cycle.

↑ Back to top

5. Set Up Single Sign-On (SSO)

Open source article ↗

Single sign-on is available for Team plans, Enterprise plans, and Console organizations.

This guide covers the steps to configure SSO for Team and Enterprise plans, and Claude Console organizations.

Step 1: Review prerequisites and important considerations

Before proceeding with SSO setup, complete the following:

Review the considerations guide: Read Important considerations before enabling single sign-on (SSO) and JIT/SCIM provisioning to understand parent organizations, determine your setup path, and complete any prerequisite steps such as merging organizations.

Confirm you have the required role:

  • For Team or Enterprise plans: You must be an Owner or Primary Owner

  • For Claude Console: You must be an Admin

Confirm you have access to the following:

  • DNS settings for your company's email address domain

  • Your company's SSO Identity Provider (IdP) used to log in to third-party applications (e.g., Okta, Google Workspace, etc.)

Please contact your organization's IT Administrator if you do not have permissions to manage Claude or company DNS settings.

Note: WorkOS is Anthropic's provider for domain verification and SSO setup. More details can be found in Anthropic's Subprocessor List. You will be taken through a WorkOS setup flow when configuring SSO and provisioning features—find your Identity Provider in their Integration documentation.


Step 2: Verify your domain(s)

Domain verification proves that you own your company's domain. Once verified, you can configure SSO for accounts with your company's domain.

You can verify multiple domains for a single organization, but all domains must be managed through a single IdP. We don't support verifying domains from separate IdPs within the same organization.

Note: Verifying your domain by itself will not impact existing users' ability to access our products. End users’ access is only affected once SSO is set up and explicitly enforced.

  1. Navigate to your Organization and access settings in Claude (claude.ai/admin-settings/organization) or your Identity and access settings in Console (platform.claude.com/settings/identity) – note this page will only appear on Console if you've worked with Sales to enable SSO or completed a merge proposal.

  2. In the Domains section, click “Add or edit domains.”

  3. Enter the domain(s) you want to verify in the Update organization email domains modal and click the “+” button:

  4. Click “Save” when you’re finished adding domains.

  5. The domain(s) you added will now appear in the Domains section; click “Verify” to the right of the domain(s) to begin the verification process.

  6. Enter your domain in the text box and click “Continue”:

  7. The setup screen displays a TXT record. Copy the full Value using the copy button—it begins with anthropic-domain-verification- and is longer than what's visible in the box. In your DNS provider, add a TXT record with Host/Name set to @ (the root of your domain) and Value set to the copied string. Add it alongside any existing TXT records; don't replace them. The value is case-sensitive, so paste it exactly.

    1. Important: Save the TXT value before leaving the setup screen. Once the domain shows as Pending, the admin console doesn't display the value again. If you lose it, you'll need to remove and re-add the domain, which generates a new value.

  8. Wait 10 minutes for your DNS change to propagate.

    • Note: DNS changes can take 24-48 hours to propagate globally.

  9. When you see the green "Verified" badge, you can close the instructions page.

  10. If your domain shows as "Pending," use the "Refresh" button.

If your domain stays Pending

Clicking "Refresh" re-checks your DNS; it won't show Verified until the published TXT record exactly matches the expected value. If it stays Pending after DNS has propagated, check the following:

  • The record exists at the root. Look up your domain's TXT records with a tool such as DNSChecker and confirm a record beginning with anthropic-domain-verification- appears for yourdomain.com (not www.yourdomain.com or another subdomain). If it doesn't appear, the record may have been added at the wrong host or hasn't propagated yet.

  • The value matches exactly. The check is case-sensitive and requires the full string including the anthropic-domain-verification-…= prefix. A single character difference will keep it Pending.

  • You haven't removed and re-added the domain. Each re-add generates a new verification value. If you re-added the domain after publishing the TXT record, the published value no longer matches—you'll need to update the DNS record with the new value.

If the record is correct and propagated but the status still shows Pending, contact Support.

Note: Once your domain is verified, you'll see a Restrict organization creation toggle under Security on the Organization and access organization settings page. Enable this if you want to prevent users from creating new Claude or Console organizations—including personal accounts—using your verified domains.


Step 3: Set up SSO with your Identity Provider

  1. Navigate to your Organization and access settings in Claude (claude.ai/admin-settings/organization) or your Identity and access settings in Console (platform.claude.com/settings/identity).

  2. In the Authentication section, click “Setup SSO” (or “Manage SSO”).

  3. Follow the setup guide provided for your Identity Provider (see below for additional guides).

  4. At the end of these steps, you’ll be prompted to Test Single Sign-on to confirm there are no errors and the configuration is successful.

  5. Once complete, navigate back to the Organization and access settings page for further configuration options.

Important: SSO enforcement might result in users being unable to log in if they are not correctly assigned to the Anthropic app in the IdP. If you have more than one Claude/Console org connected to your “parent org,” you will want to consider creating a unique IdP Group for each. For more information, see enable group mappings.

For IdP-specific setup instructions, see:


Step 4: Choose to require SSO

You can now choose to toggle on Require SSO for Console and/or Require SSO for Claude, on the Organization and access page, under the Authentication section:

When SSO is required, users must use the “Continue with SSO” option to log in to their Claude/Console accounts. When SSO is not required, they will have the option to choose “Continue with SSO” or “Continue with email.”


Step 5: Choose your provisioning approach

Once SSO is enabled, you need to decide how users will be added to your organization by choosing an option within the User provisioning section of your Organization and access settings.

Invite only is the default. Users are added and removed directly in your Claude or Console settings. Please see Manage members on Team and Enterprise plans.

Just-in-Time (JIT) provisioning can be enabled to automatically provision users when they first log in. By default, users assigned to your Anthropic IdP app first login, they will receive the User role. This is the simplest automated option and requires no additional configuration beyond selecting "Just-in-Time (JIT)" as your provisioning mode.

Enable group mappings - when to configure additional provisioning features

For more control over provisioning, see Set up JIT or SCIM provisioning. You'll want to review this guide if you need to:

  • Automatically assign roles or seat tiers based on IdP group membership.

  • Use SCIM directory sync for automatic provisioning and deprovisioning.

  • Manage access across multiple organizations (e.g., if you have both a Team/Enterprise organization and a Console organization linked to the same parent and need to control which users are provisioned to each).

Note: We don't currently support IdP-initiated login for Claude Console organizations that share SSO settings with a Team or Enterprise plan organization. Users will be redirected to claude.ai with IdP-initiated login. As a workaround, if possible in your IdP, create a bookmark called "Claude Console" that links to platform.claude.com/login?sso=true to redirect users to Console for SP-initiated login.


Updating your SSO certificate

When your Identity Provider's X.509 signing certificate expires or is rotated, you'll need to update it in Claude or Console to maintain SSO functionality.

  1. Navigate to your settings:

  2. In the Authentication section, click “Manage SSO.”

  3. Find the Metadata configuration section and click “Edit.”

  4. Update your certificate information and save your changes.

  5. Click "Test sign-in" on the same page to confirm everything is working.


Turning off SSO

You can toggle Require SSO for Claude or Require SSO for Console off at any time. This will make SSO optional for all users.

To fully disconnect SSO, click “Manage SSO” then “Reset connection.” This will end all users’ sessions and require them to sign back in via email login link.

↑ Back to top

6. Manage Members on Team and Enterprise Plans

Open source article ↗

This guide covers how to add, remove, and manage the people on your Team or Enterprise plan.

Permissions note: Organization Admins can manage members in Organization settings > Members, but only Owners and Primary Owners can access Organization settings > Billing. For more information, see our article about roles and permissions.

For information on purchasing seats or adjusting your plan's seat allocation, see our guides for Team plans and Enterprise plans.


Add members

Add members by invitation

Note: Pending invitations occupy your available seats immediately; a new member does not need to accept the invite to take up a seat.

Admins and above can add members by following these steps:

  1. Navigate to Organization settings > Members and click “Add member.”

  2. Enter the person's email address (it must use one of your organization's allowed email domains).

  3. Select the appropriate seat type.

  4. Set the role and permissions for the member.

    1. Note: On Enterprise plans, you can also select “Custom” as a member’s role. Members set to this role have their access controlled through group memberships and custom roles. To see exactly what a custom role member can access, open the “” menu on the right side of their row and select "View effective role." For details, see Manage custom roles on Enterprise plans.

  5. Click “Add members.”

This sends an email invitation to the person. The invitation expires after 21 days, so you'll need to re-invite them if they don't accept within that time period.

Add multiple members at once: You can invite multiple members by clicking "Bulk add" and typing or pasting email addresses separated by commas or new lines.

Note: The seat type selector only shows seat types your plan already owns. If all seats of the selected type are assigned, you'll be prompted to purchase one. See our guides for Team plans and Enterprise plans for more information.

Add members via organization discovery

Members can also join your organization on their own through organization discovery. When you enable discoverability, colleagues with a matching email domain can find your organization during signup and request to join—no invitation needed. You can configure whether they're added automatically or require your approval. See Find and join a Team or Enterprise organization for details.

Share an invite link

Admins and above can generate a shareable invite link and distribute it to teammates—for example, by posting it in a Slack channel, email thread, or team wiki—without needing to enter individual email addresses.

Availability:

  • Team plans: Invite links are enabled by default for new organizations.

  • Enterprise plans (non-SSO): Invite links are disabled by default. Admins can enable them in Organization settings > Organization and access.

  • SSO organizations: Invite links are not available. Member provisioning is managed through your Identity Provider.

To find and copy your invite link, navigate to Organization settings > Organization and access. New members who join via link are assigned to the lowest available seat tier, defaulting to a standard seat if none are available.

Admins can disable the link at any time—this immediately invalidates all existing links. Regenerating the link also invalidates the previous one.

For more details on how the joining flow works, see Join an organization via invite link.

Automated provisioning with SSO

Organizations with single sign-on (SSO) configured can automate member provisioning. Learn more about setting up SSO.

  • Just-in-time (JIT) provisioning: Members assigned to the Anthropic app in your Identity Provider will have accounts created automatically the first time they log in. On plans with multiple seat types, users are assigned to the highest-available seat type upon first login. On single-seat Enterprise plans, users are automatically assigned the Enterprise seat. Admins and above can manually reassign seat types afterward in Organization settings > Organization and access.

  • SCIM provisioning (Enterprise plan only): With SCIM directory sync enabled, members assigned to the Anthropic app in your Identity Provider are provisioned automatically, up to the number of total seats on your plan. On plans with multiple seat types, seat types are distributed from highest to lowest available. On single-seat Enterprise plans, all users are automatically assigned the Enterprise seat. Primary Owners and Owners can reassign seat types afterward in Organization settings > Organization and access.

Important: An Owner or Primary Owner must ensure seats are available before new users can be provisioned. We recommend monitoring your seat usage and adding seats proactively to ensure uninterrupted access for your team. You can enable group mappings with JIT or SCIM to provision users directly to a specific role and seat tier.


Member-to-member invites

Organization members can invite teammates by email, even if they aren't admins. This makes it easier for your team to grow organically without requiring admin involvement for every new member.

How it works

Any member can access the invite flow from the account selector in Claude. They enter a teammate's email address and submit the invite. What happens next depends on your organization's new member approval setting:

  • Approve one-by-one (default): The invite request goes to an admin for review. The invite is only sent to the teammate after an admin approves it.

  • Approve automatically: The invite is sent right away and the invitee can join immediately.

Invites sent by members follow the same domain restrictions as other join methods — the invitee's email must match one of your organization's allowed domains.

Availability

  • Team plans: Member-to-member invites are enabled by default for new organizations.

  • Enterprise plans: Member-to-member invites are disabled by default. Admins can enable them from Admin settings.

Admin controls

Admins can enable or disable member-to-member invites from the admin settings. When disabled, only admins can send invitations. Invitees added through member invites are assigned the default member role and placed in the lowest available seat tier.


Remove members

You can remove a member by navigating to Organization settings > Members, clicking the menu button to the right of the member, then selecting "Remove from team."

For Enterprise organizations using SCIM provisioning, members are automatically removed from Claude when they are removed from your Identity Provider.

When a member is removed:

  • They lose access to the organization immediately.

  • The seat they occupied becomes available to assign to another user.

  • If you re-add the member later using the same email address, their account history will be maintained.

Removing a member frees up their seat for reassignment, but does not automatically reduce your plan's total seat count. See our guides for Team plans and Enterprise plans for information on reducing seats.

Note: You cannot remove yourself as a Primary Owner or Owner. Another Primary Owner or Owner must remove you from the team.


Export member data

Admins and above can export a CSV of your organization's current member list from your organization settings.

The export includes member details such as name, email address, role, and seat type. This is useful for auditing membership, reconciling seat usage, or maintaining an external record of your team.

To export:

  1. Click the "Export CSV" button at the top of the Members section.

  2. A CSV file will download to your device.


Manage invitations

Resend an expired invitation

You can resend an invite from Organization settings > Members. Click the “Pending” tab, find the member, and select to resend the invite.

Revoke a pending invitation

You can revoke a pending invite from Organization settings > Members. Click the “Pending” tab, find the member, and select "Remove from team."


Frequently asked questions

Can I invite someone who already uses Claude personally with their work email?

Yes. Once they join your team, they'll have both a personal account and a Team or Enterprise plan account. They can toggle between accounts through the menu by clicking their initials or name in the lower left corner.

How do I add a member that I previously removed?

To add a member that you previously removed, follow the same steps as adding a new member. Their account history will be maintained.

How do I change the Primary Owner?

The current Primary Owner can transfer ownership by:

  1. Click the Role dropdown next to the new user and select "Primary Owner."

  2. Type the new Primary Owner's email address in the modal to confirm and transfer ownership.

Important: There can only be one Primary Owner per organization. Following these steps transfers the role to a different user.

What happens to the initial invitation for a new Enterprise organization?

When Anthropic provides a new Enterprise organization and invites the Primary Owner, the same 21-day expiration period applies to that initial invitation. If your invitation has expired, please reach out to your account manager.

↑ Back to top

7. FAQ: Users & Security

Q. Can our organization's admin read individual employees' chat conversations?

No, not casually. Chats are private by default and admins cannot browse them through the console. The only path to conversation content is a formal data export, which only the Primary Owner can request (Organization settings > Data and Privacy). Audit logs record that a chat was created, renamed, or deleted, but exclude its title and content — only an internal ID is logged.

Sources: Who owns and manages the data of my team? · Access audit logs

Q. Does Anthropic train its models on our conversations?

No, not by default. For commercial products — Claude for Work (Team/Enterprise) and the API — Anthropic does not use inputs or outputs to train models. Training only happens if a user explicitly opts in, e.g. by submitting thumbs up/down feedback, and admins can disable that feedback mechanism org-wide under Organization settings > Data and Privacy > Rate chats.

Source: Is my data used for model training? (Anthropic Privacy Center)

Q. How long is our data retained, and can we shorten that?

By default, data is retained indefinitely. Enterprise admins (Owner or Primary Owner) can configure a custom retention period as short as 30 days under Organization settings > Data and Privacy. Once data passes its retention window it is permanently deleted at midnight UTC and cannot be recovered.

Source: Configure custom data retention controls for Enterprise plans

Q. Who legally owns our organization's data?

The organization is the data controller; Anthropic acts only as a data processor under a direct commercial agreement (not the consumer Terms of Service). The Primary Owner administers the account, can request data exports, and can revoke any member's access at any time.

Source: Who owns and manages the data of my team?

Q. What do audit logs capture, and who can see them?

Enterprise-only. Audit logs record sign-ins/outs, member invites/removals, project and chat lifecycle events (create/rename/delete), file uploads, SSO configuration changes, and data exports — each tagged with timestamp, actor, IP address, device, and platform. Only Owners and Primary Owners can export logs, covering the trailing 180 days, delivered as a 24-hour download link. Chat and project content is never included.

Source: Access audit logs

Q. Can we see how our team uses Claude without reading their chats?

Yes. Usage analytics (active members, sessions, feature adoption across Chat/Claude Code/Cowork, token consumption, estimated spend) are visible to Owners and Primary Owners on both Team and Enterprise plans, and to Admins on Enterprise (except Spend). This is purely usage metrics — it never exposes conversation content.

Source: View usage analytics for Team and Enterprise plans

Q. What compliance certifications does Anthropic hold?

SOC 2 Type I & Type II, ISO 27001:2022 (information security management), and ISO/IEC 42001:2023 (AI management systems). Enterprise also supports a signable Business Associate Agreement (BAA) for HIPAA-ready configurations. Documentation can be requested via Anthropic's Trust Portal.

Source: What certifications has Anthropic obtained? · trust.anthropic.com

Q. Can we use our own encryption keys instead of Anthropic's?

Yes, eligible Enterprise organizations can provision customer-managed encryption keys (CMEK) in their own cloud provider's key management system, and Anthropic uses that key to protect the org's chats, projects, and files. Trade-off: with CMEK enabled you lose chat search over past conversations and can't use the one-click "Export logs" button (Compliance API is used instead).

Source: What are customer-managed encryption keys (CMEK)?

Q. How do we control sign-in, and can accounts be removed automatically when someone leaves?

Enterprise supports SAML/OIDC single sign-on through your identity provider (Okta, Microsoft Entra ID, Google Workspace, etc.), plus SCIM directory sync for fully automatic provisioning and deprovisioning — accounts are added and removed the moment your IdP directory changes, with no manual step. See sections 4 and 5 above for the full setup flow.

Source: Set up JIT or SCIM provisioning

↑ Back to top