Simon Carter
Security & Governance

Anthropic adds granular admin permissions to Claude Enterprise custom roles

Claude Enterprise plans can now grant members access to specific admin areas like billing or privacy without making them full Owners.

security governance category

If you’ve ever wanted to give your finance team visibility into Claude usage costs without handing them the keys to the entire organisation, Anthropic has quietly solved that problem for Enterprise customers.

The custom roles framework on Claude Enterprise plans now includes admin permissions, letting you assign members access to specific administrative areas — billing, privacy, analytics, identity and access, user management, or libraries — without elevating them to full Owner status.

What’s actually changed

Claude Enterprise has had custom roles for a while. These let you control which features and connectors different groups of members can access. Until now, though, admin access was essentially binary: either you had it (Owner) or you didn’t.

The new Permissions tab in the role editor adds a dedicated section for administrative access. For each of the six admin areas, you can choose from three settings:

  • No access — the member doesn’t see that section at all
  • Can view — read-only access; controls are visible but disabled
  • Can manage — full administrative access to that area

This gives you a much more precise dial than “Owner or not Owner”.

The six admin areas

The admin permission areas map fairly cleanly to the kinds of responsibilities that typically live in different parts of an organisation:

  • Identity & Access — SSO, SCIM, authentication settings
  • Billing — subscription, invoices, spend data
  • Analytics — usage reporting across the organisation
  • Privacy — data handling and retention settings
  • User Management — adding, removing, and managing members
  • Libraries — shared prompt and resource libraries

You can mix and match these across different custom roles. A “Finance” role might get Billing set to Can manage, with everything else at No access. A “Security” role might get Identity & Access at Can view, so the team can audit settings without being able to change them. A compliance auditor gets Privacy at Can view. None of them need to become Owners to do their jobs.

How it fits into the broader custom roles system

It’s worth understanding where admin permissions sit in the permission stack, because the model is additive and layered.

Anthropic can set platform-level overrides at contract level that can’t be changed by anyone in your organisation. Below that, Owners can toggle features on or off for the whole organisation. Below that, custom roles govern what individual members can actually access.

Critically, custom roles only apply to members whose role is set to “Custom roles”. Members with the standard User, Admin, or Owner roles continue to get their access from those roles directly. Custom roles aren’t a modifier on top of existing roles — they replace the standard role assignment entirely for the members they apply to.

The access model is additive: if a member belongs to multiple groups and any one of those groups’ roles grants a feature or permission, the member has it.

Groups themselves can be created manually in the admin panel or synced automatically from your identity provider via SCIM, which means access can track your existing directory structure without manual upkeep.

What this means for your organisation

The practical effect is that you can now delegate administrative responsibility more accurately.

Before this change, if someone needed to manage billing or run usage reports, you were looking at giving them the full Owner role — which also gives them access to everything else. That’s a broader grant than most organisations are comfortable with, and it creates unnecessary exposure.

Now you can be specific. A few realistic examples:

  • Your finance team gets Billing access to review invoices and monitor spend, without any ability to touch user settings or chat capabilities
  • Your IT or security team gets Identity & Access at Can view to audit SSO and SCIM configuration without being able to change it
  • Your legal or compliance team gets Privacy and Analytics at Can view so they can produce reports and check data handling without administrative change rights
  • Your HR or IT helpdesk gets User Management to handle onboarding and offboarding without broader admin access

Changes take effect as soon as group membership is updated, so there’s no lag between a role assignment and the access it grants.

A note on setup

To configure admin permissions on a custom role, you’ll need to be an Owner or Primary Owner yourself, or hold a custom role with Identity & Access set to Manage. The role editor is in the admin console under Roles, and the Permissions tab sits between the Capabilities and Connectors tabs.

If you don’t configure admin permissions on a role, members with that role simply have no admin access — administration stays with your Owners and Primary Owners by default. Nothing breaks; you’re just not using the new capability.

This is part of a broader set of Enterprise admin controls that Anthropic has been building out, alongside things like per-user spend caps, managed Claude Code policies, and a Compliance API for programmatic access to usage data. The direction is clearly toward giving Enterprise customers the governance tooling they need to deploy Claude broadly without losing control of who can do what.

If your organisation has been holding back on broadening Claude access because you weren’t comfortable with the permission boundaries available, this is worth a look.