Anthropic Enterprise RBAC Management Guide

v20260423

anth-enterprise-rbac

A comprehensive guide for configuring and managing organization-level access control within the Anthropic ecosystem. It details Workspaces setup (Production, Staging, Development), defines roles (Owner, Admin, Developer), and provides best practices for API key management. Includes practical Python code examples for implementing application-level Role-Based Access Control (RBAC) to restrict model access and usage limits.

Anthropic RBAC Access Control Workspaces API Keys Claude Enterprise Python

Get Skill

96 downloads

Overview

Anthropic Enterprise RBAC

Overview

Anthropic provides organization-level access control through Workspaces, API key scoping, and member roles via the Console at console.anthropic.com.

Organization Structure

Organization (billing entity)
├── Workspace: Production
│   ├── API Key: sk-ant-api03-prod-main-...
│   ├── API Key: sk-ant-api03-prod-batch-...
│   └── Rate limits: Tier 4
├── Workspace: Staging
│   ├── API Key: sk-ant-api03-stg-...
│   └── Rate limits: Tier 2
└── Workspace: Development
    ├── API Key: sk-ant-api03-dev-...
    └── Rate limits: Tier 1

Console Roles

Role	Capabilities
Owner	Full access, billing, member management
Admin	Manage workspaces, API keys, view usage
Developer	Create/revoke own API keys, view own usage
Billing	View invoices and usage reports only

Application-Level RBAC

# Implement your own RBAC on top of Anthropic Workspaces
from enum import Enum
import anthropic

class UserRole(Enum):
    VIEWER = "viewer"       # Can read Claude responses (no direct API)
    USER = "user"           # Can send prompts (rate limited)
    POWER_USER = "power"    # Can use Opus, higher limits
    ADMIN = "admin"         # Can access all models, no limits

ROLE_CONFIG = {
    UserRole.VIEWER: {"allowed": False},
    UserRole.USER: {
        "allowed": True,
        "models": ["claude-haiku-4-20250514"],
        "max_tokens": 512,
        "rpm_limit": 10,
    },
    UserRole.POWER_USER: {
        "allowed": True,
        "models": ["claude-haiku-4-20250514", "claude-sonnet-4-20250514", "claude-opus-4-20250514"],
        "max_tokens": 4096,
        "rpm_limit": 60,
    },
    UserRole.ADMIN: {
        "allowed": True,
        "models": ["claude-haiku-4-20250514", "claude-sonnet-4-20250514", "claude-opus-4-20250514"],
        "max_tokens": 8192,
        "rpm_limit": 200,
    },
}

def create_message(user_role: UserRole, model: str, **kwargs):
    config = ROLE_CONFIG[user_role]
    if not config["allowed"]:
        raise PermissionError("Role does not allow API access")
    if model not in config["models"]:
        raise PermissionError(f"Role cannot access model: {model}")
    kwargs["max_tokens"] = min(kwargs.get("max_tokens", 1024), config["max_tokens"])

    client = anthropic.Anthropic()
    return client.messages.create(model=model, **kwargs)

Key Management Best Practices

Practice	Implementation
One key per service	`prod-auth-service`, `prod-search-service`
Rotate quarterly	Calendar reminder + automated rotation
Least privilege	Dev workspace for dev keys only
Audit trail	Log which key made each request
Revoke immediately	On employee departure or compromise

Error Handling

Issue	Cause	Fix
Key works in dev, fails in prod	Wrong workspace key	Verify key belongs to prod workspace
New team member can't access	Not added to workspace	Invite via Console > Members
Usage not visible	Viewing wrong workspace	Switch workspace in Console

Resources

Next Steps

For major migration strategies, see anth-migration-deep-dive.

Info

Category Development

Name anth-enterprise-rbac

Version v20260423

Size 3.82KB

Source jeremylongshore/claude-code-plugins-plus-skills

Updated At 2026-04-28