Anthropic企业级RBAC与权限管理

v20260423

anth-enterprise-rbac

本指南详细介绍了如何在Anthropic生态系统中配置和管理组织级的访问控制。内容涵盖工作区（Workspaces）的划分、管理员角色定义、API密钥的最佳管理实践，并提供了实用的Python代码示例，指导用户如何实现应用层面的RBAC，从而限制模型访问和调用额度。

Anthropic RBAC 访问控制工作区 API密钥 Claude 企业级 Python

获取技能

96 次下载

概览

Anthropic Enterprise RBAC

Overview

Anthropic provides organization-level access control through Workspaces, API key scoping, and member roles via the Console at console.anthropic.com.

Organization Structure

Organization (billing entity)
├── Workspace: Production
│   ├── API Key: sk-ant-api03-prod-main-...
│   ├── API Key: sk-ant-api03-prod-batch-...
│   └── Rate limits: Tier 4
├── Workspace: Staging
│   ├── API Key: sk-ant-api03-stg-...
│   └── Rate limits: Tier 2
└── Workspace: Development
    ├── API Key: sk-ant-api03-dev-...
    └── Rate limits: Tier 1

Console Roles

Role	Capabilities
Owner	Full access, billing, member management
Admin	Manage workspaces, API keys, view usage
Developer	Create/revoke own API keys, view own usage
Billing	View invoices and usage reports only

Application-Level RBAC

# Implement your own RBAC on top of Anthropic Workspaces
from enum import Enum
import anthropic

class UserRole(Enum):
    VIEWER = "viewer"       # Can read Claude responses (no direct API)
    USER = "user"           # Can send prompts (rate limited)
    POWER_USER = "power"    # Can use Opus, higher limits
    ADMIN = "admin"         # Can access all models, no limits

ROLE_CONFIG = {
    UserRole.VIEWER: {"allowed": False},
    UserRole.USER: {
        "allowed": True,
        "models": ["claude-haiku-4-20250514"],
        "max_tokens": 512,
        "rpm_limit": 10,
    },
    UserRole.POWER_USER: {
        "allowed": True,
        "models": ["claude-haiku-4-20250514", "claude-sonnet-4-20250514", "claude-opus-4-20250514"],
        "max_tokens": 4096,
        "rpm_limit": 60,
    },
    UserRole.ADMIN: {
        "allowed": True,
        "models": ["claude-haiku-4-20250514", "claude-sonnet-4-20250514", "claude-opus-4-20250514"],
        "max_tokens": 8192,
        "rpm_limit": 200,
    },
}

def create_message(user_role: UserRole, model: str, **kwargs):
    config = ROLE_CONFIG[user_role]
    if not config["allowed"]:
        raise PermissionError("Role does not allow API access")
    if model not in config["models"]:
        raise PermissionError(f"Role cannot access model: {model}")
    kwargs["max_tokens"] = min(kwargs.get("max_tokens", 1024), config["max_tokens"])

    client = anthropic.Anthropic()
    return client.messages.create(model=model, **kwargs)

Key Management Best Practices

Practice	Implementation
One key per service	`prod-auth-service`, `prod-search-service`
Rotate quarterly	Calendar reminder + automated rotation
Least privilege	Dev workspace for dev keys only
Audit trail	Log which key made each request
Revoke immediately	On employee departure or compromise

Error Handling

Issue	Cause	Fix
Key works in dev, fails in prod	Wrong workspace key	Verify key belongs to prod workspace
New team member can't access	Not added to workspace	Invite via Console > Members
Usage not visible	Viewing wrong workspace	Switch workspace in Console

Resources

Next Steps

For major migration strategies, see anth-migration-deep-dive.

信息

Category 编程开发

Name anth-enterprise-rbac

版本 v20260423

大小 3.82KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28