Team and Enterprise Permission Management

Enterprise deployments of Claude Code require centralized policy management — settings that override what individual developers can configure, distributed to every machine, with audit trails. Here's how the system works.

Quick Reference

→Managed settings: Anthropic admin console → server-pushed policy that overrides everything
→managed-settings.d/ directory: modular drop-in policy fragments that merge at startup
→forceRemoteSettingsRefresh: blocks startup until fresh policy is fetched (zero-trust compliance)
→MDM distribution: macOS plist or Windows registry for IT-managed machine policy
→Subprocess sandboxing: PID namespace isolation on Linux via CLAUDE_CODE_SUBPROCESS_ENV_SCRUB
→Scoping: managed (highest) > project > user > local
→allowedChannelPlugins: controls which plugins developers can install
→Ship .claude/settings.json in the repo for team-wide onboarding defaults

The Policy Hierarchy

Claude Code has a four-level settings hierarchy. Lower levels can add permissions but cannot override what higher levels restrict. This is the foundational design that makes enterprise policy distribution work.

Level	Source	Can Override?	Use For
Managed (highest)	Anthropic admin console / MDM	Overrides all below	Org-wide policy: deny rules, approved MCP servers, required modes
Project	.claude/settings.json (committed to repo)	Can add, not remove managed rules	Team defaults: workflow allowlists, project-specific denies
User	~/.claude/settings.json	Can add, not remove project/managed rules	Personal preferences: mode defaults, personal tool allowlists
Local (lowest)	.claude/settings.local.json (gitignored)	Can add, not remove anything above	Per-developer overrides not shared with team

Allow Arrays Merge, Deny Arrays Win

Allow rules from all levels are active simultaneously — a user-level allow doesn't cancel a project-level allow. But if a managed-level deny rule exists, no level below it can override it. Deny rules are absolute at the level they're set.

Managed Settings via the Admin Console

Managed settings are pushed from the Anthropic admin console to every machine running Claude Code under your organization. They take the highest priority in the hierarchy — project and user settings cannot override them.

managed-settings.d/ — Modular Policy Fragments

Rather than maintaining a single large managed settings file, Claude Code supports a managed-settings.d/ drop-in directory. Individual JSON policy fragments placed in this directory merge together at startup.

Sign in to read this article

This is a premium article. Sign in with your Google account to continue.