Manage custom roles on Enterprise plans
What are custom roles?
Custom roles let you define which features your members can access. Each custom role contains a set of permissions that grant or restrict access to specific capabilities like chat, Claude Cowork, Claude Code, and web search, plus the connectors your organization has added, such as Slack or Google Drive. Custom roles can also grant admin permissions, which give members access to specific administrative areas like billing, identity, or privacy without making them Owners.
Custom roles work alongside groups. The typical workflow is: create custom roles, assign them to groups, and then set members' roles to “Custom roles” so their access is governed entirely by the custom roles assigned to their groups.
How feature access works
Feature access is determined by a four-level precedence chain, where the most restrictive level wins:
The key takeaway: the organization-level toggle is a main switch. Custom roles are the per-member switches underneath it. A feature must be enabled at the organization level before custom roles can control who gets access.
Available capabilities
Each custom role can grant or restrict access to the following capabilities:
Custom roles also govern access to admin permissions and connectors, which are configured on separate Permissions and Connectors tabs in the role editor. See Admin permissions and Connector permissions below.
Create a custom role
Edit a custom role
Capability and connector changes take effect within one minute. Admin permission changes can take up to 15 minutes, and members may need to refresh their browser. All members in groups assigned to this role are affected.
Delete a custom role
Click the menu button on any custom role and select “Delete role.” Deleting a role removes its permissions from all groups it was assigned to. Members in those groups lose the permissions the role granted, unless another role in their chain also grants them.
Assign groups to custom roles
Custom roles are assigned to groups, not directly to individual members. To assign a group to a role:
How permissions combine across multiple roles
If a member belongs to multiple groups with different custom roles, their permissions are additive—they get the union of all permissions from all roles in their chain. If any role grants a feature, the member has access to it.
This means you can't use one role to remove a permission granted by another role. This is by design — it enables a layered approach where a base role covers common features and additional roles layer on specific capabilities and admin permissions.
Example: A member is in two groups. The "All Users" group is assigned a "Standard Access" role with web search and memory. The "Engineering" group is assigned a "Developer" role with Cowork and Claude Code. The member gets all four: web search, memory, Cowork, and Claude Code.
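The sketch below is an added example, not Anthropic code or an Anthropic API. It models the additive rule for an access review: which capabilities a member ends up with, which roles all have to change before a capability is actually revoked, and who loses what if a role is deleted. The data model and function names are hypothetical, the sample data is constructed from the example above, and only the organization-level toggle and the role grants are modeled.

```python
"""Added example: effective access under additive custom roles (hypothetical data model)."""

# Constructed sample data mirroring the article's example; all names are illustrative.
ORG_ENABLED = {"web search", "memory", "Cowork", "Claude Code"}  # organization-level toggles
ROLE_GRANTS = {
    "Standard Access": {"web search", "memory"},
    "Developer": {"Cowork", "Claude Code"},
}
GROUP_ROLES = {"All Users": {"Standard Access"}, "Engineering": {"Developer"}}
MEMBER_GROUPS = {"alice": {"All Users", "Engineering"}, "bob": {"All Users"}}


def roles_for(member):
    """All roles in the member's chain, via every group they belong to."""
    return {r for g in MEMBER_GROUPS.get(member, ()) for r in GROUP_ROLES.get(g, ())}


def effective_capabilities(member, org_enabled=ORG_ENABLED, role_grants=ROLE_GRANTS):
    """Union of grants across the member's roles, gated by the organization toggle."""
    granted = set()
    for role in roles_for(member):
        granted |= role_grants.get(role, set())
    return granted & org_enabled


def granting_roles(member, capability, role_grants=ROLE_GRANTS):
    """Every role that must stop granting `capability` before the member loses it."""
    return {r for r in roles_for(member) if capability in role_grants.get(r, set())}


def deletion_impact(role, role_grants=ROLE_GRANTS):
    """Capabilities each member would lose if `role` were deleted."""
    remaining = {r: g for r, g in role_grants.items() if r != role}
    impact = {}
    for member in MEMBER_GROUPS:
        before = effective_capabilities(member, role_grants=role_grants)
        after = effective_capabilities(member, role_grants=remaining)
        if before - after:
            impact[member] = before - after
    return impact
```

Because grants are a union, `granting_roles` is the list to review when a capability needs to be taken away from a member: editing only one of the returned roles leaves access in place.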
Admin permissions
Custom roles can grant admin permissions in addition to capabilities and connector permissions. Admin permissions give members access to specific administrative areas, like billing or privacy, without making them Owners. You can configure admin permissions in the Permissions tab of the role editor.
Admin permission levels
On the Permissions tab, you set each permission area to one of three levels:
Within an area, you grant all of View or all of Manage. You can't grant or restrict individual pages or settings.
Available admin permissions
There are seven admin permission areas:
Available organization settings pages for each permission
What admin permissions don't cover
The following remain available only to Owners and Primary Owners, even for members with admin permissions:
What members see when admin permissions are restricted
If a member doesn’t have access to a specific admin permission, the section doesn't appear in their organization settings. Only sections their permissions cover are shown.
Connector permissions
Custom roles also control which connectors, and which tools on those connectors, a role can use. Where capabilities cover Claude’s built-in features, connector permissions cover the apps and services you’ve connected to your organization, such as Slack, Google Drive, or Jira. You set them on the Connectors tab of the role editor, next to the Capabilities and Permissions tabs.
Permission levels
On the Connectors tab, you set all connectors, each connector, or each tool on a connector, to one of three levels:
How connector access is determined
A connector or tool passes through several layers before a member can use it, evaluated in this order:
For members using Claude Code, one more layer applies: Managed Settings policies and connector permissions compose by most-restrictive. A tool is callable without a prompt only when both allow it. For more information, see Claude Code settings.
This table shows how the organization-wide tool policy and a member’s role grant combine:
Where connector permissions apply
Connector permissions are enforced on Anthropic’s servers, so they apply across every Claude surface that routes connector traffic through Anthropic:
Connector permissions govern connectors your organization has added under Organization settings > Connectors. They don’t govern connectors a member runs locally on their own machine, and they don’t govern Claude Cowork when it’s deployed on a third-party platform. For third-party Cowork deployments, use MDM instead. See Cowork on 3P: MCP, plugins, skills, and hooks.
What members see when a connector is restricted
Members can’t tell which layer restricted a tool. The message is the same whether the limit comes from the organization-wide tool policy, a role grant, or both. To find the source, compare the organization-wide policy with the member’s role grants.
What members see when capability access is restricted
When a capability is restricted, here’s what members see. For connector and tool restrictions, see Connector permissions above.