Stats
Actions
Tags
From anthropic-pack
Guides Anthropic enterprise setup for workspaces, Console roles, API keys, and Python RBAC implementation enforcing model access and rate limits.
How this skill is triggered — by the user, by Claude, or both
Slash command
/anthropic-pack:anth-enterprise-rbacThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Anthropic provides organization-level access control through Workspaces, API key scoping, and member roles via the Console at [console.anthropic.com](https://console.anthropic.com).
Anthropic provides organization-level access control through Workspaces, API key scoping, and member roles via the Console at console.anthropic.com.
Organization (billing entity)
├── Workspace: Production
│ ├── API Key: sk-ant-api03-prod-main-...
│ ├── API Key: sk-ant-api03-prod-batch-...
│ └── Rate limits: Tier 4
├── Workspace: Staging
│ ├── API Key: sk-ant-api03-stg-...
│ └── Rate limits: Tier 2
└── Workspace: Development
├── API Key: sk-ant-api03-dev-...
└── Rate limits: Tier 1
| Role | Capabilities |
|---|---|
| Owner | Full access, billing, member management |
| Admin | Manage workspaces, API keys, view usage |
| Developer | Create/revoke own API keys, view own usage |
| Billing | View invoices and usage reports only |
# Implement your own RBAC on top of Anthropic Workspaces
from enum import Enum
import anthropic
class UserRole(Enum):
VIEWER = "viewer" # Can read Claude responses (no direct API)
USER = "user" # Can send prompts (rate limited)
POWER_USER = "power" # Can use Opus, higher limits
ADMIN = "admin" # Can access all models, no limits
ROLE_CONFIG = {
UserRole.VIEWER: {"allowed": False},
UserRole.USER: {
"allowed": True,
"models": ["claude-haiku-4-20250514"],
"max_tokens": 512,
"rpm_limit": 10,
},
UserRole.POWER_USER: {
"allowed": True,
"models": ["claude-haiku-4-20250514", "claude-sonnet-4-20250514", "claude-opus-4-20250514"],
"max_tokens": 4096,
"rpm_limit": 60,
},
UserRole.ADMIN: {
"allowed": True,
"models": ["claude-haiku-4-20250514", "claude-sonnet-4-20250514", "claude-opus-4-20250514"],
"max_tokens": 8192,
"rpm_limit": 200,
},
}
def create_message(user_role: UserRole, model: str, **kwargs):
config = ROLE_CONFIG[user_role]
if not config["allowed"]:
raise PermissionError("Role does not allow API access")
if model not in config["models"]:
raise PermissionError(f"Role cannot access model: {model}")
kwargs["max_tokens"] = min(kwargs.get("max_tokens", 1024), config["max_tokens"])
client = anthropic.Anthropic()
return client.messages.create(model=model, **kwargs)
| Practice | Implementation |
|---|---|
| One key per service | prod-auth-service, prod-search-service |
| Rotate quarterly | Calendar reminder + automated rotation |
| Least privilege | Dev workspace for dev keys only |
| Audit trail | Log which key made each request |
| Revoke immediately | On employee departure or compromise |
| Issue | Cause | Fix |
|---|---|---|
| Key works in dev, fails in prod | Wrong workspace key | Verify key belongs to prod workspace |
| New team member can't access | Not added to workspace | Invite via Console > Members |
| Usage not visible | Viewing wrong workspace | Switch workspace in Console |
For major migration strategies, see anth-migration-deep-dive.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin anthropic-packConfigures Mistral AI enterprise RBAC via workspaces for team-scoped API keys, model restrictions, rate limits, and budgets. Includes bash API setup and TypeScript app enforcement.
Automates Anthropic Admin operations (API keys, usage, workspaces, org management) via Rube MCP and Composio toolkit. Always discovers current tool schemas before execution.
Implements multi-team API key management, model restrictions, and usage limits for Cohere enterprise API access control.