[Feature Request] Per-group / per-team scoping for server-managed settings

Resolved 💬 2 comments Opened May 21, 2026 by rodrigo-leal-usercentrics Closed May 25, 2026

Summary

Server-managed settings currently apply uniformly to all users in an organisation. There is no way to scope settings (e.g. environment variables, permissions, hooks) to a specific subset of users such as a team or role group.

Use case

We are distributing shared API tokens to a subset of users (a specific engineering team) via server-managed settings env variables. Because settings are org-wide, we either expose the token to all users — which is broader than needed — or fall back to per-user manual setup, which defeats the purpose of centralised management.

Desired behaviour

The ability to scope server-managed settings to one or more user groups, for example:

  • Tag-based: apply a settings profile to users with a given role or group tag in the admin console
  • Multiple profiles: define N settings profiles, each assigned to a different subset of users
  • Minimum viable version: a simple allow-list of users or email domains per profile

Current workarounds considered

  • Separate Anthropic org/workspace per group — requires a separate contract
  • MDM (Jamf/Intune) — scopes by device, not user; requires IT involvement
  • Per-user ~/.claude/settings.json — not scalable for onboarding

Impact

Without this, centralised token/secret distribution is all-or-nothing at the org level, which conflicts with least-privilege principles for access to shared credentials. This is a blocker for using server-managed settings as the recommended distribution pattern for team-scoped shared tokens.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗