[Feature Request] Per-group / per-team scoping for server-managed settings
Summary
Server-managed settings currently apply uniformly to all users in an organisation. There is no way to scope settings (e.g. environment variables, permissions, hooks) to a specific subset of users such as a team or role group.
Use case
We are distributing shared API tokens to a subset of users (a specific engineering team) via server-managed settings env variables. Because settings are org-wide, we either expose the token to all users — which is broader than needed — or fall back to per-user manual setup, which defeats the purpose of centralised management.
Desired behaviour
The ability to scope server-managed settings to one or more user groups, for example:
- Tag-based: apply a settings profile to users with a given role or group tag in the admin console
- Multiple profiles: define N settings profiles, each assigned to a different subset of users
- Minimum viable version: a simple allow-list of users or email domains per profile
Current workarounds considered
- Separate Anthropic org/workspace per group — requires a separate contract
- MDM (Jamf/Intune) — scopes by device, not user; requires IT involvement
- Per-user
~/.claude/settings.json— not scalable for onboarding
Impact
Without this, centralised token/secret distribution is all-or-nothing at the org level, which conflicts with least-privilege principles for access to shared credentials. This is a blocker for using server-managed settings as the recommended distribution pattern for team-scoped shared tokens.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗