[FEATURE] Machine-level policy that cannot be overridden by user's organizational server-managed settings — needed for shared/HPC infrastructure

Open 💬 1 comment Opened Jun 23, 2026 by kratsg

Use Case

Shared computing facilities (HPC clusters, university compute platforms, national labs) run Claude Code in a multi-tenant environment where:

  • The facility owns and administers the machines
  • Users bring their own Claude Code licenses, potentially from their own organizations with their own Anthropic enterprise/server-managed settings

The current managed settings precedence (server-managed > file-based) means a user's organizational server-managed policy silently overrides anything the facility deploys in /etc/claude-code/managed-settings.json. The facility has no reliable way to enforce machine-level policy.

Concrete example

A facility wants to prevent Claude Code from autonomously submitting or querying HTCondor batch jobs (condor_*) to avoid runaway workloads. Users should still be able to run condor_q themselves from their terminal — only Claude Code should be restricted. The facility deploys a deny: ["Bash(condor_*)"] rule in managed-settings.json, but it is zeroed out by the user's org's empty or conflicting server-managed policy.

Request

Introduce a host/machine policy tier that sits above server-managed in the precedence chain — or alternatively, allow file-based managed settings to declare themselves non-overridable by user org policies:

{
  "hostPolicyPrecedence": "above-server-managed",
  "permissions": {
    "deny": ["Bash(condor_*)"]
  }
}

Or a merge mode where host deny rules are always unioned with (never replaced by) org server-managed settings:

{ "denyMergeMode": "always-union" }

Why this matters

The current model assumes the machine administrator and the Claude Code organizational administrator are the same entity. For shared infrastructure this is never true. Facilities cannot currently enforce any meaningful policy on Claude Code usage on their own hardware without resorting to OS-level workarounds (process ancestry wrapper scripts, AppArmor profiles, etc.) that are fragile and unrelated to Claude Code.

This is a common pattern in enterprise IT: machine policy (Group Policy, MDM) enforces a floor that individual user/org policies cannot undercut. Claude Code needs an equivalent for shared infrastructure operators.

Related

  • #70181 — empty server-managed settings (304 cached) zero out local managed-settings.json deny/allow rules

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗