What's new in Claude admin controls: groups, spend limits, and compliance
In brief
Anthropic added a significant set of admin capabilities in April 2026: user groups with custom roles, per-user spend caps, managed Claude Code policies, and a new Compliance API for Enterprise. Here's what each control does and which plan it requires.
Contents
Anthropic shipped a meaningful batch of admin controls in April 2026, alongside the launch of Claude Code on Team and Enterprise plans. If you manage Claude for your organization, several of these change what you can actually do in the admin panel.
This covers what's new, what each control does, and which plan it applies to.
User groups and role-based access
You can now organize users into groups and assign each group a custom role that defines which Claude capabilities they can access.
Groups can be created manually in the admin panel, or synced automatically from your identity provider via SCIM (System for Cross-domain Identity Management). If your company uses Okta, Azure AD, or a similar IdP, SCIM sync means group membership updates automatically when someone joins or leaves a team — you don't manage it manually.
Each group gets a role that controls:
- Which Claude products (Chat, Cowork, Code) the group can use
- Which tools and MCP servers are available
- File access permissions
- Any restrictions specific to the department or role
What this solves: Previously, all users in an org had the same capabilities. If you wanted to give your engineering team access to Claude Code but not expose it to everyone, you had no way to do that. Now you can.
Available on: Team and Enterprise plans.
Per-user spend controls
Admins can now set spending limits at two levels:
- Organization-wide — a monthly ceiling for the whole org
- Per-user — a limit for individual accounts
This matters most for orgs using Claude Code or extra usage beyond the base plan. When a user hits their limit, they can continue with standard usage but the overage stops. Admins set the caps; users see their current usage and remaining budget.
Available on: Team and Enterprise plans.
Managed Claude Code policies
If your org is on Team or Enterprise with Claude Code enabled, admins can now push and enforce Claude Code configurations across all developer accounts.
Manageable settings include:
- Which tools Claude Code is allowed to use
- File access restrictions (which directories or repos Claude Code can touch)
- Which MCP servers are permitted
- Usage policies aligned to your internal security guidelines
This means a developer on your team doesn't have to manually configure these — and can't override them. The settings deploy centrally and apply to the desktop app and terminal sessions.
What this solves: Teams running Claude Code were previously relying on individual developers to configure CLAUDE.md files and personal settings correctly. Managed policies let ops/security teams enforce a consistent baseline without depending on each developer to get it right.
Available on: Team and Enterprise plans.
Claude Code usage analytics
The admin panel now includes Claude Code usage metrics across your org:
- Lines of code accepted
- Suggestion accept rate
- Usage patterns by user and team
- Session volume over time
These integrate with the Analytics API, so you can pull them into your existing dashboards. OpenTelemetry is supported for teams running observability infrastructure.
Available on: Team and Enterprise plans.
Compliance API (Enterprise only)
Enterprise plans now have programmatic access to usage data and customer content via a new Compliance API.
What this enables:
- Real-time access to Claude usage logs and conversation content
- Integration with existing compliance dashboards (Splunk, Datadog, etc.)
- Automated policy enforcement — flag conversations matching criteria, trigger alerts
- Selective deletion — remove specific conversations or user data via API for data retention management
This is primarily for legal, compliance, and security teams who need to monitor AI usage for regulatory or policy reasons, or who need to demonstrate compliance in audits.
Available on: Enterprise plans only.
Self-serve seat management
Team and Enterprise admins can now purchase seats, adjust seat count, and provision users directly from the admin panel — without going through account management. This covers:
- Adding seats as the team grows
- Removing seats when people leave
- Provisioning new users directly
Available on: Team and Enterprise plans.
Summary table
| Control | What it does | Plan |
|---|---|---|
| User groups + SCIM | Organize users into teams; sync from IdP | Team + Enterprise |
| Custom roles | Define which Claude features each group can access | Team + Enterprise |
| Per-user spend caps | Set monthly usage ceilings by user or org | Team + Enterprise |
| Managed Claude Code policies | Push tool/file/MCP settings to all developers | Team + Enterprise |
| Usage analytics | Lines accepted, accept rate, session volume | Team + Enterprise |
| Compliance API | Programmatic access to logs + selective deletion | Enterprise only |
| Self-serve seat management | Buy seats, provision users from admin panel | Team + Enterprise |
What to do right now
If you're an IT admin or org Owner: Check your admin panel at claude.com/settings/organization. The new controls are live — you don't need to request access.
If you use an IdP like Okta or Azure AD: SCIM sync is the highest-leverage thing to set up first. It keeps group membership current automatically and saves ongoing manual work.
If you have Claude Code on your plan: Review the managed policies before rolling them out — the default settings are permissive. Setting tool restrictions and file access limits now is easier than unwinding an incident later.
Related: Getting IT approval for Claude · Ask Your Org guide · Setting up Claude for your team