PromptArmor
Blogs

Blog

How Claude Groups and Roles Enable Your Rollout

Use Claude's groups and roles to pilot features with specific teams, scope connectors and tool-approval modes per use case, and plan around the limits that affect a rollout.

Claude organizations have four roles: Owner, Admin, User, and Custom. This guide covers custom roles. Custom roles give each user the exact access their work needs - we recommend that everyone use Custom roles.

Deploying Claude in Your Organization?

What groups and roles solve

  • Partial rollouts. Pilot a feature with one group before turning it on for everyone.
  • Different use cases. Give each team the settings and capabilities its work requires.
  • Partitioned connector access. Control which connectors a role can use, and how each tool is approved before running (always allow or needs approval).

Nuances and limitations

  • A custom role is required. A user's type must be set to a custom role, or the role assigned through their group does nothing.
  • Multiple roles resolve permissively. A user in more than one role gets the most permissive combination, not the most restrictive.
    Note: When a connector is restricted both in the role and in your organization settings, the more restrictive of the two applies.
  • Coverage is incomplete. Not every setting and feature is configurable at the role level.
  • Roles can only narrow the tenant. The tenant has to hold the maximum capability set and each role restricts down from it, so you cannot lock the tenant down and give specific roles extra access on top.

How to configure groups and roles

Step 1: Create a role

Organization Settings > Roles > Custom Roles > Add Role

A role scopes four things: the default model its members use, its capabilities, its admin permissions, and its connector access. Set each one, then save the role.

Role-Level Controls

What a custom role can scope

One role sets a default model plus the controls below.

Each capability is an on/off toggle. Connectors take an approval mode (Deny, Always Allow, or Needs Approval); admin permissions take an access level (No access, Can view, or Can manage).

Follows your organization's setting and stays off for the role until it is enabled at the organization level.

Capabilities not listed here can't yet be configured per role and follow your organization's settings.

Core
  • Chat
  • Code execution & file creation
  • Memory
  • Public projects
  • Web search
Skills
  • Create skills
  • Share with org members
  • Share with full org
Claude Code
  • Claude Code
  • Claude Security
  • Fast mode
  • Workflows
Labs, Cowork & Browser
  • Claude Design
  • Cowork
  • Claude in Chrome
Connectors
  • Deny
  • Always Allow
  • Needs Approval

Set one mode for every connector or tune it connector by connector.

Admin permissions
  • Identity & Access
  • Billing
  • Analytics
  • Privacy
  • User Management
  • Libraries
  • Directory
  • Claude Design Admin

Step 2: Create a group

Organization Settings > Groups > Groups > Add Group

Name the group and add the members who should share this role’s configuration.

Step 3: Assign each member to the custom role

Assigning the role to a group does not apply it on its own. Each member’s user type has to be set to the custom role, or none of the role’s settings take effect.

Organization Settings > Members > Role: Custom
Want all configurations to securely deploy Claude?

PromptArmor Threat Intelligence

Is your organization protected from AI vendor risks?

PromptArmor continuously monitors your vendor portfolio for vulnerabilities and changes like this — surfacing risk before it becomes an incident.

Book a demo