Skip to content

SOP-005: Security & IAM

DOCUMENT CONTROL

FieldValue
SOP IDSOP-005
Version1.0
StatusActive

Purpose

Configure security settings and Identity and Access Management for Claude Code.

Tool Permission System

Permission Levels

LevelBehaviorUse Case
allowAuto-approveSafe read operations
askEveryTimePrompt userWrite/Edit operations
denyAlways blockDangerous commands

Example Configuration

In settings.json:

  • "allow": ["Read", "Glob", "Grep"]
  • "deny": ["Bash(rm -rf:)", "Bash(sudo:)"]
  • "askEveryTime": ["Write", "Edit", "Bash"]

Protected Paths

Default protected locations:

  • ~/.ssh/ - SSH keys
  • ~/.aws/ - AWS credentials
  • ~/.gnupg/ - GPG keys
  • */.env - Environment files
  • **/secrets/ - Project secrets

Command Safety

Block dangerous patterns in deny list:

  • rm -rf operations
  • sudo commands
  • curl piped to bash

Enterprise IAM

For Claude for Enterprise:

  • Centralized permission management
  • Audit logging
  • SSO integration
  • Role-based access control

Best Practices

Security Recommendations

  1. Start restrictive - expand permissions as needed
  2. Review before approving changes
  3. Protect credential files
  4. Enable audit logging
  5. Use project-specific settings

Next Steps

Based on Official Claude Code Documentation