SOP-005: Security & IAM
DOCUMENT CONTROL
| Field | Value |
|---|---|
| SOP ID | SOP-005 |
| Version | 1.0 |
| Status | Active |
Purpose
Configure security settings and Identity and Access Management for Claude Code.
Tool Permission System
Permission Levels
| Level | Behavior | Use Case |
|---|---|---|
| allow | Auto-approve | Safe read operations |
| askEveryTime | Prompt user | Write/Edit operations |
| deny | Always block | Dangerous commands |
Example Configuration
In settings.json:
- "allow": ["Read", "Glob", "Grep"]
- "deny": ["Bash(rm -rf:)", "Bash(sudo:)"]
- "askEveryTime": ["Write", "Edit", "Bash"]
Protected Paths
Default protected locations:
- ~/.ssh/ - SSH keys
- ~/.aws/ - AWS credentials
- ~/.gnupg/ - GPG keys
- */.env - Environment files
- **/secrets/ - Project secrets
Command Safety
Block dangerous patterns in deny list:
- rm -rf operations
- sudo commands
- curl piped to bash
Enterprise IAM
For Claude for Enterprise:
- Centralized permission management
- Audit logging
- SSO integration
- Role-based access control
Best Practices
Security Recommendations
- Start restrictive - expand permissions as needed
- Review before approving changes
- Protect credential files
- Enable audit logging
- Use project-specific settings