05 June
When an organization rolls out Claude AI to many people, IT asks: "How do we manage users, who can be admin, and how do we safely remove someone who leaves?" This article summarizes user management in Claude Team and Enterprise — roles, invite/remove, and the key difference: Team manages users manually, while Enterprise adds SCIM auto-provisioning tied to your Identity Provider, plus groups and role-based permissions.
In short
- Roles: Primary Owner, Owner, Admin, Member
- Team: self-managed admin console — invite/remove by email (members can invite each other)
- Enterprise: + SSO + SCIM auto-provision/deprovision from your IdP + groups + custom roles + granular permissions
- Offboarding: on Enterprise, removing from the IdP revokes Claude access immediately; the seat returns to the pool
Roles in Claude — who can do what
Claude separates user permissions into clear levels. Understand the roles first so you can assign them on a least-privilege basis.
| Role | Can do |
|---|---|
| Primary Owner | Top owner, highest rights (exempt from SCIM reconciliation) |
| Owner | Manage billing, seats, org settings |
| Admin | Manage members and settings (within scope) |
| Member | Use Claude normally + invite teammates by email |
Team vs Enterprise — how user management differs
This is the difference IT should know before choosing a plan — Team suits hands-on management, Enterprise suits organizations that must tie into a central identity system.
| Capability | Team | Enterprise |
|---|---|---|
| Admin console | ✓ | ✓ |
| Invite / remove (manual) | ✓ | ✓ |
| SSO (SAML/OIDC) | ✗ | ✓ |
| SCIM auto-provision/deprovision | ✗ | ✓ |
| Groups + custom roles | ✗ | ✓ |
| Granular permissions (API/models/token) | ✗ | ✓ |
See the plan-choice overview in Team vs Enterprise — which to choose.
How SCIM works — and why it matters for offboarding
SCIM (System for Cross-domain Identity Management) is the standard that lets Claude sync user lists with your Identity Provider (e.g. Entra ID, Okta) automatically — Enterprise only.
- Auto-provision — add a person in the IdP and assign the Claude app → they get a seat automatically (up to your plan's seat count).
- Auto-deprovision — remove them from the IdP → Claude access is revoked immediately; the seat returns to the pool.
- Primary Owner is exempt — not removed by SCIM reconciliation (prevents lockout).
- JIT provisioning — can be configured to create the account on first login.
Why SCIM offboarding matters: when an employee leaves, automatically revoking their Claude access the moment they're removed from the IdP reduces data-leak risk and makes audits easier, in line with your data governance.
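The provisioning rules listed above, modelled as one reconciliation pass over an IdP export and a member list (an added example, not code from Anthropic or from this article). The field names, the sample accounts and the assumption that every member, including the Primary Owner, occupies one seat are made up for illustration.

```python
# Added example: a model of SCIM-style reconciliation, not Anthropic's code.
# Field names ("email", "role", "assigned") are assumptions for this sketch.

def reconcile(idp_users, claude_members, seat_limit):
    """Return the changes a sync pass would make to match the IdP."""
    assigned = {u["email"].lower() for u in idp_users if u["assigned"]}
    current = {m["email"].lower(): m["role"] for m in claude_members}

    deprovision, exempt = [], []
    for email, role in sorted(current.items()):
        if email in assigned:
            continue
        # Primary Owner is never removed by reconciliation (prevents lockout).
        (exempt if role == "Primary Owner" else deprovision).append(email)

    # Seats freed by deprovisioning return to the pool before new users are added.
    seats_used = len(current) - len(deprovision)
    provision, waiting = [], []
    for email in sorted(assigned - set(current)):
        if seats_used < seat_limit:
            provision.append(email)
            seats_used += 1
        else:
            waiting.append(email)  # over the plan's seat count

    return {"deprovision": deprovision, "exempt": exempt,
            "provision": provision, "waiting": waiting,
            "seats_free": seat_limit - seats_used}

# Constructed sample data.
IDP_USERS = [
    {"email": "alice@example.com", "assigned": True},
    {"email": "bob@example.com", "assigned": False},   # left the company
    {"email": "carol@example.com", "assigned": True},  # new hire
    {"email": "dave@example.com", "assigned": True},   # new hire
]
CLAUDE_MEMBERS = [
    {"email": "owner@example.com", "role": "Primary Owner"},  # not in IdP
    {"email": "alice@example.com", "role": "Admin"},
    {"email": "bob@example.com", "role": "Member"},
]

if __name__ == "__main__":
    for action, value in reconcile(IDP_USERS, CLAUDE_MEMBERS, seat_limit=3).items():
        print(f"{action}: {value}")
```

Run against a real member export during a periodic review, a non-empty `deprovision` list on a manually managed plan is the set of accounts that offboarding missed.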
User-management best practice
- Least privilege — grant the lowest role that works; don't hand out Admin unnecessarily.
- Use groups (Enterprise) — group by department/role, then set permissions once.
- Tie offboarding to HR/IdP — let SCIM revoke access automatically when people leave.
- Set per-user spend limits (especially Claude Code users) to prevent token runaway — see Premium Seat.
- Review members periodically — find unused seats to downgrade or remove.
Summary
| If your organization... | Suits |
|---|---|
| Small team, can manage members by hand | Team |
| Must tie into a central IdP + auto offboarding + audit | Enterprise (SCIM) |
Good user management isn't just "adding people quickly" — it's "revoking access instantly and being able to audit it." For growing organizations with frequent turnover, SCIM and role-based permissions are what keep AI within a real governance boundary.
