gh-rafaelcalleja-claude-mar…/skills/claude-code/references/enterprise-features.md

# Enterprise Features

Enterprise deployment, security, compliance, and monitoring for Claude Code.

## Identity & Access Management

### SSO Integration

Support for SAML 2.0 and OAuth 2.0:

```json
{
  "auth": {
    "type": "saml",
    "provider": "okta",
    "entityId": "claude-code",
    "ssoUrl": "https://company.okta.com/app/saml",
    "certificate": "/path/to/cert.pem"
  }
}
```

**Supported providers:**
- Okta
- Azure AD
- Google Workspace
- OneLogin
- Auth0

### Role-Based Access Control (RBAC)

Define user roles and permissions:

```json
{
  "rbac": {
    "roles": {
      "developer": {
        "permissions": ["code:read", "code:write", "tools:use"]
      },
      "reviewer": {
        "permissions": ["code:read", "code:review"]
      },
      "admin": {
        "permissions": ["*"]
      }
    }
  }
}
```

### User Management

Centralized user provisioning:

```bash
# Add user
claude admin user add user@company.com --role developer

# Remove user
claude admin user remove user@company.com

# List users
claude admin user list

# Update user role
claude admin user update user@company.com --role admin
```

## Security & Compliance

### Sandboxing

Filesystem and network isolation:

```json
{
  "sandboxing": {
    "enabled": true,
    "mode": "strict",
    "filesystem": {
      "allowedPaths": ["/workspace"],
      "readOnlyPaths": ["/usr/lib", "/etc"],
      "deniedPaths": ["/etc/passwd", "/etc/shadow"]
    },
    "network": {
      "enabled": false,
      "allowedDomains": ["api.anthropic.com"]
    }
  }
}
```

### Audit Logging

Comprehensive activity logs:

```json
{
  "auditLog": {
    "enabled": true,
    "destination": "syslog",
    "syslogHost": "logs.company.com:514",
    "includeToolCalls": true,
    "includePrompts": false,
    "retention": "90d"
  }
}
```

**Log format:**
```json
{
  "timestamp": "2025-11-06T10:30:00Z",
  "user": "user@company.com",
  "action": "tool_call",
  "tool": "bash",
  "args": {"command": "git status"},
  "result": "success"
}
```

### Data Residency

Region-specific deployment:

```json
{
  "region": "us-east-1",
  "dataResidency": {
    "enabled": true,
    "allowedRegions": ["us-east-1", "us-west-2"]
  }
}
```

### Compliance Certifications

- **SOC 2 Type II**: Security controls
- **HIPAA**: Healthcare data protection
- **GDPR**: EU data protection
- **ISO 27001**: Information security

## Deployment Options

### Amazon Bedrock

Deploy via AWS Bedrock:

```json
{
  "provider": "bedrock",
  "region": "us-east-1",
  "model": "anthropic.claude-sonnet-4-5",
  "credentials": {
    "accessKeyId": "${AWS_ACCESS_KEY_ID}",
    "secretAccessKey": "${AWS_SECRET_ACCESS_KEY}"
  }
}
```

### Google Vertex AI

Deploy via GCP Vertex AI:

```json
{
  "provider": "vertex",
  "project": "company-project",
  "location": "us-central1",
  "model": "claude-sonnet-4-5",
  "credentials": "/path/to/service-account.json"
}
```

### Self-Hosted

On-premises deployment:

**Docker:**
```bash
docker run -d \
  -v /workspace:/workspace \
  -e ANTHROPIC_API_KEY=$API_KEY \
  anthropic/claude-code:latest
```

**Kubernetes:**
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: claude-code
spec:
  replicas: 3
  template:
    spec:
      containers:
      - name: claude-code
        image: anthropic/claude-code:latest
        env:
        - name: ANTHROPIC_API_KEY
          valueFrom:
            secretKeyRef:
              name: claude-secrets
              key: api-key
```

### LLM Gateway

Integration with LiteLLM:

```json
{
  "gateway": {
    "enabled": true,
    "url": "http://litellm-proxy:4000",
    "apiKey": "${GATEWAY_API_KEY}"
  }
}
```

## Monitoring & Analytics

### OpenTelemetry

Built-in telemetry support:

```json
{
  "telemetry": {
    "enabled": true,
    "exporter": "otlp",
    "endpoint": "http://otel-collector:4317",
    "metrics": true,
    "traces": true,
    "logs": true
  }
}
```

### Usage Analytics

Track team productivity metrics:

```bash
# Get usage report
claude analytics usage --start 2025-11-01 --end 2025-11-06

# Get cost report
claude analytics cost --group-by user

# Export metrics
claude analytics export --format csv > metrics.csv
```

**Metrics tracked:**
- Requests per user/project
- Token usage
- Tool invocations
- Session duration
- Error rates
- Cost per user/project

### Custom Dashboards

Build org-specific dashboards:

```python
from claude_code import Analytics

analytics = Analytics(api_key=API_KEY)

# Get metrics
metrics = analytics.get_metrics(
    start="2025-11-01",
    end="2025-11-06",
    group_by="user"
)

# Create visualization
dashboard = analytics.create_dashboard(
    metrics=metrics,
    charts=["usage", "cost", "errors"]
)
```

### Cost Management

Monitor and control API costs:

```json
{
  "costControl": {
    "enabled": true,
    "budgets": {
      "monthly": 10000,
      "perUser": 500
    },
    "alerts": {
      "threshold": 0.8,
      "recipients": ["admin@company.com"]
    }
  }
}
```

## Network Configuration

### Proxy Support

HTTP/HTTPS proxy configuration:

```bash
export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1,company.internal
```

### Custom CA

Trust custom certificate authorities:

```bash
export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/company-ca.crt
```

### Mutual TLS (mTLS)

Client certificate authentication:

```json
{
  "mtls": {
    "enabled": true,
    "clientCert": "/path/to/client-cert.pem",
    "clientKey": "/path/to/client-key.pem",
    "caCert": "/path/to/ca-cert.pem"
  }
}
```

### IP Allowlisting

Restrict access by IP:

```json
{
  "ipAllowlist": {
    "enabled": true,
    "addresses": [
      "10.0.0.0/8",
      "192.168.1.0/24",
      "203.0.113.42"
    ]
  }
}
```

## Data Governance

### Data Retention

Configure data retention policies:

```json
{
  "dataRetention": {
    "conversations": "30d",
    "logs": "90d",
    "metrics": "1y",
    "backups": "7d"
  }
}
```

### Data Encryption

Encryption at rest and in transit:

```json
{
  "encryption": {
    "atRest": {
      "enabled": true,
      "algorithm": "AES-256-GCM",
      "keyManagement": "aws-kms"
    },
    "inTransit": {
      "tlsVersion": "1.3",
      "cipherSuites": ["TLS_AES_256_GCM_SHA384"]
    }
  }
}
```

### PII Protection

Detect and redact PII:

```json
{
  "piiProtection": {
    "enabled": true,
    "detectPatterns": ["email", "ssn", "credit_card"],
    "action": "redact",
    "auditLog": true
  }
}
```

## High Availability

### Load Balancing

Distribute requests across instances:

```yaml
# HAProxy configuration
frontend claude_front
  bind *:443 ssl crt /etc/ssl/certs/claude.pem
  default_backend claude_back

backend claude_back
  balance roundrobin
  server claude1 10.0.1.10:8080 check
  server claude2 10.0.1.11:8080 check
  server claude3 10.0.1.12:8080 check
```

### Failover

Automatic failover configuration:

```json
{
  "highAvailability": {
    "enabled": true,
    "primaryRegion": "us-east-1",
    "failoverRegions": ["us-west-2", "eu-west-1"],
    "healthCheck": {
      "interval": "30s",
      "timeout": "5s"
    }
  }
}
```

### Backup & Recovery

Automated backup strategies:

```bash
# Configure backups
claude admin backup configure \
  --schedule "0 2 * * *" \
  --retention 30d \
  --destination s3://backups/claude-code

# Manual backup
claude admin backup create

# Restore from backup
claude admin backup restore backup-20251106
```

## See Also

- Network configuration: https://docs.claude.com/claude-code/network-config
- Security best practices: `references/best-practices.md`
- Monitoring setup: https://docs.claude.com/claude-code/monitoring
- Compliance: https://docs.claude.com/claude-code/legal-and-compliance