Claude Co-work has sophisticated permission controls. Unlike basic Team plans where everyone is either "member" or "admin," Co-work gives granular access at the workspace and Project level.
Here's how to set up permissions properly for security, organization, and effective collaboration.
## Co-work Permission Model
Co-work has two permission layers:
**Workspace Level:**
- Member role (can create Projects, join shared Projects)
- Admin role (full workspace management)
**Project Level:**
- Viewer (read-only access)
- Commenter (can view and comment, can't edit)
- Editor (full edit access)
- Owner (edit plus permission management)
This two-tier system lets you control both who's in your workspace and what they can do in specific Projects.
## Workspace Roles
### Member
**Can:**
- Create personal Projects
- Create shared Projects (if allowed by workspace settings)
- Access shared Projects they've been added to
- Use all Co-work features within their permissions
- Invite others to Projects they own
**Cannot:**
- Add/remove workspace members
- Access billing or subscription settings
- View all workspace Projects (only ones they're added to)
- Change workspace settings
- See usage analytics for other members
**When to use:** Default role for all regular team members.
### Admin
**Can:**
- Everything Members can do, plus:
- Add/remove workspace members
- Manage billing and subscription
- View all Projects in workspace (even if not explicitly added)
- Access workspace-wide analytics
- Configure workspace settings
- Assign/revoke admin status
- Provision and deprovision accounts
**Cannot:**
- Edit Projects they're not added to (can view only)
- Delete Projects they don't own without owner permission
**When to use:** Team leads, managers, and whoever manages the Co-work subscription.
## Project-Level Permissions
### Viewer
**Can:**
- View all conversation history
- See Project knowledge base content
- Read comments and discussions
- Export conversations (if workspace allows)
**Cannot:**
- Add new conversations or messages
- Edit existing content
- Leave comments
- Upload files to knowledge base
- Change Project settings
**Use cases:**
- Stakeholder visibility (clients, executives)
- Cross-team awareness (other departments seeing progress)
- Onboarding (new members learning before contributing)
- Auditors or compliance reviewers
### Commenter
**Can:**
- Everything Viewers can do, plus:
- Leave inline comments on conversations
- Reply to comment threads
- Tag teammates with @mentions
- Mark comments as resolved
**Cannot:**
- Create new conversations with Claude
- Edit Project knowledge base
- Change conversation history
- Modify Project settings
**Use cases:**
- Reviewers who give feedback but don't edit
- Approvers (can comment "approved" without changing content)
- Subject matter experts consulted for input
- Junior team members learning by observation
### Editor
**Can:**
- Everything Commenters can do, plus:
- Create new conversations with Claude
- Edit conversation history
- Upload and manage knowledge base files
- Use real-time collaboration features
- Invite others to Project (as Viewer or Commenter only)
**Cannot:**
- Delete the Project
- Change others' permission levels
- Remove the Project Owner
- Modify Project-level settings
**Use cases:**
- Active contributors to Project work
- Team members doing hands-on collaboration
- Anyone who needs to interact with Claude in the Project
### Owner
**Can:**
- Everything Editors can do, plus:
- Change any member's permissions (including adding Editors)
- Delete the Project
- Transfer ownership to another member
- Configure Project settings
- Remove any member from Project
**Cannot:**
- (Owners have full Project control)
**Use cases:**
- Project creator (default owner)
- Team lead responsible for Project
- Only 1-2 people should be Owner per Project
## Common Permission Patterns
### Client Projects
**Scenario:** Working with an external client who should be able to see progress
**Setup:**
- Internal team members: Editor
- Project lead: Owner
- Client stakeholders: Viewer
- Client points of contact: Commenter (can ask questions, request changes)
**Benefits:**
- Client sees real-time progress
- Can't accidentally modify work
- Can provide feedback via comments
- Internal team collaborates freely
### Cross-Functional Projects
**Scenario:** Product, Design, Engineering collaborating on feature
**Setup:**
- Product/Design/Engineering contributors: Editor
- Product lead: Owner
- Executives and stakeholders: Viewer
- Legal/compliance reviewers: Commenter
**Benefits:**
- Core team collaborates actively
- Stakeholders stay informed
- Reviewers can flag issues without disrupting work
### Knowledge Base Projects
**Scenario:** Company documentation, runbooks, SOPs
**Setup:**
- Documentation owners: Editor
- Department lead: Owner
- All other team members: Viewer
- Designated updaters: Editor (limited to specific people)
**Benefits:**
- Everyone can access information
- Controlled updates prevent knowledge drift
- Clear ownership of documentation
### Training Projects
**Scenario:** Onboarding new team members
**Setup:**
- New hires: Viewer (first 2 weeks)
- New hires: Commenter (weeks 3-4, can ask questions)
- New hires: Editor (once ramped up)
- Trainer/manager: Owner
**Benefits:**
- New hires learn by observation
- Can ask questions via comments
- Gradual increase in permissions as they ramp
## Workspace Settings
### Member Provisioning
**Options:**
- Admin-only invite (admins must manually add each member)
- Domain-based auto-join (anyone with @company.com email can join)
- Link-based invite (share invite link, anyone with link can join)
**Recommendation:** Domain-based for internal teams, admin-only for teams with external collaborators.
### Default Project Permissions
**Options:**
- Members can create shared Projects (default: Yes)
- New Projects default to private or team-visible
- Auto-add workspace members to new Projects (default: No)
**Recommendation:** Let members create Projects, but start private. Sharing is explicit.
### Export Controls
**Options:**
- Allow conversation exports (default: Yes)
- Require admin approval for exports
- Disable exports entirely
**Recommendation:** Allow exports for most teams, restrict for sensitive/regulated industries.
### Data Retention
**Options:**
- Retain all conversation history indefinitely (default)
- Auto-delete conversations after N days
- Allow members to delete their own conversations
**Recommendation:** Retain indefinitely for knowledge work, consider retention policies for compliance needs.
## Access Control Best Practices
### 1. Default to Least Privilege
Start restrictive, loosen as needed:
- New members: Viewer on shared Projects initially
- Promote to Commenter when they need to ask questions
- Promote to Editor when they're actively contributing
It is easier to add permissions later than to revoke them.
### 2. Limit Owners
Most Projects should have 1-2 Owners:
- Too many Owners = unclear accountability
- Owner can delete Project or remove others
- Use Editor for most active contributors
### 3. Use Viewer Generously
Viewer access costs nothing and increases transparency:
- Give related teams Viewer access to Projects
- Let stakeholders see progress without participating
- Onboard new members as Viewers first
### 4. Separate Workspaces for External Collaboration
If you collaborate with many external parties:
- Consider separate workspace for client/partner work
- Keep internal workspace for employee-only Projects
- Prevents accidental exposure of internal Projects
### 5. Regular Access Audits
Quarterly review:
- Who has access to each Project?
- Are permissions still appropriate?
- Remove access for departed team members
- Revoke unused accounts
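The quarterly review above can be partly automated. The following is an added example, not Co-work tooling or code from this article: it audits a project access matrix for departed members who still hold access and for the Owner limit from practice 2. The CSV layout, the sample rows, the roster and the rule that flags external accounts above Commenter are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: this column layout is an assumption, not a documented export format.
ACCESS_MATRIX_CSV = """project,email,role
Client Portal,lead@company.com,Owner
Client Portal,exec@client.example,Editor
Client Portal,contact@client.example,Commenter
Runbooks,lead@company.com,Owner
Runbooks,ops@company.com,Owner
Runbooks,former@company.com,Owner
Roadmap,dev@company.com,Editor
"""
# Constructed current workspace roster; former@company.com has departed.
ACTIVE_MEMBERS = {"lead@company.com", "ops@company.com", "dev@company.com",
                  "exec@client.example", "contact@client.example"}
ROLE_RANK = {"Viewer": 0, "Commenter": 1, "Editor": 2, "Owner": 3}  # Project roles, low to high
MAX_OWNERS = 2  # "Only 1-2 people should be Owner per Project"


def audit_access(matrix_csv, active_members, internal_domain="company.com"):
    """Return sorted (project, finding) tuples for the quarterly access review."""
    findings, owners = set(), defaultdict(set)
    for row in csv.DictReader(io.StringIO(matrix_csv)):
        project, email, role = row["project"], row["email"].lower(), row["role"]
        project_owners = owners[project]  # entry exists even if no Owner row appears
        if role not in ROLE_RANK:
            findings.add((project, f"unknown role {role!r} for {email}"))
            continue
        if role == "Owner":
            project_owners.add(email)
        if email not in active_members:
            findings.add((project, f"{email} holds {role} but is not an active member"))
        # Assumed policy: accounts outside the internal domain stay at Commenter or below.
        external = email.rsplit("@", 1)[-1] != internal_domain
        if external and ROLE_RANK[role] > ROLE_RANK["Commenter"]:
            findings.add((project, f"external account {email} holds {role}"))
    for project, who in owners.items():
        if not who:
            findings.add((project, "no Owner assigned"))
        elif len(who) > MAX_OWNERS:
            findings.add((project, f"{len(who)} Owners, limit is {MAX_OWNERS}"))
    return sorted(findings)


if __name__ == "__main__":
    for project, finding in audit_access(ACCESS_MATRIX_CSV, ACTIVE_MEMBERS):
        print(f"[{project}] {finding}")
```

Contractors who are meant to hold Editor would need an allowlist before the external-account check is treated as a violation rather than a prompt for review.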
## Security Scenarios
### Scenario 1: Employee Departure
**Steps:**
1. Admin removes member from workspace
2. All their Project access is automatically revoked
3. Projects they owned transfer to admin or designated owner
4. Their personal Projects are retained or deleted per policy
**Timeline:** This should happen on the same day as the departure, for security.
### Scenario 2: Contractor Engagement
**Setup:**
1. Add contractor as workspace Member
2. Add to specific Projects with Editor access
3. Don't add to internal/sensitive Projects
4. When engagement ends, remove from workspace
**Alternative:** Use Viewer/Commenter instead of full Member for short engagements.
### Scenario 3: Sensitive Project
**Setup:**
1. Create Project, keep private (don't share widely)
2. Explicitly add only required team members as Editors
3. Add reviewers as Commenters (can't export or screenshot)
4. Disable exports for this Project if extremely sensitive
5. Document who has access and why
### Scenario 4: Cross-Department Visibility
**Need:** Marketing wants to see what Product team is building
**Setup:**
1. Add Marketing members as Viewers to relevant Product Projects
2. They see progress and context
3. Can't edit or disrupt Product team's work
4. If Marketing needs to collaborate, promote specific people to Commenter
## Admin Dashboard
Co-work admins get analytics and controls:
**Usage Analytics:**
- Active members (who's using Co-work)
- Projects created over time
- Collaboration metrics (comments, edits)
- Most active Projects
**Member Management:**
- Add/remove workspace members
- Change roles (Member ↔ Admin)
- View each member's Projects
- Suspend accounts if needed
**Project Overview:**
- All workspace Projects (even ones you're not in)
- Owners and member counts
- Activity levels
- Permission distribution
**Billing:**
- Current seat count and cost
- Usage against limits
- Subscription management
- Invoice history
## Compliance and Audit
### SOC 2 / ISO 27001
For teams with compliance requirements:
**Access logging:**
- All permission changes are logged
- Who accessed which Projects when
- Admin actions tracked
**Permission reports:**
- Export of all members and roles
- Project access matrix
- Audit trail of changes
**Data controls:**
- Export restrictions
- Data retention policies
- Deletion capabilities
### GDPR Considerations
For teams with EU data:
**Right to access:** Users can export their data
**Right to deletion:** Admins can delete user data and conversations
**Data residency:** Check Anthropic's data processing agreement
## Quick Takeaway
Claude Co-work has two permission layers: workspace roles (Member/Admin) and Project permissions (Viewer/Commenter/Editor/Owner).
Best practice: Default to least privilege, use Viewer generously for transparency, limit Owners to 1-2 per Project, and audit access quarterly.
For client work, give clients Viewer access for transparency. For sensitive Projects, explicitly control membership and consider disabling exports.
Admins get full visibility and control over workspace, but can't edit Projects they're not added to without explicit access.