CPN Learning Path CPN Connect On Demand Library All Courses Home

Security and Governance

Before anyone logs in, the governance layer needs to be set. This course covers managed-settings.json, the permission system, sandboxed execution, SSO and SCIM configuration, data retention controls, and how compliance requirements like SOC 2 and HIPAA map to the Claude platform.

rate limit

Code not recognized.

About this course

This course builds the client security onboarding you run in the pre-kickoff window. It follows a realistic client context, a financial services firm with specific compliance requirements, through each layer of Claude Code's governance model.

You'll start with managed-settings.json, the policy file that sits above every other settings layer. Deployed by IT via MDM, Group Policy, or the admin console, it cannot be overridden by any user or project setting. The course covers:

  • Which controls to set before anyone logs in, authentication method, MCP allowlist, org-wide CLAUDE.md instructions
  • The three delivery mechanisms (server-managed, MDM, file-based) and which fits different client IT environments
  • How to write org-level CLAUDE.md instructions that enforce policy without over-restricting and degrading Claude's output quality

The course then covers the rest of the governance stack:

  • The permission system: how Claude Code categorizes operations into allow, ask, and deny, and where an admin draws those lines for a regulated environment
  • Sandboxed bash execution and filesystem scoping, including how to answer the 'is Claude Code sandboxed?' question accurately (the answer depends on configuration and whether dev containers are in use)
  • SSO via SAML 2.0 or OIDC, SCIM provisioning, and IP allowlisting
  • Data retention controls: the difference between the no-training opt-out, custom retention, and Zero Data Retention, three separate mechanisms that answer three different questions from a security team
  • SOC 2 Type II, HIPAA, and where client-side controls layer in alongside Anthropic's own compliance posture

The practice exercise: complete a security onboarding questionnaire for the sample client persona. If you have admin access to a Claude Enterprise tenant, walk through the managed-settings and SSO/SCIM configuration there. The completed questionnaire is your course artifact.

Time In Skilljar (Measured) 1 Hour 8 MinutesPractice & Artifact Building (Estimated Time In Skilljar) 40 Min

Curriculum

  • Managed-settings.json: forced login, allow and deny MCP, hooks restrictions
  • Permission system and operation gating
  • Sandboxed bash execution and filesystem scoping
  • SSO (SAML, OIDC), SCIM, and IP allowlisting
  • ZDR, custom retention, data usage policy
  • SOC 2 Type II, HIPAA, and client controls

About this course

This course builds the client security onboarding you run in the pre-kickoff window. It follows a realistic client context, a financial services firm with specific compliance requirements, through each layer of Claude Code's governance model.

You'll start with managed-settings.json, the policy file that sits above every other settings layer. Deployed by IT via MDM, Group Policy, or the admin console, it cannot be overridden by any user or project setting. The course covers:

  • Which controls to set before anyone logs in, authentication method, MCP allowlist, org-wide CLAUDE.md instructions
  • The three delivery mechanisms (server-managed, MDM, file-based) and which fits different client IT environments
  • How to write org-level CLAUDE.md instructions that enforce policy without over-restricting and degrading Claude's output quality

The course then covers the rest of the governance stack:

  • The permission system: how Claude Code categorizes operations into allow, ask, and deny, and where an admin draws those lines for a regulated environment
  • Sandboxed bash execution and filesystem scoping, including how to answer the 'is Claude Code sandboxed?' question accurately (the answer depends on configuration and whether dev containers are in use)
  • SSO via SAML 2.0 or OIDC, SCIM provisioning, and IP allowlisting
  • Data retention controls: the difference between the no-training opt-out, custom retention, and Zero Data Retention, three separate mechanisms that answer three different questions from a security team
  • SOC 2 Type II, HIPAA, and where client-side controls layer in alongside Anthropic's own compliance posture

The practice exercise: complete a security onboarding questionnaire for the sample client persona. If you have admin access to a Claude Enterprise tenant, walk through the managed-settings and SSO/SCIM configuration there. The completed questionnaire is your course artifact.

Time In Skilljar (Measured) 1 Hour 8 MinutesPractice & Artifact Building (Estimated Time In Skilljar) 40 Min

Curriculum

  • Managed-settings.json: forced login, allow and deny MCP, hooks restrictions
  • Permission system and operation gating
  • Sandboxed bash execution and filesystem scoping
  • SSO (SAML, OIDC), SCIM, and IP allowlisting
  • ZDR, custom retention, data usage policy
  • SOC 2 Type II, HIPAA, and client controls