Enterprise Best Practices & FAQ

⏱ Est. reading time: 3 min Updated on 5/8/2026

Managing Claude Code in an organization requires enforcing policies that individual users cannot bypass.

Managed Settings

Administrators can use managed-settings.json to lock down permissions:

{
  "permissions": {
    "defaultMode": "default",
    "disableBypassPermissionsMode": "disable",
    "disableAutoMode": "disable",
    "deny": ["Bash(curl * | bash)", "Bash(git push -f *)"]
  }
}

Scopes & Precedence

Managed settings: Impossible to override.
CLI Flags: Per-session overrides.
Project settings: .claude/settings.json (committed to git).
User settings: ~/.claude/settings.json.

Common FAQ

Q: Why is Auto mode unavailable for me? A: Check Lesson 05. You likely need a Max/Team plan or a specific model provider (Anthropic Direct).

Q: Can I use * for everything? A: Yes, Bash(*) matches everything. But it's safer to use Bash(npm *) or Bash(git *).

Q: Does it work in VS Code? A: Yes, use the mode indicator in the prompt box. VS Code uses mapping like "Ask before edits" → default.

Final Tip: For the best balance of speed and safety, set your project defaultMode to acceptEdits but add a deny rule for git push.

← Previous Protected Paths & Sandboxing