> For the complete documentation index, see [llms.txt](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/anthropic.md).

# Anthropic Claude Admin Platform

### Overview

The Veza integration for Anthropic Claude discovers the organizational structure, workspace membership, and API key inventory of the Anthropic Admin Platform, enabling governance of the credential and membership surface that underpins Claude usage.

The integration enables:

* Discovery of organization members and their role assignments (admin, developer, billing, user, claude\_code\_user)
* Mapping of workspace membership and workspace-level roles across your Anthropic organization
* Visibility into API keys, including workspace scope, creation date, and active/inactive status, surfaced as non-human identity (NHI) entities
* Correlation of Anthropic users with corporate identities from other connected identity providers via email, enabling cross-source access reviews
* Access reviews and alert rules based on organizational and workspace-level privileges
* Discovery of workspace-level managed agent resources — agents, tools, MCP servers, models, environments, vaults, and skills — surfaced as AI entities for agentic AI governance

See [Notes and supported entities](#notes-and-supported-entities) for details on discovered data.

### Prerequisites

Before configuring the integration:

* **Anthropic organization**: An Anthropic account with an active organization
* **Admin API key**: An Admin API key (starting with `sk-ant-admin...`) provisioned from the Anthropic Console. Only organization members with the `admin` role can create Admin API keys.
* **Workspace API keys** (for workspace-level discovery): To discover managed agent resources inside a workspace, each workspace needs its own workspace-scoped API key (starting with `sk-ant-api...`). The Admin API key discovers the workspaces; it cannot read workspace-internal agent resources. See [Workspace-level entity discovery (Managed Agents)](#workspace-level-entity-discovery-managed-agents).
* **Network connectivity**: Connection from Veza to the Anthropic API (`api.anthropic.com`) via a [deployed Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) or direct connection

### Configuring Anthropic

To connect Veza to your Anthropic organization, you will need to generate an Admin API key.

#### Generate an Admin API key

Admin API keys are distinct from standard API keys used for Claude model access. Only organization admins can provision them.

1. Sign in to the [Anthropic Console](https://console.anthropic.com/)
2. Navigate to **Settings** > **Admin API Keys**
3. Click **Create Admin Key**
4. Give the key a descriptive name (for example, "Veza Integration")
5. Copy the key immediately, as the Console will not display it again

For more details, see the [Anthropic Admin API documentation](https://docs.anthropic.com/en/docs/administration/admin-api).

### Configuring Anthropic Claude Admin Platform on the Veza platform

1. In Veza, go to the **Integrations** page
2. Click **Add Integration** and search for **Anthropic**
3. Click **Next** to begin configuration
4. Enter the required information (see table below)
5. Click **Create Integration** to save and start the first extraction

#### Configuration options

| Field             | Required | Notes                                                   |
| ----------------- | -------- | ------------------------------------------------------- |
| **Insight Point** | Yes      | Choose default data plane or a deployed Insight Point   |
| **Name**          | Yes      | Friendly name to identify this integration              |
| **Admin API Key** | Yes      | Anthropic Admin API key (starts with `sk-ant-admin...`) |

### Notes and supported entities

The Anthropic Claude Admin Platform integration discovers organizations, workspaces, users, and API keys. It models the organizational hierarchy and maps role-based access at both the organization and workspace levels.

#### Discovered entities

Veza discovers the following entity types:

* **Organization**: The top-level Anthropic account grouping
* **Workspace**: Logical groupings for segmenting projects and access control within an organization
* **User**: Organization members with role assignments at organization and workspace levels
* **API Key**: Credentials scoped to workspaces, surfaced as non-human identity (NHI) entities

#### Key attributes

**Organization**

| Veza Attribute    | Anthropic Attribute | Notes                                  |
| ----------------- | ------------------- | -------------------------------------- |
| `organization_id` | `id`                | Unique identifier for the organization |
| `display_name`    | `name`              | Organization display name              |

**User**

| Veza Attribute      | Anthropic Attribute | Notes                                                    |
| ------------------- | ------------------- | -------------------------------------------------------- |
| `user_id`           | `id`                | Unique identifier for the user                           |
| `email`             | `email`             | Email address, used for identity mapping                 |
| `display_name`      | `name`              | User display name                                        |
| `organization_role` | `role`              | Organization-level role (see Roles below)                |
| `added_at`          | `added_at`          | Timestamp when the organization added the user           |
| `Is Active`         | --                  | Always `true`; the Admin API only returns active members |

**Workspace**

| Veza Attribute           | Anthropic Attribute      | Notes                                                  |
| ------------------------ | ------------------------ | ------------------------------------------------------ |
| `workspace_id`           | `id`                     | Unique identifier for the workspace                    |
| `display_name`           | `name`                   | Workspace display name                                 |
| `Created At`             | `created_at`             | Workspace creation timestamp                           |
| `archived_at`            | `archived_at`            | Archive timestamp (if the workspace has been archived) |
| `settings_workspace_geo` | `settings.workspace_geo` | Data residency region for the workspace                |

**API Key**

| Veza Attribute       | Anthropic Attribute | Notes                                                      |
| -------------------- | ------------------- | ---------------------------------------------------------- |
| `api_key_id`         | `id`                | Unique identifier for the API key                          |
| `display_name`       | `name`              | API key display name                                       |
| `status`             | `status`            | Key status: `active`, `inactive`, `archived`, or `expired` |
| `Is Active`          | --                  | Derived from `status == "active"`                          |
| `Created At`         | `created_at`        | Key creation timestamp                                     |
| `Expires At`         | `expires_at`        | Key expiration timestamp (if set)                          |
| `created_by_user_id` | `created_by.id`     | The user who created the key                               |
| `workspace_id`       | `workspace_id`      | The workspace that scopes this key (if workspace-scoped)   |

#### Relationships

The integration models the following entity relationships:

| Source       | Relationship  | Target                          |
| ------------ | ------------- | ------------------------------- |
| Organization | has user      | User                            |
| Organization | has workspace | Workspace                       |
| Organization | has API key   | API Key                         |
| Workspace    | has user      | User (via workspace membership) |
| Workspace    | has API key   | API Key (workspace-scoped keys) |

#### Roles and permissions

Anthropic defines roles at two levels: organization-level and workspace-level.

**Organization roles**

| Role               | Description                                                                      |
| ------------------ | -------------------------------------------------------------------------------- |
| `admin`            | Full administrative access to the organization, all workspaces, and all API keys |
| `billing`          | Manage billing details and view organization information                         |
| `developer`        | View organization information                                                    |
| `user`             | View organization information                                                    |
| `claude_code_user` | View organization information (Claude Code access)                               |

{% hint style="info" %}
Organization admins are automatically granted `workspace_admin` access on all workspaces. Billing users inherit `workspace_billing` access on all workspaces.
{% endhint %}

**Workspace roles**

| Role                             | Description                                                                                                                                                      |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `workspace_admin`                | Full administrative access to the workspace, including member and API key management                                                                             |
| `workspace_developer`            | View workspace details and members, manage API keys scoped to the workspace                                                                                      |
| `workspace_restricted_developer` | Equivalent to `workspace_developer` at the Admin API level. Console UI restrictions (no session tracing, no file download) have no corresponding API privileges. |
| `workspace_user`                 | View workspace details and member list                                                                                                                           |
| `workspace_billing`              | View workspace existence for cost attribution                                                                                                                    |

#### Effective permissions

Veza maps Anthropic permissions to these effective permission types:

| Effective Permission | Description                                                                                   |
| -------------------- | --------------------------------------------------------------------------------------------- |
| **Metadata Read**    | View entities and list operations (LIST\_USER, READ\_WORKSPACE, LIST\_API\_KEY, and similar)  |
| **Metadata Write**   | Change entities (UPDATE\_USER\_ROLE, UPDATE\_WORKSPACE, UPDATE\_API\_KEY, MANAGE\_BILLING)    |
| **Metadata Create**  | Create entities (CREATE\_WORKSPACE, CREATE\_INVITE, ADD\_WORKSPACE\_MEMBER)                   |
| **Metadata Delete**  | Remove entities (REMOVE\_USER, DELETE\_INVITE, ARCHIVE\_WORKSPACE, REMOVE\_WORKSPACE\_MEMBER) |

### Workspace-level entity discovery (Managed Agents)

Beyond organizational structure, Veza can discover **managed agent resources inside each workspace**. These entities represent the agents, tools, models, and supporting resources that make up your agentic AI footprint.

#### How it works

1. The Admin API key you configured on the integration enumerates every active workspace in your organization.
2. Veza creates a **separate data source for each discovered workspace**. Each new data source starts in an *awaiting credentials* state until you provide its workspace API key.
3. You supply a **workspace-scoped API key** (`sk-ant-api...`) for each workspace you want to discover. Attach it as a data-source-level secret reference — see [Data source level secret references](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/secrets-vaults/secret-references-api.md#data-source-level-secret-references). The `secret_mapping.mapping` value is `workspace_api_key`.

{% hint style="info" %}
The workspace API key is a standard workspace-scoped key (`sk-ant-api...`), distinct from the organization Admin API key (`sk-ant-admin...`) used at the integration level.
{% endhint %}

#### Discovered workspace entities

| Entity          | Description                                                             | Key attributes                                                                                                                                     |
| --------------- | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Agent**       | A managed agent, modeled as an AI agent entity                          | `agent_id`, `model_id`, `version`, `is_coordinator`, `delegated_agent_count`, `tool_entry_count`, `mcp_server_count`, `skill_count`, `is_archived` |
| **Tool**        | A tool an agent can invoke                                              | `tool_name`, `tool_type`, `toolset_type`                                                                                                           |
| **MCP Server**  | An MCP server that exposes tools (synthesized from agent configuration) | `server_url`, `server_type`                                                                                                                        |
| **Model**       | A Claude model available to the workspace                               | `model_id`, `display_name`, `max_input_tokens`, `max_tokens`, `capabilities`                                                                       |
| **Environment** | An agent execution environment                                          | `environment_id`, `networking_type`, `allowed_hosts`                                                                                               |
| **Vault**       | A workspace vault                                                       | `vault_id`, `display_name`                                                                                                                         |
| **Skill**       | An agent skill                                                          | `skill_id`, `display_title`, `source`                                                                                                              |

#### Relationships

| Source     | Relationship    | Target                         |
| ---------- | --------------- | ------------------------------ |
| Workspace  | has agent       | Agent                          |
| Workspace  | has environment | Environment                    |
| Workspace  | has vault       | Vault                          |
| Workspace  | has skill       | Skill                          |
| Agent      | delegates to    | Agent (for coordinator agents) |
| MCP Server | exposes         | Tool                           |

{% hint style="info" %}
Skills are discovered only for workspaces enrolled in Anthropic's managed agent skills beta. A workspace without skills enrollment returns no skill entities (this is not an error).
{% endhint %}

#### Workspace-level access

Access to managed agent resources is derived by joining workspace membership (discovered by the Anthropic Claude Admin Platform data source) to the discovered resources. **Both the Admin Platform and Managed Agents data sources must be active** for these access relationships to appear. Workspace roles map to two access tiers:

| Workspace role                                                             | Access tier       |
| -------------------------------------------------------------------------- | ----------------- |
| `workspace_admin`, `workspace_developer`, `workspace_restricted_developer` | Full (read/write) |
| `workspace_user`, `workspace_billing`                                      | Read-only         |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/anthropic.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
