---
title: Anthropic Compliance user built-in role elevated to privileged
description: Datadog, the leading service for cloud-scale monitoring.
---

# Anthropic Compliance user built-in role elevated to privileged

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

Classification: attack

Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)

Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detects when a user's built-in organization role is elevated to a privileged role (`admin`, `owner`, `primary_owner`, or `membership_admin`). Catches both **admin-grants-another-user** privilege escalation and **self-elevation** scenarios, while suppressing SCIM-driven changes from the customer's IdP.

## Strategy{% #strategy %}

This rule monitors Anthropic Compliance activities for `claude_user_role_updated` where the post-change role (`@current_role`) is one of the built-in privileged roles. The query is grouped by both the actor (`@usr.email`) and the target (`@user_email`) so triage can immediately spot self-elevation (the two values match).

SCIM-driven role changes (`@actor.type:scim_directory_sync_actor`) are excluded because they originate from the customer's IdP and are audited upstream. Re-include them if monitoring IdP-driven privilege bumps is a requirement.

This rule covers the **built-in** role model (`user`/`developer`/`billing`/`admin`/`owner`/`primary_owner`/`membership_admin`/`claude_code_user`/`managed`). RBAC custom-role assignments are covered separately by `anthropic-compliance-admin-role-assignment-granted`.
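
The strategy above, run as plain Python over a few constructed events. This is an added example, not Datadog's rule query or code from the rule itself. The JSON layout, the `evt` key, the `example_user_actor` value, and the case-folding of email addresses are assumptions; the remaining names mirror the attributes the rule references.

```python
import json

PRIVILEGED = {"admin", "owner", "primary_owner", "membership_admin"}

# Constructed events. The JSON layout, the "evt" key and "example_user_actor"
# are assumptions; the other names mirror the attributes the rule references.
SAMPLE = [
    '{"evt":"claude_user_role_updated","usr":{"email":"alice@example.com"},"user_email":"bob@example.com","previous_role":"user","current_role":"admin","actor":{"type":"example_user_actor"}}',
    '{"evt":"claude_user_role_updated","usr":{"email":"Carol@example.com"},"user_email":"carol@example.com","previous_role":"developer","current_role":"owner","actor":{"type":"example_user_actor"}}',
    '{"evt":"claude_user_role_updated","user_email":"dave@example.com","previous_role":"user","current_role":"admin","actor":{"type":"scim_directory_sync_actor"}}',
    '{"evt":"claude_user_role_updated","usr":{"email":"alice@example.com"},"user_email":"erin@example.com","previous_role":"admin","current_role":"user","actor":{"type":"example_user_actor"}}',
    '{"evt":"claude_user_role_updated","user_email":"frank@example.com","previous_role":"billing","current_role":"membership_admin","actor":{"type":"admin_api_key_actor","admin_api_key_id":"PLACEHOLDER_KEY_ID"}}',
]


def norm(email):
    """Case-fold so the same identity written two ways still compares equal."""
    return email.strip().lower() if email else None


def detect(lines):
    """Return one finding per (actor, target) pair, as the rule's group-by does."""
    findings = {}
    for line in lines:
        e = json.loads(line)
        actor = e.get("actor", {})
        if e.get("evt") != "claude_user_role_updated":
            continue
        if e.get("current_role") not in PRIVILEGED:
            continue  # demotions and non-privileged changes are out of scope
        if actor.get("type") == "scim_directory_sync_actor":
            continue  # IdP-driven change, suppressed by the rule
        who = norm(e.get("usr", {}).get("email"))
        target = norm(e.get("user_email"))
        f = findings.setdefault((who, target), {"changes": [], "api_keys": set()})
        f["self_elevation"] = who is not None and who == target
        f["changes"].append((e.get("previous_role"), e["current_role"]))
        if actor.get("type") == "admin_api_key_actor":
            f["api_keys"].add(actor.get("admin_api_key_id"))  # owner to validate
    return findings


if __name__ == "__main__":
    for (who, target), f in detect(SAMPLE).items():
        print(who or "<no user email>", "->", target, f)
```
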

## Triage and response{% #triage-and-response %}

- Compare `{{@usr.email}}` with `{{@user_email}}` to identify self-elevation, where the actor and target are the same identity.
- Verify the actor has documented authority to grant `{{@current_role}}` to the target user.
- Review `@previous_role` and `@current_role` to assess the elevation magnitude.
- Check `@actor.type`; for `admin_api_key_actor`, identify `@actor.admin_api_key_id` and validate its scope and owner.
- Correlate either identity with recent `admin-invite-sent`, `suspicious-login`, `primary-owner-transferred`, `sso-disabled`, or `compliance-api-logging-disabled` signals.
- Revert unauthorized role changes and revoke the actor's active sessions, magic-link tokens, and owned admin API keys.
