Faster Claude

Configure permissions

Control what Claude Code can access and do with fine-grained permission rules, modes, and managed policies.

Claude Code supports fine-grained permissions. Permission settings can be checked into version control and distributed to your organization.

Permission system

Tool typeExampleApproval required
Read-onlyFile reads, GrepNo
Bash commandsShell executionYes
File modificationEdit/write filesYes

Manage permissions

View and manage permissions with /permissions. Lists rules and which settings.json they come from.

  • Allow — use the tool without manual approval
  • Ask — prompt for confirmation
  • Deny — prevent use

Rules are evaluated deny → ask → allow. First match wins.

A bare tool name like Bash removes the tool from Claude's context entirely. A scoped rule like Bash(rm *) blocks matching calls when attempted.

Permission rules are enforced by Claude Code, not the model. CLAUDE.md shapes what Claude tries; permissions control what is allowed.

Permission modes

Set defaultMode in settings. See Permission modes.

ModeDescription
defaultPrompts on first use of each tool
acceptEditsAuto-accepts file edits and common fs commands in scope
planRead-only exploration; no source edits
autoAuto-approve with background safety checks (research preview)
dontAskAuto-deny unless pre-approved
bypassPermissionsSkips all prompts — containers/VMs only

bypassPermissions still prompts for rm -rf / and rm -rf ~. Set permissions.disableBypassPermissionsMode or permissions.disableAutoMode to "disable" in managed settings to block these modes.

Permission rule syntax

Format: Tool or Tool(specifier).

{
  "permissions": {
    "allow": [
      "Bash(npm run *)",
      "Bash(git commit *)",
      "Bash(git * main)",
      "Bash(* --version)"
    ],
    "deny": [
      "Bash(git push *)"
    ]
  }
}

Bash(*) is equivalent to Bash for matching all Bash commands.

Bash

  • Bash(npm run build) — exact command
  • Bash(npm run test *) — prefix with word boundary at *
  • Bash(git *) — matches multi-arg commands
  • Compound commands (&&, |, ;) — each part matched separately
  • Wrappers timeout, nice, nohup, stdbuf stripped before matching
  • Built-in read-only commands (ls, grep, git status, etc.) often run without prompts

Denying entire Bash or WebFetch invalidates prompt cache on the next turn.

For URL restrictions in Bash, prefer WebFetch(domain:example.com) allow rules, deny curl/wget, or PreToolUse hooks — Bash(curl http://github.com/*) patterns are fragile.

Read and Edit

Patterns follow gitignore-style anchors:

PatternMeaning
//pathAbsolute from filesystem root
~/pathFrom home directory
/pathRelative to project root
path or ./pathRelative to current directory

Edit applies to all built-in edit tools. Read rules apply to read tools, @file mentions, and IDE-shared context.

Deny on symlinks blocks if either the link path or target matches.

WebFetch

WebFetch(domain:example.com) matches fetch requests to that domain.

MCP

mcp__puppeteer, mcp__puppeteer__*, or mcp__puppeteer__puppeteer_navigate.

Agent (subagents)

Agent(Explore), Agent(Plan), Agent(my-custom-agent) in allow or deny arrays.

Extend permissions with hooks

PreToolUse hooks run before the permission prompt. Hook deny (exit code 2) blocks before rules are evaluated. Deny/ask rules still apply even if a hook returns allow.

Working directories

Default access is the launch directory. Extend with --add-dir, /add-dir, or permissions.additionalDirectories.

Additional directories grant file access, not full .claude/ config (except skills with live reload, limited plugin settings, and CLAUDE.md when CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1).

How permissions interact with sandboxing

  • Permissions — which tools and paths Claude Code may use
  • Sandboxing — OS-level limits on Bash and child processes

Use both for defense-in-depth. With autoAllowBashIfSandboxed: true (default), sandboxed Bash may run without per-command prompts; explicit deny rules still apply.

Settings precedence

  1. Managed (cannot be overridden)
  2. Command line (--allowedTools, --disallowedTools)
  3. Local (.claude/settings.local.json)
  4. Project (.claude/settings.json)
  5. User (~/.claude/settings.json)

If a tool is denied at any level, no other level can allow it.

Permission rules merge; deny from any scope blocks even when another scope allows.

On this page