Claude Code’s permission system controls which tools Claude can invoke, what shell commands it can run, and which directories it can access. You can configure permissions statically in settings files, dynamically during a session, and via enterprise policy.

What permissions control

Every tool invocation goes through a permission check before executing. The check result is one of:
  • allow — the operation proceeds without prompting
  • ask — Claude pauses and asks you to approve or deny
  • deny — the operation is blocked
Permissions apply to named tools (e.g. Bash, FileEdit, FileRead, WebFetch) and can be scoped to specific command prefixes or patterns within a tool.

Permission modes

The active permission mode determines the default behavior when no explicit allow/deny rule matches.
Mode               Behavior
default            Claude prompts for approval on potentially impactful tool use
acceptEdits        File edits are auto-accepted; other tools still prompt
plan               Claude explains what it intends to do, but does not execute tools
bypassPermissions  All tools are allowed without prompting
dontAsk            All tools are allowed without prompting
bypassPermissions and dontAsk allow Claude to run any tool without confirmation. Use these modes only in trusted, controlled environments. The disableBypassPermissionsMode enterprise setting can prevent users from entering these modes.

Setting the default mode

Set permissions.defaultMode in any settings file to establish a default for that scope:
.claude/settings.json
{
  "permissions": {
    "defaultMode": "acceptEdits"
  }
}

The --permission-mode flag

Override the permission mode for a single session at launch:
claude --permission-mode acceptEdits
claude --permission-mode bypassPermissions

Interactive approval

When Claude needs to use a tool and no rule covers it, it pauses and shows you what it wants to do. You can:
  • Approve once — allow this specific invocation
  • Approve always — add a permanent allow rule for this tool or command
  • Deny — block this invocation
  • Deny always — add a permanent deny rule
Choices saved as “always” are written to a settings file. Claude will ask you which scope to save to (user, project, or local).

The claude permissions command

Run /permissions (also aliased as /allowed-tools) inside a session to open the interactive permission rule manager. This UI lets you view, add, and remove allow/deny/ask rules across all settings sources without manually editing JSON files.

Allow and deny rules in settings

Add permissions.allow and permissions.deny arrays to any settings file to create persistent rules.

Rule format

Rules are strings in the form ToolName or ToolName(pattern):
  • Bash — matches all Bash invocations
  • Bash(git:*) — matches any Bash command starting with git
  • FileEdit — matches all file edit operations
  • FileRead(src/*) — matches file reads under src/
.claude/settings.json
{
  "permissions": {
    "allow": [
      "Bash(git:*)",
      "Bash(npm run:*)",
      "FileEdit",
      "FileRead"
    ],
    "deny": [
      "Bash(rm -rf:*)"
    ],
    "ask": [
      "WebFetch"
    ]
  }
}

Rule sources and precedence

Rules are loaded from all active settings sources and merged. The source of a rule is tracked for display in the UI:
Source           Display name
userSettings     User settings
projectSettings  Shared project settings
localSettings    Project local settings
flagSettings     Command line arguments
policySettings   Enterprise managed settings
Deny rules always take precedence over allow rules.

allowManagedPermissionRulesOnly

When set to true in managed settings, only permission rules from managed settings are respected. User, project, local, and CLI argument rules are ignored. This is an enterprise policy option.
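The rule syntax, the deny-over-allow precedence and the allowManagedPermissionRulesOnly behaviour from the sections above, as an added JavaScript model of the check (example code, not Claude Code's own implementation). The glob handling for non-prefix patterns, the order in which allow and ask rules are consulted, the mapping of plan mode to deny, and which tools count as "potentially impactful" in default mode are assumptions; the sample rule set is constructed from the settings shown on this page plus a managed deny list.

```javascript
// Added model of the permission check this page describes (not Claude Code's code).
// Rule syntax, deny-over-allow precedence, the five modes and allowManagedPermissionRulesOnly
// follow the page; glob semantics, allow/ask order, plan mapping and IMPACTFUL are assumptions.

// A rule string is "Tool" or "Tool(pattern)".
function parseRule(rule) {
  const m = /^([A-Za-z]+)(?:\((.*)\))?$/.exec(rule);
  if (!m) throw new Error(`bad rule: ${rule}`);
  return { tool: m[1], pattern: m[2] ?? null };
}
// "git:*" is a literal string prefix (so it also matches "gitk"); any other
// pattern containing "*" is treated as a glob over the argument (assumption).
function matches(rule, tool, arg) {
  const { tool: t, pattern } = parseRule(rule);
  if (t !== tool) return false;
  if (pattern === null) return true;
  if (pattern.endsWith(':*')) return arg.startsWith(pattern.slice(0, -2));
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + pattern.split('*').map(esc).join('.*') + '$').test(arg);
}

// Fallback when no rule matches; plan mode executes nothing, modelled here as deny.
const IMPACTFUL = new Set(['Bash', 'FileEdit', 'WebFetch']);
function modeDefault(mode, tool) {
  switch (mode) {
    case 'bypassPermissions':
    case 'dontAsk': return 'allow';
    case 'plan': return 'deny';
    case 'acceptEdits': return tool === 'FileEdit' ? 'allow' : 'ask';
    default: return IMPACTFUL.has(tool) ? 'ask' : 'allow';
  }
}

// sources: rules from each settings source, tagged with the source names the page lists.
function checkPermission({ mode, sources, managedOnly = false }, tool, arg = '') {
  const active = managedOnly ? sources.filter((s) => s.source === 'policySettings') : sources;
  const hit = (kind) => active.some((s) => (s.permissions[kind] ?? []).some((r) => matches(r, tool, arg)));
  if (hit('deny')) return 'deny';   // deny always takes precedence
  if (hit('allow')) return 'allow';
  if (hit('ask')) return 'ask';
  return modeDefault(mode, tool);
}
// Constructed sample: the project settings from this page plus a managed deny list.
const SAMPLE = {
  mode: 'acceptEdits',
  sources: [
    { source: 'projectSettings', permissions: { allow: ['Bash(git:*)', 'Bash(npm run:*)', 'FileEdit', 'FileRead'], deny: ['Bash(rm -rf:*)'], ask: ['WebFetch'] } },
    { source: 'policySettings', permissions: { deny: ['Bash(curl:*)', 'WebFetch'] } },
  ],
};
```

With the sample, a managed deny on WebFetch wins over the project's ask rule, and setting managedOnly drops every non-policy rule so "git status" falls back to the mode default.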

Directory access

By default, Claude Code can read and write files within the current working directory. Use permissions.additionalDirectories to grant access to directories outside the working directory:
{
  "permissions": {
    "additionalDirectories": [
      "/shared/data",
      "~/projects/shared-lib"
    ]
  }
}
You can also add directories interactively during a session when Claude tries to access a path outside the current scope. Claude will prompt you to approve the path, and you can choose to save the addition to a settings file.
Managed settings can also supply additionalDirectories to pre-grant access to shared locations for all users in an organization.

Sandbox mode

When the CLAUDE_CODE_USE_SANDBOX environment variable is set, the Bash tool runs inside a sandbox runtime provided by @anthropic-ai/sandbox-runtime. The sandbox imposes configurable filesystem and network restrictions on shell commands.
CLAUDE_CODE_USE_SANDBOX=1 claude
Sandbox configuration can also be placed in settings under the sandbox key. The sandbox adapter integrates with Claude Code’s settings system and supports the same per-source configuration as other settings.
Sandbox mode provides an additional security layer for automated or CI environments where you want shell commands contained, independent of Claude’s permission rules.

Enterprise policy limits

Enterprise administrators can restrict the permission system through managed settings:
disableBypassPermissionsMode: prevent users from entering bypassPermissions mode. Set it to "disable" in managed settings.
managed-settings.json
{
  "permissions": {
    "disableBypassPermissionsMode": "disable"
  }
}
allowManagedPermissionRulesOnly: when true, only permission rules defined in managed settings are applied. All user- and project-level rules are ignored.
managed-settings.json
{
  "allowManagedPermissionRulesOnly": true
}
Place allow and deny rules directly in managed settings to enforce organization-wide tool policy. These rules merge with the managed permission rule set.
managed-settings.json
{
  "permissions": {
    "deny": ["Bash(curl:*)", "WebFetch"]
  }
}
