Lesson 18
Permission Rules
AI-generated
Permission Rules
Create allowlist rules for trusted commands
Create deny rules to block dangerous operations
Use /permissions to manage rules
Scope rules to sessions, projects, or globally
Understand how rules combine and take precedence
Permission modes control the overall approach. Permission rules control specifics. With rules, you can say "always allow npm test" or "never allow rm -rf" regardless of which mode you are in.
Rules give you fine-grained control. You build a list of what is allowed, what is denied, and what should ask. Over time, this list reflects your workflow.
This lesson teaches you how to create and manage permission rules.
The /permissions command opens the rule manager:
You see:
Current rules organized by scope
Options to add or remove rules
Recent auto mode denials (if using auto mode)
Working directory settings
Navigate with arrow keys, Enter to select.
Allow rules let specific actions happen without asking.
Allow a specific command:
Claude can run npm test without prompting you.
Allow a pattern:
Claude can run any npm script without asking.
Claude can run any git command without asking.
Allow a tool:
Claude can edit files without asking. Use carefully.
Deny rules block actions even if they would otherwise be allowed.
Deny dangerous commands:
Claude cannot run recursive delete even in auto mode.
Claude cannot force push.
Deny tools:
Claude cannot create new files. It can still edit existing files.
Deny rules take precedence over allow rules. If something is denied, it is denied.
Rules follow this format:
Actions:
Allow - Permit without asking
Deny - Block entirely
Ask - Always ask (the default)
Tools:
Bash - Shell commands
Edit - File editing
Write - Creating new files
Read - Reading files (rarely restricted)
Skill - Invoking skills
MCP tool names
Patterns:
Exact match: Bash(npm test)
Prefix match: Bash(npm *)
Multiple patterns: Bash(git commit *, git push *)
Rules can apply at different levels:
Session scope:
Applies only to the current session. Gone when you exit.
Project scope:
Applies to this project directory. Stored in .claude/settings.json.
User scope:
Applies to all your projects. Stored in ~/.claude/settings.json.
Higher scopes have priority over lower ones when there is a conflict.
Through /permissions:
Run /permissions
Select "Add rule"
Choose scope
Enter the rule
Through conversation:
You can also ask Claude:
Claude adds the rule for you.
In settings.json:
Edit the settings file directly:
Through /permissions:
Run /permissions
Navigate to the rule
Select "Remove"
In settings.json:
Delete the rule from the array.
Development commands:
Git commands:
Safety denials:
Skill restrictions:
Block skills you do not want Claude invoking automatically.
When using auto mode, /permissions shows recent denials:
Select "Review auto mode denials" to see what the classifier blocked. This helps you understand what auto mode considers risky and decide if you want to add allow rules for legitimate actions.
When Claude wants to do something:
Check deny rules. If denied, block it.
Check allow rules. If allowed, do it.
Check permission mode. In auto mode, use classifier. In default mode, ask.
Order matters: deny beats allow beats mode defaults.
Scope precedence:
User rules override project rules override session rules. This lets you set organization-wide denials that projects cannot override.
Allow rules permit actions without asking
Deny rules block actions entirely
Rules use Tool(pattern) syntax with wildcards
Scope rules to session, project, or user level
Deny rules take precedence over allow rules
Use /permissions to manage rules interactively
Build rules over time as you learn your workflow
Practice permission rules:
Run /permissions to see current rules.
Add an allow rule: Allow: Bash(echo *).
Ask Claude to run an echo command. Notice no prompt.
Add a deny rule: Deny: Bash(rm *).
Ask Claude to delete a file. Notice it is blocked.
Remove the echo allow rule.
Ask Claude to echo again. Notice the prompt returns.
This exercise shows how rules control Claude's behavior.
https://code.claude.com/docs/en/permissions - Complete permission rule documentation
https://code.claude.com/docs/en/settings - Settings file format for rules
https://code.claude.com/docs/en/commands - /permissions command reference