🔒

Permission System

Fine grained control over which tools Claude Code can use without asking. Set global defaults, project specific overrides, and per tool rules to balance safety with workflow speed.

Configuration·2 sections·1 min read

codingdevopsworkflow

Install Prompt

Paste this into Claude Code to set it up:

Permissions are configured in ~/.claude/settings.json under the 'permissions' key. You can allow specific tools globally (e.g., allow Read, Grep, Glob without prompting) or add project specific overrides. Use 'allow' for trusted tools and leave sensitive tools (Write, Bash) to prompt each time. Claude Code also supports regex patterns for Bash commands.

01What It Does

Safety without friction

Every tool in Claude Code has a permission state: allowed (runs without asking), denied (blocked entirely), or default (asks each time). The permission system lets you pre approve safe, read only tools like Read, Grep, and Glob so Claude can work without constant interruptions, while keeping destructive tools like Write, Bash, and Edit on a confirmation step. This balance is essential for productive sessions. Too many prompts slow you down; too few permissions create risk. The system supports layered configuration so you can set sensible global defaults and tighten or relax them per project.

02Configuration Levels

Global defaults in settings.json

Set your baseline permissions in ~/.claude/settings.json. These apply to every project on your machine. Most users allow Read, Grep, and Glob globally since they are read only and safe. Sensitive tools like Bash and Write are left on the default prompt behavior. You can also use regex patterns to allow specific Bash commands (like git status) while blocking others.

Project overrides in .claude/settings.json

Each project can have its own .claude/settings.json that overrides global defaults. A frontend project might allow Bash commands matching npm and npx, while a production infrastructure project might deny all Bash access entirely. Project settings inherit from global settings and only override what they explicitly define.

Session overrides at runtime

During a session, Claude Code will ask for permission when a tool falls outside your allowed list. You can grant one time permission for that specific invocation, or use the session level override to allow a tool for the remainder of the current session. These overrides do not persist to disk and reset when the session ends.