Claude Code Permissions: Allow, Deny, and Ask Patterns

By Tyler Cyert

Claude Code permissions control which tools the agent can use, which commands it can run, and which files it can access. They are the security layer between "Claude, help me refactor this" and Claude running arbitrary shell commands on your machine.

Permissions live in your settings.json file. They are not suggestions — they are enforced rules that Claude Code cannot override, no matter what instructions say.

The Three Permission Levels

Level   Behavior                                Use Case
allow   Claude runs the tool without asking     Safe operations you trust unconditionally
deny    Claude cannot use the tool at all       Dangerous operations you want blocked
ask     Claude prompts for approval each time   Default for everything not explicitly allowed or denied

Evaluation Order

Rules are evaluated in a strict order: deny, then ask, then allow. The first list that contains a matching rule decides; if nothing matches, the default is ask.

This means deny rules always take precedence. If you allow Bash(npm run:*) but deny Bash(npm run deploy), the deny wins for npm run deploy while other npm run commands proceed without a prompt. The order is what makes deny rules usable as guardrails: an allow rule, however broad, cannot reach past a matching deny.

Permission Syntax

Permissions match a tool name plus, optionally, a specifier in parentheses that is compared against the tool's argument. The permissions object in settings.json has three arrays: allow for trusted operations, deny for blocked ones, and ask for operations that should always prompt. A bare tool name such as Bash covers every use of that tool; Bash(npm run test) covers exactly that command; Bash(npm run:*) covers every command that starts with npm run.

Tool Names

The main tools you can permission:

Tool       What It Does
Read       Read file contents
Edit       Modify existing files
Write      Create new files
Bash       Run shell commands
Glob       Search for files by pattern
Grep       Search file contents
WebFetch   Fetch URLs

Prefix Matching

Bash(npm run:*) matches any command starting with npm run:
  - npm run test — matched
  - npm run build — matched
  - npm run deploy — matched, unless a deny rule names it

The :* suffix is what makes a rule a prefix. Without it the rule is exact: Bash(npm run) matches only the bare command npm run, and Bash(npm run test) matches npm run test and nothing else.

Be precise. Bash(npm:*) is too broad — it matches npm install malicious-package. Bash(npm run test) is exact. And when you write a deny rule for a dangerous command, make sure it is a prefix: Bash(rm -rf) blocks only the literal two-word command, not rm -rf build.
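To make the evaluation order and the prefix/exact distinction concrete, here is a small model of the rule matching described above, written as an added example for this page. It is not Claude Code's own matcher: it assumes a rule is a bare tool name, an exact Tool(arg) form or a Tool(prefix:*) form, that deny is checked before ask before allow with no match falling through to ask, and that a prefix rule is a plain string prefix on the command text. Shell-operator handling (&&, ;, |), path patterns for file tools and domain patterns for WebFetch are deliberately left out. The settings.json and the tool calls are constructed for the example.

```python
"""Simplified model of Claude Code permission evaluation (added example).

Assumptions, not Claude Code's implementation:
  - a rule is "Tool" (any use), "Tool(exact text)" or "Tool(prefix:*)"
  - deny is checked first, then ask, then allow; no match means "ask"
  - a prefix rule is a plain string prefix on the command text
"""
import json
import re

# Constructed settings.json for the "Safe Development" pattern.
SETTINGS_JSON = """
{
  "permissions": {
    "allow": [
      "Read", "Glob", "Grep", "Edit", "Write",
      "Bash(npm run:*)", "Bash(npx tsc)",
      "Bash(git status)", "Bash(git diff:*)"
    ],
    "ask": ["Bash(git commit:*)"],
    "deny": [
      "Bash(npm run deploy)", "Bash(rm -rf:*)",
      "Bash(git push:*)", "Bash(git reset:*)", "Bash(npm publish:*)"
    ]
  }
}
"""

RULE_RE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<spec>.*)\))?$")


def parse_rule(rule):
    """Split 'Tool(spec)' into (tool, kind, spec); kind is any/prefix/exact."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    tool, spec = m.group("tool"), m.group("spec")
    if spec is None:
        return tool, "any", ""
    if spec.endswith(":*"):
        return tool, "prefix", spec[:-2]
    return tool, "exact", spec


def rule_matches(rule, tool, arg):
    """True if one rule covers this tool call (string matching only)."""
    rule_tool, kind, spec = parse_rule(rule)
    if rule_tool != tool:
        return False
    if kind == "any":
        return True
    if kind == "prefix":
        return arg.startswith(spec)  # assumption: plain string prefix
    return arg == spec


def decide(settings, tool, arg=""):
    """Return 'deny', 'ask' or 'allow' for one tool call."""
    perms = settings.get("permissions", {})
    for verdict in ("deny", "ask", "allow"):  # strict evaluation order
        if any(rule_matches(r, tool, arg) for r in perms.get(verdict, [])):
            return verdict
    return "ask"  # nothing matched: Claude Code prompts


SETTINGS = json.loads(SETTINGS_JSON)

# Constructed tool calls, chosen to exercise each branch.
CALLS = [
    ("Read", "src/app.ts"),               # bare tool name in allow
    ("Bash", "npm run test"),             # prefix allow
    ("Bash", "npm run deploy"),           # exact deny beats prefix allow
    ("Bash", "git commit -m fix"),        # explicit ask
    ("Bash", "npm install left-pad"),     # no rule: falls through to ask
    ("Bash", "rm -rf build"),             # prefix deny
    ("Bash", "rm -r -f build"),           # same effect, different text: not caught
    ("WebFetch", "https://example.com"),  # no rule: ask
]


def evaluate_all(settings=SETTINGS, calls=CALLS):
    """Map each call to its verdict so the table can be inspected or tested."""
    return {f"{tool}({arg})": decide(settings, tool, arg) for tool, arg in calls}


if __name__ == "__main__":
    for call, verdict in evaluate_all().items():
        print(f"{verdict:5}  {call}")
```

The last Bash case is the one to remember: rm -r -f build does exactly what rm -rf build does, but a text-prefix deny never sees it, so it falls through to ask. Deny rules narrow what Claude is offered; only the sandbox narrows what the machine will execute.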

Five Permission Patterns

1. Read-Only Exploration

Let Claude analyze your codebase without changing anything. Allow Read, Glob, and Grep. Deny Edit, Write, and Bash.

2. Safe Development

Allow common dev operations, block destructive ones. Allow read tools plus Edit, Write, and specific commands like Bash(npm run:*), Bash(npx tsc), Bash(git status), Bash(git diff:*). Deny Bash(rm -rf:*), Bash(git push:*), Bash(git reset:*), Bash(npm publish:*). Write the denies as prefixes: an exact Bash(rm -rf) matches only the two-word command rm -rf, not rm -rf build.

3. CI/CD Pipeline

For automated environments where Claude runs in a container. Allow read tools, write tools, and broad command prefixes like Bash(npm run:*), Bash(npx:*), Bash(git:*). Deny the obvious network clients, Bash(curl:*), Bash(wget:*) and WebFetch, but treat that as a speed bump rather than an egress control: a deny on curl says nothing about node -e, python3 -c or an npm script that makes its own requests. Block egress in the container's network policy and keep the deny rules as a second layer. A broad Bash(git:*) allow also still needs the git push and git reset denies from the Safe Development pattern.

4. Code Review Only

Claude reads and comments but never modifies. Allow Read, Glob, Grep, Bash(git diff:*), and Bash(git log:*). Deny Edit and Write. Do not put a bare Bash in the deny list: deny takes precedence over allow, so it would also block the git diff and git log you just allowed. Leave other shell commands unlisted instead; they fall through to ask, which in an interactive session means a prompt and in a non-interactive run means the call is refused because nobody can answer it.

5. Full Trust (Sandboxed)

For containerized environments with OS-level isolation, set defaultMode to auto. Only use this when Claude Code runs inside a sandbox that restricts filesystem and network access at the OS level. Permissions and sandboxing are complementary — permissions control what Claude tries to do, sandboxing controls what the system allows.

Permissions Across Settings Files

Permissions merge across your settings files:

  1. ~/.claude/settings.json — your global defaults
  2. .claude/settings.json — project team settings
  3. .claude/settings.local.json — your project overrides

Deny rules from any level always apply. Allow rules are additive — a project can allow more tools on top of your global defaults.
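The merge across the three files is easy to get wrong in your head, so here is an added example (not Claude Code's own merge code) that combines three constructed settings documents and reports where each rule came from. It assumes the allow, ask and deny arrays are unioned in the order listed above, that duplicates collapse, and that no file can remove a rule another file added. The three settings documents and their file names are constructed for the example.

```python
"""Merge permission arrays across user, project and local settings (added example).

Assumptions, not Claude Code's implementation: arrays are unioned in the
order user -> project -> local, duplicates collapse, and nothing is removed.
"""
import json

# Constructed settings documents, one per layer.
USER_SETTINGS = """{"permissions": {
  "allow": ["Read", "Glob", "Grep"],
  "deny":  ["Bash(git push:*)", "Bash(rm -rf:*)", "WebFetch"]}}"""

PROJECT_SETTINGS = """{"permissions": {
  "allow": ["Read", "Edit", "Write", "Bash(npm run:*)", "Bash(git:*)"],
  "deny":  ["Bash(npm publish:*)"]}}"""

LOCAL_SETTINGS = """{"permissions": {
  "allow": ["Bash(npx tsc)", "Bash(git push:*)"],
  "ask":   ["Bash(git commit:*)"]}}"""

LAYERS = [
    ("~/.claude/settings.json", USER_SETTINGS),
    (".claude/settings.json", PROJECT_SETTINGS),
    (".claude/settings.local.json", LOCAL_SETTINGS),
]


def merge_permissions(layers):
    """Union the three arrays and remember which file contributed each rule."""
    merged = {"allow": [], "ask": [], "deny": []}
    origin = {}
    for path, text in layers:
        perms = json.loads(text).get("permissions", {})
        for verdict in merged:
            for rule in perms.get(verdict, []):
                if rule not in merged[verdict]:
                    merged[verdict].append(rule)
                    origin[(verdict, rule)] = path
    return merged, origin


def conflicts(merged, origin):
    """Rules that appear verbatim in allow (or ask) and also in deny.

    Deny wins at evaluation time, so the allow/ask entry is dead; report
    both files so the owner of the allow knows which file overrode it.
    """
    out = []
    for verdict in ("allow", "ask"):
        for rule in merged[verdict]:
            if rule in merged["deny"]:
                out.append((rule, origin[(verdict, rule)], origin[("deny", rule)]))
    return out


if __name__ == "__main__":
    merged, origin = merge_permissions(LAYERS)
    print(json.dumps({"permissions": merged}, indent=2))
    for rule, allowed_in, denied_in in conflicts(merged, origin):
        print(f"{rule}: allowed in {allowed_in}, denied in {denied_in}; deny wins")
```

In this example the local file tries to allow Bash(git push:*), but the user-level deny for the same rule survives the merge, so the allow is dead weight. The conflict check only catches verbatim duplicates; Bash(git:*) allowed beside Bash(git push:*) denied is the intended shape, not a conflict, and is not flagged.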

Common Mistakes

Too broad: a bare Bash in allow lets Claude run any shell command. Always scope it: Bash(npm run test) for one command, Bash(npm run:*) for a family.

Missing deny for destructive operations: if you allow Bash(git:*), Claude can run git push --force. Add explicit deny rules for dangerous subcommands, Bash(git push:*) and Bash(git reset:*) at minimum.

Forgetting prefix matching: Bash(npm:*) matches npm install anything. Use Bash(npm run test) for precision. The reverse mistake is just as common: writing Bash(rm -rf) and expecting it to cover rm -rf build, when without :* it matches only the literal rm -rf.

Treating deny as a sandbox: deny rules match command text, not behaviour. rm -r -f, /bin/rm -rf and a script that calls rm all slip past Bash(rm -rf:*). For anything that must not happen, combine the deny with OS-level isolation as in the sandboxed pattern above.

Configuring Permissions with DotBox

Getting permissions right means understanding prefix matching, evaluation order, and which tools exist. DotBox generates your permission configuration through checkboxes and dropdowns — select tools to allow, specify commands to deny, and export a validated settings.json as part of your complete project setup.