Manage user policies
A policy is a named bundle of allow, deny, and require-approval rules that you assign to a teammate. Every agent that teammate owns inherits the policy’s scope limits — so a member with the read_only policy can never grant their agent a *:write scope, even by accident.
Policies live at /policies in the sidebar (managers only). The list shows every policy you’ve defined, plus how many members it’s assigned to.
Create a policy
Click + New policy on the Policies page (or /policies/new directly). The editor has two columns:
- Left — name, description, and rule list. Add rules with
+ Add rule. - Right — a live allow-list preview that shows exactly which
(platform, scope)pairs the policy will currently permit.
The rule shapes
Each rule has three knobs: effect, target type, target value.
| Effect | Target type | What it means |
|---|---|---|
allow | platform | Permit every scope on that platform. |
allow | tag | Permit any scope tagged with that label (e.g. read, low_risk). |
allow | scope | Permit a specific scope by name (e.g. slack:chat:write). |
deny | any | Forbid the target. Beats any allow of the same target. |
require_approval | any | Allow, but queue a human-approval prompt before the call runs. |
Order doesn’t matter — the engine resolves the highest-specificity rule that matches. Deny always wins ties.
Live preview
The right-hand pane recomputes every keystroke. If a rule excludes everything (typo’d scope name, mis-spelled tag), the preview tells you immediately rather than silently saving a dead policy.
Assign a policy
Policies don’t do anything until you assign them. Open the Team page, find a member’s row, and pick a policy from the dropdown. The change takes effect on the member’s next agent call — there’s no propagation delay.
A member without a policy assignment falls back to the org default (full access unless a guardrail blocks them).
Edit or delete
Open any policy from the list to re-enter the editor. Save commits the change for every member currently assigned to it; unassigning a member is a separate action on the Team page.
Deleting a policy is blocked while members are assigned to it — un-assign first, then delete.
What gets audited
Every policy change writes to the audit log:
policy.createdpolicy.updatedpolicy.deletedpolicy.assigned/policy.unassigned(on the Team page)