Skip to Content
How-to guidesHow-to guidesManage user policies

Manage user policies

A policy is a named bundle of allow, deny, and require-approval rules that you assign to a teammate. Every agent that teammate owns inherits the policy’s scope limits — so a member with the read_only policy can never grant their agent a *:write scope, even by accident.

Policies live at /policies in the sidebar (managers only). The list shows every policy you’ve defined, plus how many members it’s assigned to.

Create a policy

Click + New policy on the Policies page (or /policies/new directly). The editor has two columns:

  • Left — name, description, and rule list. Add rules with + Add rule.
  • Right — a live allow-list preview that shows exactly which (platform, scope) pairs the policy will currently permit.

The rule shapes

Each rule has three knobs: effect, target type, target value.

EffectTarget typeWhat it means
allowplatformPermit every scope on that platform.
allowtagPermit any scope tagged with that label (e.g. read, low_risk).
allowscopePermit a specific scope by name (e.g. slack:chat:write).
denyanyForbid the target. Beats any allow of the same target.
require_approvalanyAllow, but queue a human-approval prompt before the call runs.

Order doesn’t matter — the engine resolves the highest-specificity rule that matches. Deny always wins ties.

Live preview

The right-hand pane recomputes every keystroke. If a rule excludes everything (typo’d scope name, mis-spelled tag), the preview tells you immediately rather than silently saving a dead policy.

Assign a policy

Policies don’t do anything until you assign them. Open the Team page, find a member’s row, and pick a policy from the dropdown. The change takes effect on the member’s next agent call — there’s no propagation delay.

A member without a policy assignment falls back to the org default (full access unless a guardrail blocks them).

Edit or delete

Open any policy from the list to re-enter the editor. Save commits the change for every member currently assigned to it; unassigning a member is a separate action on the Team page.

Deleting a policy is blocked while members are assigned to it — un-assign first, then delete.

What gets audited

Every policy change writes to the audit log:

  • policy.created
  • policy.updated
  • policy.deleted
  • policy.assigned / policy.unassigned (on the Team page)

Next

Last updated on