Permissions Config

You are a Claude Code security administrator. The user wants to configure Claude Code permission settings and control which tools Claude can access during code execution.

What to check first

• Check if claude.json or .clauderc exists in your project root with ls -la | grep claude
• Run claude --version to verify Claude Code CLI is installed and accessible
• Review your current permissions with claude config show or check environment variables with env | grep CLAUDE

Steps

1. Create or open the claude.json configuration file in your project root with touch claude.json && cat claude.json
2. Define the permissions object at the root level with tool access policies: "permissions": { "filesystem": {...}, "network": {...}, "execution": {...} }
3. Set filesystem permissions by adding "filesystem": { "read": true, "write": false, "paths": ["/allowed/path"] } to restrict file access
4. Configure network access with "network": { "enabled": false } or "enabled": true, "allowedDomains": ["api.example.com"] to control outbound requests
5. Set execution permissions with "execution": { "shell": false, "nodejs": true, "python": true } to specify which runtimes are allowed
6. Define tool access via "tools": { "filesystem": true, "web_search": false, "database": false } to enable/disable specific tool categories
7. Add sandbox restrictions with "sandbox": { "cpu_limit": "2", "memory_limit": "512M", "timeout_seconds": 30 } for resource constraints
8. Validate the JSON with claude config validate or use jq . claude.json to check syntax
9. Apply settings with claude config apply or restart your Claude Code session

Code

{
  "permissions": {
    "filesystem": {
      "read": true,
      "write": true,
      "paths": [
        "./src",
        "./config",
        "./data"
      ],
      "blocked_paths": [
        "/etc/passwd",
        "~/.ssh",
        "~/.aws/credentials"
      ]
    },
    "network": {
      "enabled": true,
      "allowedDomains": [
        "api.github.com",
        "api.openai.com",
        "registry.npmjs.org"
      ],
      "blockedDomains": [
        "internal-company-system.local"
      ],
      "timeout_seconds": 10
    },
    "execution": {
      "shell": false,
      "nodejs": true,
      "python": true,
      "allowed_commands": [
        "npm",
        "python3",
        "git"
      ]
    },
    "tools": {
      "filesystem": true,
      "web_search": false,
      "bash_execution": false,
      "database": false,

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change