Permissions control what agents are allowed to do. Every action the agent attempts (creating a PR, posting to Slack, resolving a Sentry issue) is checked against the permission system before it executes.

Three modes

Each action resolves to exactly one of three modes:
Mode               Behavior
Allow              The action executes immediately without human intervention.
Require approval   The action blocks until a human approves or denies it.
Deny               The action is rejected. The agent is informed and cannot retry.

How permissions resolve

Permissions are resolved through a three-tier cascade. The first match wins:
  1. Automation override: A mode set on a specific automation for a specific action. Highest priority.
  2. Organization default: A mode set at the organization level for a specific action.
  3. Inferred default: If no explicit override exists, the mode is inferred from the action’s risk level: read actions default to allow, write actions default to require approval, and danger actions default to deny.
This means you can set broad defaults at the org level and override them per automation when needed.
Start with the inferred defaults. They are conservative: read actions auto-execute, write actions require approval, and dangerous actions are blocked. Loosen permissions as you build trust.

Approval workflows

When an action resolves to require approval, the agent pauses and a notification is sent.
Where approvals appear:
  • Web dashboard: The session view shows pending approvals with full parameter details.
  • Slack: If notifications are configured, the approval request is posted to the automation’s Slack channel.
Approval options:
  • Approve Once: Approves this specific invocation only.
  • Approve & Always Allow: Approves this invocation and sets the permission to allow for all future invocations.
  • Deny: Rejects the invocation. The agent is notified and adapts.
Pending approvals expire after 5 minutes. If no one responds, the action is marked as expired and the agent is notified.
Only users with admin or owner roles can approve or deny actions.

Connector drift detection

When you connect an MCP server, Proliferate tracks each tool’s schema. If a tool’s schema changes after you’ve configured its permissions, the system detects the change and downgrades any allow permissions to require approval until an admin re-reviews the tool. This prevents a connected MCP server from silently expanding what it can do. When you see a “needs re-review” indicator in the permissions UI, check the tool’s updated schema and confirm the permission.
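
The three-tier cascade and the drift downgrade described above, sketched together as an added example; this is not Proliferate's code. The function names, the mode strings, the sample tool schema and the use of a SHA-256 fingerprint over canonical JSON are all assumptions made for illustration.

```python
import hashlib
import json

# Inferred defaults by risk level, as stated on this page.
INFERRED = {"read": "allow", "write": "require_approval", "danger": "deny"}

def schema_fingerprint(schema):
    """Hash a tool schema in canonical JSON so key order does not matter."""
    canonical = json.dumps(schema, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def resolve_mode(action, risk, automation_overrides, org_defaults):
    """Three-tier cascade; the first match wins."""
    if action in automation_overrides:
        return automation_overrides[action], "automation override"
    if action in org_defaults:
        return org_defaults[action], "organization default"
    # Assumption: an unknown risk level fails closed to deny.
    return INFERRED.get(risk, "deny"), "inferred default"

def effective_mode(action, risk, automation_overrides, org_defaults,
                   reviewed_fp, current_schema):
    """Resolve the mode, then downgrade allow if the tool schema drifted."""
    mode, source = resolve_mode(action, risk, automation_overrides, org_defaults)
    drifted = schema_fingerprint(current_schema) != reviewed_fp
    if drifted and mode == "allow":
        return "require_approval", source + " (needs re-review)"
    return mode, source

# Constructed sample: a hypothetical MCP tool schema as reviewed by an admin,
# and the same tool after the server added a parameter.
REVIEWED = {"name": "tickets.search", "input": {"query": {"type": "string"}}}
CHANGED = {"name": "tickets.search",
           "input": {"query": {"type": "string"}, "delete": {"type": "boolean"}}}

def demo():
    org = {"tickets.search": "allow"}          # organization default
    fp = schema_fingerprint(REVIEWED)          # stored at review time
    before = effective_mode("tickets.search", "read", {}, org, fp, REVIEWED)
    after = effective_mode("tickets.search", "read", {}, org, fp, CHANGED)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("reviewed schema", "changed schema"), demo()):
        print(label, "->", result)
```

Only allow is downgraded in this sketch; deny and require approval pass through unchanged, since a schema change cannot make them looser.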