Overview
Permissions grant specific actions on resource types. Administrators assign permissions to roles and roles to teams. Users inherit permissions through their team memberships. You can scope permissions to all resources of a given type or to specific resources. Not all permissions support both scopes. See the Scope column in each table for details. Use this reference when defining roles or auditing access.Agent permissions
Administrators can assign the following agent permissions to roles.| Permission | Scope | Description |
|---|---|---|
| Auto Approve Commands | All | Allows users to enable automatic execution of tool calls generated by agents. With this permission, users can enable Execute commands without asking in the IDE or use the --unsafe-auto-allow flag in the pool CLI. When users turn this on, tool calls run without approval prompts. Deny rules in settings.yaml still take precedence and block matching actions. This permission is off by default. Use it with caution. |
| Create Agent | All | Allows users to create new agent definitions, but not edit them after creation. |
| Manage Agents | All, Specific | Allows users to update or delete existing agents, run agent sessions, and view session history and trajectories. |
| Use Agents | All, Specific | Allows users to run agent sessions and interact with the model. |
| Set Default Agent | All | Allows users to designate a default agent for the organization. Poolside uses the default agent when a user has not selected a specific agent in the IDE. Users can switch agents at any time, and their selection overrides the default. |
| View Agent Sessions | All, Specific | Allows users to view the history and trajectories of agent runs. |
Knowledge base permissions
Administrators can assign the following knowledge base permissions to roles.| Permission | Scope | Description |
|---|---|---|
| Create Knowledge Bases | All | Allows users to create new knowledge bases, but not edit them after creation. |
| Manage Knowledge Bases | All, Specific | Allows users to update or delete existing knowledge bases. |
| Use Knowledge Bases | All, Specific | Allows users to query and retrieve information from existing knowledge bases. |
MCP server permissions
Administrators can assign the following MCP server permissions to roles.| Permission | Scope | Description |
|---|---|---|
| Create MCP Servers | All | Allows users to create new MCP server configurations, but not edit them after creation. |
| Manage MCP Servers | All, Specific | Allows users to update or delete existing MCP server configurations. |
| Use MCP Servers | All, Specific | Allows users to invoke tools exposed by MCP servers. |
Sandbox definition permissions
Administrators can assign the following sandbox definition permissions to roles.| Permission | Scope | Description |
|---|---|---|
| Create Sandbox Definitions | All | Allows users to create new sandbox definitions, but not edit them after creation. |
| Manage Sandbox Definitions | All, Specific | Allows users to update or delete existing sandbox definitions. |
| Use Sandbox Definitions | All, Specific | Allows users to use sandbox definitions when running agents. |