Create a policy
Define which agents can access which tools
Policies control what your agents are allowed to do. Without any rules, all requests are denied by default.
New organizations start with a default Allow all rule so agents work out of the box. Edit or delete it once you're ready to lock things down.

Add a rule
To create a rule of your own:
- Navigate to Policies in the dashboard
- Click Add Rule
- Enter a name that describes what the rule does
- Choose the effect — Allow, Deny, or Gated (allow only when a condition holds)
- Set the scope to target specific resources, agents, users, or groups — leave it empty to match everything
- Set tool patterns to choose which tools the rule covers —
*matches all tools, or use wildcards likesend_* - Set the status to Active to start enforcing it
- Click Create
New rules are added at the top of the table, so they take precedence over the default Allow all rule below them.

How rules work
Rules are evaluated top-to-bottom — the first match wins. If no rule matches, the request is denied.
- Allow rules permit the tool call
- Deny rules block it
- Drag rules in the table to reorder them
Put more specific rules above more general ones. For example, a deny rule for delete_* at position 1 blocks deletes even if an allow-all rule exists below it.
Next steps
Once you have basic access working, you can refine your policies with:
- Scope — restrict rules to specific resources, agents, or instances — or match them by tag
- Tool patterns — use wildcards like
send_*orlist_*to match groups of tools - Conditions — add CEL expressions for dynamic logic (for example,
agent.slug == "claude-code") - Argument-level conditions — gate on the live tool-call payload via
request.args.*(for example, only allowsend_messagewhenrequest.args.channel_id == "C_GENERAL") - Impact preview — see which tools and agents a rule affects before saving
See the full policies guide for details, including the use-case catalog for argument-level conditions.

