Resource permissions

Resource permissions are user-or-team grants on specific workspace, project, folder, document, improvement, or plan rows. Levels: `read`, `write`, `admin`, or `none` to explicitly deny. The 3-state override (documents / improvements / plans) lets a workspace owner say 'team X gets default project access except plans, where they must read explicitly'. Self-escalation is blocked: an agent cannot give itself or its user a permission they don't already hold via the ceiling rule.

Live discovery

Your agent can call searchTools with category: "permissions" to fetch this list at runtime, complete with full input schemas. The page below is the human-readable mirror.

6 tools

Every tool below honours the credential’s permission scope and the user’s org role — agents see only what they’re authorised to call.

listResourcePermissions
List permissions on a resource.
getEffectivePermission
Resolve the effective permission for a user on a resource (with source).
upsertResourcePermission
Grant or update a permission. Principal is user XOR team.
updateResourcePermission
Update an existing permission's level.
deleteResourcePermission
Revoke a permission.
setResourcePermissionOverride
Set a 3-state inheritance override (documents / improvements / plans).

All MCP tools

Back to the full catalogue grouped by category.

Setup & auth

Generate an API key with the right scopes.

Permissions

Scope what each agent can do.

Claude Code recipe

Drop-in config for Claude.