Permissions & Approvals

How does permission resolution work?

oakallow uses a 12-level resolution chain to determine the permission for any tool execution. The chain evaluates from most specific to least specific:

Tenant-scoped rules (if a tenant is specified):

  • Tenant + resource + tool + method
  • Tenant + resource + tool
  • Tenant + tool + method
  • Tenant + tool
  • Tenant + resource + method
  • Tenant + resource
  • Tenant + method
  • Tenant wildcard

Org-scoped rules (the same 8 levels, with the org in place of the tenant):

  • Org + resource + tool + method, down through the same combinations to the org wildcard

Fallbacks:

  • Tool default permission
  • Category default permission
  • Tool approved status (if approved and no rules match, defaults to allowed)
  • Fail-safe: requires_approval

The first match wins. If nothing matches and the tool is not pre-approved, the fail-safe is always "requires approval." Permission resolution happens at the edge via Cloudflare Workers for sub-millisecond decisions.
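The lookup order above, as an added illustration that is not oakallow's own code: rule keys, the org and tenant names, the tool and category names, and the permission value "denied" are all assumed for the example; only "requires_approval" and "allowed" come from the page.

```python
# Added illustration of the resolution order described above, not oakallow's code.
# A rule key is (scope, resource, tool, method); None is a wildcard in that slot.
# Permission strings other than "requires_approval"/"allowed" are assumed names.

FAIL_SAFE = "requires_approval"

def candidate_keys(scope, resource, tool, method):
    """Keys for one scope, most specific first (the order listed above)."""
    return [
        (scope, resource, tool, method),
        (scope, resource, tool, None),
        (scope, None, tool, method),
        (scope, None, tool, None),
        (scope, resource, None, method),
        (scope, resource, None, None),
        (scope, None, None, method),
        (scope, None, None, None),            # scope wildcard
    ]

def resolve(rules, tool_defaults, category_defaults, approved_tools,
            org, tenant, resource, tool, method, category):
    """First matching rule wins; then the fallbacks in page order."""
    keys = []
    if tenant is not None:                    # tenant levels only if given
        keys += candidate_keys(("tenant", tenant), resource, tool, method)
    keys += candidate_keys(("org", org), resource, tool, method)
    for key in keys:
        if key in rules:
            return rules[key]
    if tool in tool_defaults:                 # tool default permission
        return tool_defaults[tool]
    if category in category_defaults:         # category default permission
        return category_defaults[category]
    if tool in approved_tools:                # approved and no rule matched
        return "allowed"
    return FAIL_SAFE                          # nothing matched: fail safe

# Constructed sample data (hypothetical org, tenant, tools and categories).
RULES = {
    (("org", "acme"), None, "send_email", None): "requires_approval",
    (("tenant", "t-1"), None, "send_email", "send"): "allowed",
    (("org", "acme"), "crm", None, None): "denied",
}
TOOL_DEFAULTS = {"read_file": "allowed"}
CATEGORY_DEFAULTS = {"filesystem": "requires_approval"}
APPROVED = {"search_docs"}

def decide(tenant, resource, tool, method, category):
    return resolve(RULES, TOOL_DEFAULTS, CATEGORY_DEFAULTS, APPROVED,
                   "acme", tenant, resource, tool, method, category)
```

Note that a tenant rule at a less specific level still beats any org rule, because every tenant key is tried before the first org key.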
