An agent that can edit files and run shell commands is useful and, unmanaged, a little terrifying. Claude Code's permission system is the layer that makes autonomy safe: it decides which actions run freely, which pause for your approval, and which are forbidden outright. The CCA-F exam treats this as core Configuration & Workflows material, and it is one of the least-competitive topics to rank for because most write-ups skip it. This guide covers the rules, the precedence order, and the scenarios the exam builds on them.
The Three Verdicts: Allow, Ask, Deny
Every action an agent attempts is resolved against permission rules into one of three outcomes:
- allow: the action runs without interruption
- ask: the agent pauses and requests your approval before proceeding
- deny: the action is blocked outright, no prompt
Rules target tools and can be scoped narrowly. Bash(npm run test:*) allows a family of test commands; Read(./.env) can be denied to keep secrets out of context; Edit(./src/**) can be allowed while writes elsewhere still ask. The specificity is the point: you grant fast paths for the safe, common actions and reserve friction for the consequential ones.
The mental split versus hooks (covered in the hooks guide): permission rules are declarative allow/ask/deny lists the system evaluates; a PreToolUse hook is a program that can apply arbitrary logic and block with feedback. Use rules for "these commands are fine, these are forbidden"; reach for a hook when the decision needs conditions a static rule cannot express.
Preparing for CCA-F? Practice with 390+ exam questions
Settings Precedence: Who Wins
Permission rules (and every other setting) come from several files, and the exam's hardest Configuration questions turn on which one wins. The precedence, strongest first:
- Enterprise managed policy (organization-deployed): overrides everything, non-negotiable
- Command-line flags for the current invocation
- Local project settings (
.claude/settings.local.json, your personal per-project file, gitignored) - Shared project settings (
.claude/settings.json, committed to the repo) - User settings (
~/.claude/settings.json, your global defaults)
More specific and higher-authority sources override broader ones. Two consequences the exam tests:
- A
denyin enterprise policy cannot be undone by a project or user setting. Security boundaries set by the org hold no matter what a repo's config says. - Shared vs local project settings is the collaboration distinction:
settings.jsonis committed so the whole team inherits it;settings.local.jsonis your personal overrides that stay out of git. Putting a personal convenience allow-rule in the shared file (and pushing it) is the kind of mistake a scenario question is built around.
Master These Concepts with Practice
Our CCA-F practice bundle includes:
- 6 full practice exams (390+ questions)
- Detailed explanations for every answer
- Domain-by-domain performance tracking
30-day money-back guarantee
Permission Modes
Beyond individual rules, Claude Code runs in a permission mode that sets the baseline posture:
| Mode | Behavior | Fits |
|---|---|---|
| Default | Ask for consequential actions per the rules | Everyday interactive work |
| Plan mode | Read and analyze only; no edits or commands | Investigation, review, "show me the plan first" |
| Auto-accept edits | File edits proceed without prompting | Trusted, fast iteration on a scoped task |
| Bypass permissions | Skip prompts entirely | Sandboxed automation only; dangerous elsewhere |
Mode and rules compose: even in a permissive mode, a deny rule still blocks. Plan mode is a frequent exam answer for "how do you let the agent investigate a sensitive system without risking changes" because it removes the capability rather than trusting the agent to abstain.
The Security Scenarios the Exam Builds
Representative shapes, all resolvable from the rules above:
- "The agent must never read
.envorsecrets/." Adenyon those paths; the safest place is enterprise or shared project settings so it is not one careless local override away from disappearing. - "Let the agent run tests freely but confirm before installs."
allowthe test command family,askonnpm install. - "A junior wants to loosen a security rule the company set." They cannot; enterprise policy outranks project and user settings. This is the exam testing whether you know the precedence direction.
- "Investigate a production incident with zero risk of mutation." Plan mode: capability removed, not merely discouraged.
- "Autonomous CI job editing files unattended." Auto-accept or bypass, but only because it runs sandboxed; the same setting on a dev laptop is the wrong answer.
The through-line the exam rewards: security is layered. Untrusted content can prompt-inject an agent's reasoning, but it cannot rewrite a deny rule or forge an enterprise policy. Hard boundaries belong in the permission and hook layers, not in advisory prose that a clever injection can talk around. This is the same principle the context and reliability material builds on.
Re-scope an over-powered agent to least privilege
Permissions in practice: take a tool-wielding agent with too much reach and constrain it to exactly what it needs, then confirm the excess access is gone.
Key Takeaways
- Every action resolves to allow, ask, or deny; scope rules narrowly to tools and paths
- Precedence, strongest first: enterprise policy > CLI flags > local project > shared project > user settings
- Enterprise
denyrules are absolute; project and user configs cannot override org security settings.json(shared, committed) vssettings.local.json(personal, gitignored) is the team-vs-you split- Permission modes set the baseline; plan mode removes edit capability entirely for safe investigation
- Hard boundaries live in permissions and hooks, never in advisory instructions
The Claude Code course makes you the permission system in a Level 5 interactive resolver, and Preporato's CCA-F practice tests drill precedence and permission scenarios across 390 explained questions.
Sources:
Last updated: July 10, 2026
Ready to Pass the CCA-F Exam?
Join thousands who passed with Preporato practice tests
