Tool Permission Systems: Fine-Grained Access Control for Agent Capabilities

Why Agents Need Permission Systems

AI agents are only as dangerous as the tools they can access. An agent with unrestricted access to a database tool can drop tables. An agent with unrestricted email access can send messages to anyone. The principle of least privilege is not optional in agentic systems — it is the foundation of safe deployment.

Unlike traditional applications where permissions are checked at API boundaries, agent tool invocations happen inside an LLM reasoning loop. The agent decides which tools to call based on natural language reasoning, making it essential to enforce permissions at the tool execution layer rather than relying on the LLM to self-regulate.

Permission Model Design

A well-designed permission model for agents maps three dimensions: who (agent identity), what (tool and parameters), and when (context and conditions). Start with a declarative policy structure:

from dataclasses import dataclass, field
from enum import Enum
from typing import Any


class PermissionEffect(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class ToolPermission:
    """A single permission rule for tool access."""
    tool_name: str
    effect: PermissionEffect
    allowed_parameters: dict[str, Any] = field(default_factory=dict)
    conditions: dict[str, Any] = field(default_factory=dict)
    max_calls_per_session: int | None = None
    requires_approval: bool = False


@dataclass
class AgentRole:
    """Role-based grouping of permissions."""
    name: str
    permissions: list[ToolPermission]
    inherit_from: list[str] = field(default_factory=list)


# Define roles with specific tool access
readonly_role = AgentRole(
    name="readonly_agent",
    permissions=[
        ToolPermission(
            tool_name="database_query",
            effect=PermissionEffect.ALLOW,
            allowed_parameters={"operation": ["SELECT"]},
            max_calls_per_session=100,
        ),
        ToolPermission(
            tool_name="database_query",
            effect=PermissionEffect.DENY,
            allowed_parameters={"operation": ["INSERT", "UPDATE", "DELETE", "DROP"]},
        ),
        ToolPermission(
            tool_name="file_read",
            effect=PermissionEffect.ALLOW,
            conditions={"path_prefix": "/data/public/"},
        ),
    ],
)

Building a Policy Engine

The policy engine evaluates each tool call against the agent's assigned permissions. Use an explicit deny-first approach where any matching DENY rule takes precedence over ALLOW rules:

from datetime import datetime


class PolicyEngine:
    """Evaluates tool call requests against agent permissions."""

    def __init__(self):
        self.roles: dict[str, AgentRole] = {}
        self.call_counts: dict[str, dict[str, int]] = {}
        self.audit_log: list[dict] = []

    def register_role(self, role: AgentRole) -> None:
        self.roles[role.name] = role

    def evaluate(
        self,
        agent_id: str,
        role_name: str,
        tool_name: str,
        parameters: dict[str, Any],
        session_id: str,
    ) -> tuple[bool, str]:
        """Evaluate whether a tool call is permitted.
        Returns (allowed, reason)."""
        role = self.roles.get(role_name)
        if role is None:
            self._audit(agent_id, tool_name, parameters, False, "Unknown role")
            return False, f"Role '{role_name}' not found"

        all_permissions = self._resolve_permissions(role)

        # Check DENY rules first (explicit deny always wins)
        for perm in all_permissions:
            if perm.tool_name == tool_name and perm.effect == PermissionEffect.DENY:
                if self._parameters_match(perm.allowed_parameters, parameters):
                    reason = f"Denied by explicit rule on {tool_name}"
                    self._audit(agent_id, tool_name, parameters, False, reason)
                    return False, reason

        # Check ALLOW rules
        for perm in all_permissions:
            if perm.tool_name == tool_name and perm.effect == PermissionEffect.ALLOW:
                if not self._parameters_match(perm.allowed_parameters, parameters):
                    continue

                if not self._conditions_met(perm.conditions, parameters):
                    continue

                # Check rate limits
                if perm.max_calls_per_session is not None:
                    count = self._get_call_count(session_id, tool_name)
                    if count >= perm.max_calls_per_session:
                        reason = f"Rate limit exceeded ({count}/{perm.max_calls_per_session})"
                        self._audit(agent_id, tool_name, parameters, False, reason)
                        return False, reason

                self._increment_call_count(session_id, tool_name)
                self._audit(agent_id, tool_name, parameters, True, "Allowed")
                return True, "Allowed"

        reason = f"No matching ALLOW rule for {tool_name}"
        self._audit(agent_id, tool_name, parameters, False, reason)
        return False, reason

    def _resolve_permissions(self, role: AgentRole) -> list[ToolPermission]:
        permissions = list(role.permissions)
        for parent_name in role.inherit_from:
            parent = self.roles.get(parent_name)
            if parent:
                permissions.extend(self._resolve_permissions(parent))
        return permissions

    def _parameters_match(self, allowed: dict, actual: dict) -> bool:
        for key, allowed_values in allowed.items():
            if key in actual and actual[key] not in allowed_values:
                return False
        return True

    def _conditions_met(self, conditions: dict, params: dict) -> bool:
        if "path_prefix" in conditions:
            path = params.get("path", "")
            if not path.startswith(conditions["path_prefix"]):
                return False
        return True

    def _get_call_count(self, session_id: str, tool_name: str) -> int:
        return self.call_counts.get(session_id, {}).get(tool_name, 0)

    def _increment_call_count(self, session_id: str, tool_name: str) -> None:
        self.call_counts.setdefault(session_id, {})
        self.call_counts[session_id][tool_name] = (
            self.call_counts[session_id].get(tool_name, 0) + 1
        )

    def _audit(
        self, agent_id: str, tool: str, params: dict, allowed: bool, reason: str
    ) -> None:
        self.audit_log.append({
            "timestamp": datetime.utcnow().isoformat(),
            "agent_id": agent_id,
            "tool": tool,
            "parameters": params,
            "allowed": allowed,
            "reason": reason,
        })

Dynamic Permissions and Human-in-the-Loop

Some operations should require runtime approval. Implement a dynamic permission system where high-risk tool calls pause execution and wait for human confirmation:

import asyncio


class ApprovalGate:
    """Pauses agent execution pending human approval for sensitive tools."""

    def __init__(self):
        self.pending: dict[str, asyncio.Future] = {}

    async def request_approval(
        self, agent_id: str, tool_name: str, parameters: dict
    ) -> bool:
        request_id = f"{agent_id}:{tool_name}:{id(parameters)}"
        loop = asyncio.get_event_loop()
        future = loop.create_future()
        self.pending[request_id] = future

        # In production, send notification to Slack, email, or dashboard
        print(f"APPROVAL REQUIRED: Agent {agent_id} wants to call "
              f"{tool_name} with {parameters}")

        # Wait for human decision (with timeout)
        try:
            approved = await asyncio.wait_for(future, timeout=300)
        except asyncio.TimeoutError:
            approved = False  # Default deny on timeout

        del self.pending[request_id]
        return approved

    def approve(self, request_id: str) -> None:
        if request_id in self.pending:
            self.pending[request_id].set_result(True)

    def deny(self, request_id: str) -> None:
        if request_id in self.pending:
            self.pending[request_id].set_result(False)

FAQ

Should every tool call go through the permission engine?

Yes. Even seemingly harmless read-only tools should be checked because information leakage is an attack vector. A read-only agent that can access customer PII without restrictions is still a security risk. The performance overhead of permission checks is negligible compared to LLM inference time.

How do you handle permission inheritance across agent hierarchies?

Use role inheritance where child roles inherit parent permissions but can override them with more restrictive rules. Follow the principle that child agents should never have more permissions than their parent. Implement this by resolving the full permission chain and applying deny-first evaluation.

What happens when the LLM hallucinates a tool call that does not exist?

The permission engine should reject any tool call where the tool name is not registered. This is a natural side effect of the allowlist approach — only explicitly permitted tools can be executed. Log these attempts because frequent hallucinated tool calls may indicate prompt issues.

---

#AccessControl #AISecurity #ToolPermissions #RBAC #AgentArchitecture #AgenticAI #LearnAI #AIEngineering