> ## Documentation Index
> Fetch the complete documentation index at: https://docs.xpander.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions and Access

> Control what an agent can do and who can use it.

Permissions and Access define the boundaries around a custom agent.

They let teams give agents useful autonomy while keeping important actions visible and controlled.

<Frame caption="Permissions and access controls define what an agent can do automatically, when it should ask first, and who can use it.">
  <img src="https://mintcdn.com/xpanderai-099931d1/ZExbmT2Yknjn6o_V/images/image-59.png?fit=max&auto=format&n=ZExbmT2Yknjn6o_V&q=85&s=8f910ab05fc249c62332a5811d06070f" alt="Tool permissions and access controls for a custom agent" width="3000" height="1506" data-path="images/image-59.png" />
</Frame>

## Tool permissions

Tool permissions decide when an agent can use tools automatically and when it should ask first.

A common pattern is:

* Let low-risk tools run automatically
* Ask before sending messages, changing records, or taking external action
* Restrict sensitive tools to specific users or workflows

<Frame caption="Set which tools run automatically and which require approval.">
  <img src="https://mintcdn.com/xpanderai-099931d1/ZExbmT2Yknjn6o_V/images/image-72.png?fit=max&auto=format&n=ZExbmT2Yknjn6o_V&q=85&s=20bee4591f96b28132170b82e06cef94" alt="Tool permission controls for a custom agent" width="796" height="784" data-path="images/image-72.png" />
</Frame>

## Ask-before-running behavior

Ask-before-running behavior gives users a moment to approve important actions.

For example, a Stock & IPO Monitor might search the web automatically, but ask before sending an email to a broad audience.

## Org-wide and managed access

Access controls who can use the agent. Make it org-wide when the agent is broadly useful and safe for teammates to discover, or manage access to limit it to specific users or groups for agents that touch sensitive workflows across finance, legal, HR, security, data, or customer operations.

<Frame caption="Set an agent to org-wide access or limit it to specific users and groups.">
  <img src="https://mintcdn.com/xpanderai-099931d1/ZExbmT2Yknjn6o_V/images/image-71.png?fit=max&auto=format&n=ZExbmT2Yknjn6o_V&q=85&s=518a8020c5097788a9a11e1edaa7fb23" alt="Org-wide and managed access controls" width="714" height="220" data-path="images/image-71.png" />
</Frame>
