> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hops.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Agent permissions

> Control what your agents can access and what they need your approval to do.

Permissions define what an agent is allowed to do, and what it must stop and ask you about first. They're how you keep your agents useful without giving them unchecked access.

## Two types of permissions

**Read permissions** control what tools and content an agent can access.

**Action permissions** control what an agent can do, and whether it needs human approval first.

## Read permissions

| Permission          | What the agent can access                                                    |
| ------------------- | ---------------------------------------------------------------------------- |
| **Space context**   | Threads, docs, pins, and artifacts in the Spaces it belongs to               |
| **Connected tools** | Apps and data connected to the workspace or directly to this agent           |
| **Specific tools**  | A subset of connected tools (e.g. only the legal folder, not the full drive) |
| **Agent artifacts** | Documents, tables, and reference material uploaded to this agent             |

Restrict read permissions when an agent should only work with a specific domain. A finance agent doesn't need to read your marketing Space.

## Action permissions

| Action                       | Default           | Description                                             |
| ---------------------------- | ----------------- | ------------------------------------------------------- |
| **Draft and summarize**      | Allowed           | Writing, summarizing, and researching (internal only)   |
| **Create artifacts**         | Allowed           | Documents, tables, images saved in the Space            |
| **Send messages in threads** | Allowed           | Responding in a Space thread                            |
| **Update records**           | Requires approval | CRM updates, task changes, doc edits in connected tools |
| **Send externally**          | Requires approval | Emails, messages, or content sent outside Hops          |
| **Access new tools**         | Requires approval | Connecting to a tool the agent hasn't accessed before   |

## Setting permissions

You set permissions when you [create a custom agent](/agents/create-an-agent). You can adjust them later as your team's needs evolve.

## What happens when approval is required

When an agent reaches an action that requires approval, it stops and shows you exactly what it wants to do and what it would use to do it. You can:

* **Approve** and the agent proceeds
* **Revise** and the agent adjusts the action before doing it
* **Decline** and the agent stops and explains what it couldn't do

Nothing is sent or updated without your explicit go-ahead.

<Note>
  Actions that require approval are never batched. Each one is presented individually so you know exactly what you're approving.
</Note>

## Best practices

* **Start restrictive, expand as trust builds.** It's easier to add permissions than to recover from an unwanted action.
* **Require approval for anything external.** An agent that can send emails without approval is a liability, not a feature.
* **Scope read access to the role.** An agent that can only see its relevant tools gives more accurate, less confused responses.

## Related

* [Create an agent](/agents/create-an-agent)
* [Agent instructions](/agents/agent-instructions)
* [Connections](/connections/overview)


## Related topics

- [Custom agents](/docs/agents/custom-agents.md)
- [Create an agent](/docs/agents/create-an-agent.md)
- [Connections overview](/docs/connections/overview.md)
- [Automations](/docs/agents/automations.md)
- [HR & people ops](/docs/teams/hr-people-ops.md)
