Skip to main content

Permissions

Two questions decide what happens when an agent works: who is using it, and what is the agent allowed to do on its own. OtoDock answers the first with roles and the second with permission modes — and pauses for your approval whenever something needs a human in the loop.

Roles: who can do what

Access is granted per agent. Each person assigned to an agent gets one of three roles:

RoleCan do
ViewerChat with the agent, work in their own private space, and read the agent's shared files.
EditorEverything a viewer can, plus edit the agent's shared workspace.
ManagerFull control — shape the agent's persona, knowledge, tools, and settings.

The dividing line is deliberate: editors collaborate on work, but only managers change the agent's behavior. These per-agent roles sit under your platform role (admin, creator, or member), which governs the install as a whole.

→ See Users & Access for the full picture, including SSO and login security.

Permission modes: how much an agent does on its own

Every chat runs in a permission mode you choose from the dashboard. It decides which actions go through automatically and which pause to ask you first:

ModeBehavior
DefaultThe agent reads and explores freely, but pauses for approval before editing files, running anything beyond simple commands, or using a tool.
Accept editsFile edits and routine commands go through automatically; riskier actions still ask.
Don't askThe agent runs autonomously without pausing.
Plan (Claude Code only)Read-only. The agent investigates and proposes a plan, changing nothing until you approve it.

You can switch modes mid-conversation. When the agent hits something that needs approval, it pauses and you click Allow or Deny right in the chat.

Plan mode is specific to Claude Code — it engages Claude Code's own built-in plan mode, so it isn't offered for Codex or the direct engine.

note

Scheduled tasks run autonomously by design — there's no one watching a chat to approve each step. Their access is bounded by the agent's sandbox and role, not by live prompts.

Command safety

When an agent runs shell commands, OtoDock classifies each one and applies sensible guardrails on top of the mode:

  • Routine commands (listing files, reading, searching) go through smoothly.
  • Destructive commands (deleting files, wiping data) pause for approval even in "accept edits" mode — so a mistake can't slip through. In don't ask mode you've chosen full autonomy, and they run without pausing.
  • Truly dangerous commands (wiping a disk, a fork bomb, reading system password files) are always blocked, in every mode and for every role. There's no way to approve them.
  • Host-level commands (managing system services, the container runtime, package installs) are reserved for administrators on the server.

Whatever a command does, it's still confined to the agent's sandbox — so even a command that runs can only touch what the agent was already allowed to touch.

Next steps