Skip to main content

Policy Actions

Tollgate uses a policy-based access control model. Each tool call is evaluated against policies to determine the appropriate action.

Actions

ActionBehaviorUse Case
allowProceed without approvalTrusted, read-only operations
denyBlock entirelyDangerous or disallowed operations
promptAsk user for approvalOperations requiring human review

allow

The tool call proceeds immediately without user interaction. 
tools:
  "query":
    action: allow
Best for:
  • Read-only operations
  • Well-understood, safe tools
  • High-frequency operations where prompts would be disruptive

deny

The tool call is blocked and an error is returned to the AI agent. 
tools:
  "delete_*":
    action: deny
    reason: "Deletion is not permitted"
Best for:
  • Destructive operations like DELETE, DROP, TRUNCATE
  • Administrative commands
  • Operations outside the agent’s scope

prompt

The user is asked to approve or reject the tool call in the terminal. 
tools:
  "execute":
    action: prompt
    message: "Agent wants to execute SQL"
Best for:
  • Write operations
  • Sensitive data access
  • Any operation where human judgment is valuable

Policy Matching

Policies are matched using glob patterns: 
tools:
  # Exact match
  "query":
    action: allow

  # Prefix match
  "read_*":
    action: allow

  # Suffix match
  "*_dangerous":
    action: deny

  # Catch-all (should always be last)
  "*":
    action: prompt

Match Priority

Policies are evaluated in order. The first matching policy wins: 
tools:
  "read_file":     # Matches first for 'read_file'
    action: allow
  "read_*":        # Matches for other 'read_' tools
    action: prompt
  "*":             # Catches everything else
    action: deny

Smart Policies with Analyzers

For content-aware decisions, use analyzers: 
tools:
  "execute":
    analyzer: sql
    risks:
      read: allow
      write: prompt
      destructive: deny
      dangerous: deny
The analyzer inspects the tool’s arguments and classifies the risk level. Learn more about analyzers →

Session-Based Approvals

Reduce approval fatigue with session grants: 
tools:
  "write_file":
    action: prompt
    session:
      enabled: true
      duration: "15m"
      scope: "tool"
When a user approves, subsequent identical requests are auto-approved for the session duration. Learn more about sessions →

Example Configurations

Strict (Maximum Security)

defaults:
  action: deny

servers:
  postgres:
    tools:
      "query":
        action: prompt
      "*":
        action: deny

defaults:
  action: prompt

servers:
  postgres:
    tools:
      "query":
        action: allow
      "execute":
        analyzer: sql
        risks:
          read: allow
          write: prompt
          destructive: deny
          dangerous: deny
      "*":
        action: deny

Permissive (Development Only)

defaults:
  action: allow

servers:
  postgres:
    tools:
      "*":
        action: allow
[!CAUTION] Permissive policies should only be used in development environments with non-sensitive data.