/pattern/permission-scoped-tools/

04 · ProductionTool IntegrationScoped ToolsPermissioned ToolsLeast-Privilege Tools

Permission-scoped Tools.
Each tool carries the smallest permission set that lets it work.

Each tool is provisioned with the minimal permissions its use requires, scoped per agent, task, or run — so the credential a tool call carries, not merely which tools exist, bounds what a compromised or misdirected call can reach.

In practiceA document-processing agent is provisioned with read-only S3 access for the specific input bucket, so even if it calls a delete method the IAM scope denies the action.

Without itWithout scoped permissions, a compromised or misdirected tool call can reach systems it never needed, amplifying a single prompt injection into a broad data breach. See the anti-pattern →

When to reach for it

  • Tools execute sensitive actions.
  • Agents require varying access levels.
  • Compliance or auditability is relevant.

When it backfires

  • All actions are read-only and non-critical.
  • Permissions cannot be cleanly modelled.
  • Excessive fragmentation degrades usability.

The tradeoff

Enhanced security is gained against higher administration overhead.

The effect

What it actually does.

A tool call runs only within its granted scope.

tool callscope checkpermitteddenied
Pitfalls

Two ways this pattern will hurt you.

Scopes drift into 'admin' over time

Every time a task fails on a permission boundary, the easy fix is to broaden the scope. After three quarters every tool runs with admin and the original principle is gone.

Fix · Treat permission widening as an architectural change, not a bug fix. Require a reviewer when a scope grows; record the justification in the audit trail.

The scope lives in the prompt, not the credential

The agent is instructed not to call the delete method, but the token it holds still permits it. A prompt injection ignores the instruction and the platform happily executes the call.

Fix · Enforce scope at the credential / IAM layer so the action is denied at the boundary; never treat a prompt instruction as a security control.

Framework support

Where Permission-scoped Tools is native.

OpenAI Agents SDKper-agent toolsNative
Microsoft Agent Frameworkscoped toolsNative
Google ADKscoped tool accessNative
AWS StrandsIAM-scoped toolsNative
LangGraphper-node toolsNative

Search

Search patterns, frameworks, and pages.