Governance
Permissions
Which role can run which tool action. Every cell is a live Cedar decision from the policies the agent enforces, evaluated through agent-shield, not a hand-drawn grid.
| Tool action | SupportLead | Engineer |
|---|---|---|
| zendesk · Ticket | ||
| listTickets | 01 | — |
| getTicket | 01 | — |
| replyInternal | 01 | — |
| closeTicket | 01 | — |
| replyPublic | 08 | — |
| deleteUser | 06 | 06 |
| notion · KBPage | ||
| search | 02 | — |
| getPage | 02 | — |
| hubspot · Account | ||
| getAccount | 03 | — |
| listContacts | 03 | — |
| deleteAccount | 06 | 06 |
| github · Repo | ||
| createIssue | — | 04 |
| updateIssue | — | 04 |
| listProjects | — | 04 |
allowconditional: permitted only when the policy condition holdsdenynumber = deciding policy · hover a cell for the ASI mapping