Safe Claude Code Onboarding Workflow for Development Teams
A safe Claude Code onboarding workflow for development teams starts with a project-level .claude/settings.json file that explicitly allows only the tools new developers need and denies access to secrets files and dangerous commands. Combining deny rules, allow rules, and the right permission mode gives teams automation speed without accidental credential exposure. The result: junior developers get the productivity benefits of AI-assisted coding immediately, while the blast radius of any mistake is contained by configuration, not by trust.
What Is the Claude Code Permissions System and Why Does It Matter for Onboarding?
Claude Code's permissions and tool allowlists form a security gateway that controls which tools Claude can use automatically, which require explicit human approval, and which are blocked outright. Without it, every file write and shell command requires manual approval — which defeats the purpose of automation. With it, you can define precise safe corridors so Claude works quickly on permitted tasks while dangerous operations are caught automatically before execution.
For onboarding, this matters enormously. A new hire using Claude Code without any permission configuration could accidentally expose .env files, trigger unreviewed package installs, or run shell commands that touch production infrastructure. A well-crafted settings.json checked into the repository means every developer who clones the project inherits the same guardrails automatically.
The system evaluates rules in a strict hierarchy: deny rules fire first and block unconditionally, then allow rules grant silent auto-approval, and anything not matched either prompts the user or is blocked depending on the active permission mode. This means you can always trust that a deny rule will hold, regardless of what allow rules exist.
Learn more in the official Claude Code security and permissions documentation.
How Do You Set Up a Safe Onboarding Configuration Step by Step?
The following workflow is designed for a team lead preparing a repository for a new hire. It takes about ten minutes and produces a configuration that is version-controlled, auditable, and easy to extend.
- Create
.claude/settings.jsonin your project root. This is the project-level settings file. It takes precedence over any global user settings, so your team's rules win. - Add a
permissionsobject withallowanddenyarrays. Each entry is a tool-name string, optionally with a parenthesized argument pattern — for example,Bash(npm run test)orRead(./.env). - Populate the deny array first. List anything that must never execute: reads of
.envfiles, secrets directories, SSH keys, and any shell commands that touch external APIs or infrastructure. - Populate the allow array with exactly the commands new developers need. Be specific:
Bash(npm run lint),Bash(npm run test *),Bash(npm run build)rather than a broad wildcard. - Save and commit the file. Claude Code reads it at session start and merges it with global settings, with project-level rules taking precedence.
- Run
/permissionsin the Claude Code terminal to view the active merged rule set and verify that your deny rules are in effect before handing off to the new hire. - Brief the new hire on permission modes. For their first sessions, the default mode (which prompts before most tool uses) is the safest starting point. As they build familiarity, they can move to
acceptEditsmode for faster file-editing workflows.
What Does a Real Onboarding Configuration Look Like?
Here is a concrete example for a JavaScript project. The goal: allow Claude to run linters and tests automatically, but block any reads of credential files and any package installation commands.
{
"permissions": {
"allow": [
"Bash(npm run lint)",
"Bash(npm run test *)",
"Bash(npm run build)"
],
"deny": [
"Read(./.env)",
"Read(./.env.*)",
"Read(./secrets/**)",
"Bash(npm install)",
"Bash(npm install *)",
"Bash(npm uninstall *)"
]
}
}
With this configuration in place, Claude runs npm run test automatically without prompting, reports failing tests, and fixes code — but if it ever attempts to read .env or install a package, it is blocked and informs the developer that the action requires manual approval. This is the most common beginner security mistake caught automatically.
For the full settings reference, see the Claude Code settings documentation.
Which Permission Mode Should New Developers Start With?
Permission modes set the overall posture of a Claude Code session. There are four:
- default — asks before most tool uses. Best for new developers who want full visibility into what Claude is doing.
- acceptEdits — silently approves file read/write operations but still prompts for shell commands. Good for developers doing large refactors once they trust the file-level rules.
- bypassPermissions — silently approves everything (deny rules still fire). Reserve this for fully isolated CI containers, not human developer sessions.
- dontAsk — prevents all tool execution. Useful for read-only architecture reviews of unfamiliar codebases — it is impossible for Claude to make accidental changes.
For onboarding, the recommended progression is: start in default mode so the new hire sees every action Claude takes and builds intuition, then graduate to acceptEdits once they are comfortable with the allow/deny rules in place.
When Should You Use Global Settings vs. Project Settings?
| Scenario | Use Project .claude/settings.json |
Use Global ~/.claude/settings.json |
|---|---|---|
| Team-wide rules for a specific repo | ✓ Version-controlled, applies to everyone who clones | ✗ Not shared across the team |
| Personal defaults across all projects | ✗ Would need to be duplicated in every repo | ✓ Applies globally, e.g., always block reads of ~/.ssh |
| Blocking secrets files everywhere | ✗ Only covers this project's secrets | ✓ Covers all projects regardless of which repo you open |
| CI/CD pipeline rules | ✓ Checked in with the code, reproducible | ✗ Not available in ephemeral containers |
The practical recommendation for teams: put project-specific allow/deny rules in .claude/settings.json and commit it. Encourage developers to add personal global rules (like blocking their own SSH directory) in their own ~/.claude/settings.json. The two merge additively for URL and environment variable allowlists, with project rules taking precedence for permission allow/deny.
What Are the Most Common Onboarding Mistakes and How Do You Avoid Them?
Wildcard patterns don't match the way you expect
The asterisk in a rule like Bash(npm *) matches a single argument segment — it does not capture all npm subcommands universally. For maximum reliability, list each permitted command explicitly: Bash(npm run lint), Bash(npm run test *), Bash(npm run build) rather than relying on a single wildcard rule. Test each pattern carefully before handing off to a new hire.
Assuming deny rules don't apply in bypassPermissions mode
Deny rules are enforced even in bypassPermissions mode — if a deny rule matches, the tool is blocked. This is a safety guarantee you can rely on. However, bypassPermissions should still be reserved for fully trusted, isolated environments such as locked-down CI containers, not developer laptops.
Using the wrong flag in headless pipelines
One flag triggers an interactive consent dialog on first run — a headless pipeline without a TTY will freeze indefinitely waiting for that confirmation. For CI pipelines, use --permission-mode dontAsk (for read-only analysis) or --permission-mode bypassPermissions (for full autonomous operation) instead, as these suppress the consent dialog entirely.
Forgetting to audit the merged rule set
Global and project settings merge in ways that can surprise you. Always run /permissions in the Claude Code terminal to view the active compiled rule set before a new hire's first session. This shows you exactly what is allowed, what is denied, and what will prompt — no guessing.
Is a Permissions-First Onboarding Workflow Worth the Setup Time?
Yes — and the setup is genuinely lightweight. A settings.json file with a handful of allow and deny rules takes minutes to write and pays dividends every time a developer opens the project. The alternative — relying on new hires to manually approve every Claude action — creates approval fatigue and, paradoxically, leads to less careful review of each prompt.
The use case from the source material captures it well: a team lead wants Claude to help a new hire run linters and tests but prevent accidental reads of .env files or calls to external APIs during pair programming sessions. That scenario is solved entirely by the configuration above, with no ongoing maintenance required.
For enterprise teams, organization-wide ceilings can be configured so that individual role grants cannot exceed those ceilings — giving security teams a top-level control layer above anything individual developers configure. See the Claude Code enterprise deployment guide for details on organization-level settings.
The permissions system is not optional overhead — it is the mechanism that makes Claude Code safe enough to hand to a new hire on day one.
Frequently asked questions
What is the safest Claude Code permission mode for a new developer's first session?
The default permission mode is the safest starting point for new developers. It asks before most tool uses, giving the developer full visibility into every action Claude takes. Once they are comfortable with the allow/deny rules in place, they can graduate to acceptEdits mode for faster file-editing workflows.
How do deny rules interact with allow rules in Claude Code?
Deny rules take precedence over allow rules — they fire first and block unconditionally. This means if a tool action matches both a deny rule and an allow rule, the deny rule wins. You can always trust that a deny rule will hold regardless of what allow rules exist.
Can I check what permissions are currently active in a Claude Code session?
Yes. Run /permissions in the Claude Code terminal to view the active merged rule set. This shows you exactly what is allowed, what is denied, and what will prompt — accounting for both global and project-level settings files.
Should I use bypassPermissions mode for developer onboarding?
No. bypassPermissions silently approves everything (except explicit deny rules) and is designed for fully isolated CI containers where no human is present. For developer onboarding, use default mode so new hires can see every action Claude takes and build intuition about the tool.
How do project-level and global settings files interact?
Project-level .claude/settings.json rules take precedence over global ~/.claude/settings.json rules for permission allow/deny. URL allowlists and environment variable allowlists merge additively across both files. Run /permissions to see the final compiled rule set.
What is the right way to block secrets files like .env from Claude Code?
Add deny rules to your .claude/settings.json for each secrets file pattern — for example, Read(./.env), Read(./.env.*), and Read(./secrets/**). Deny rules fire before allow rules and block unconditionally, so these files will never be read even if a broad allow rule exists.
Permissions & tool allowlists is one of 85 features in Claude Master — the independent, always-current manual with worked examples, the pitfalls, and the workflows that make Claude pay.
Get Claude Master — founding price →Independent product. Not affiliated with or endorsed by Anthropic. "Claude" is a trademark of Anthropic, used here only to describe the subject of this guide.