Setting Up Policies

Simple policies (recommended)

The simplest way to govern your OpenClaw agents is with simple policies — set each tool category to Allow, Ask, or Deny.

Via the dashboard

  1. Open the client dashboard at http://0.0.0.0:3000

  2. Navigate to Policies

  3. The Simple Policy tab shows all categories

  4. Click to set each category: Allow, Ask, or Deny

  5. Click Save Policy

Via the CLI

# View current policy
faramesh policy show

# Set a category
faramesh policy set bash ask
faramesh policy set filesystem allow
faramesh policy set browser allow
faramesh policy set network allow
faramesh policy set canvas allow
faramesh policy set other deny

# Set for a specific agent
faramesh policy set bash deny --agent-id

Via the API

# Get current simple policy
curl http://127.0.0.1:8000/v1/policies/simple

# Update simple policy
curl -X PUT http://127.0.0.1:8000/v1/policies/simple \
  -H "Content-Type: application/json" \
  -d '{"categories": {"bash": "ask", "filesystem": "allow", "browser": "allow", "network": "allow", "canvas": "allow", "other": "ask"}}'

# Reset to defaults
curl -X

Default policy

The default simple policy is:

Category      Default
Bash          Ask
File System   Ask
Browser       Allow
Network       Allow
Canvas        Allow
Other         Ask

Per-agent policies

Each agent can have its own policy. If no agent-specific policy is set, the default (tenant-level) policy is used.

# Set per-agent policy via CLI
faramesh policy set bash deny --agent-id production-agent

# Via API
curl -X PUT http://127.0.0.1:8000/v1/agents/production-agent/policy \
  -H "Content-Type: application/json" \
  -d '{"policy_type": "simple", "simple_policy": {"bash": "deny", "filesystem": "ask", "browser": "allow", "network": "allow", "canvas": "allow", "other": "deny"}}'

Advanced policies (YAML)

For more complex rules — pattern matching, budget limits, conditional logic — use the Advanced tab in the dashboard or create YAML policy files.

name: OpenClaw Production Policy
description: Strict governance for production agents
rules:
  - match:
      tool: bash
      params:
        command: "rm|shutdown|reboot|drop|delete"
    deny: true
    reason: "Destructive commands are blocked in production"

  - match:
      tool: bash
    require_approval: true
    risk: high
    reason: "Shell commands require approval"

  - match:
      tool: filesystem
      op: write
      params:
        path: ".*\\.env$|.*\\.key$|.*\\.pem$"
    deny: true
    reason: "Cannot write to sensitive files"

  - match:
      tool: filesystem
      op: delete
    require_approval: true
    risk: medium
    reason: "File deletion requires approval"

  - match:
      tool: stripe
      amount_gt: 500
    require_approval: true
    risk: critical

  - match:
      tool: browser
    allow: true
    risk: low

  - match:
      tool: web_fetch
    allow: true
    risk

Save this as policies/openclaw_production.yaml and activate it:

Or create and activate via the dashboard on the Advanced (YAML / JSON) tab.
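
A way to dry-run the YAML rules above against sample actions before activating them. This is an added example, not Faramesh code: it assumes rules are checked top to bottom with the first match winning, that params patterns are applied as regular-expression searches, and that an action is a dict with tool, op, params and amount keys; the page does not document any of these, and no_match is a label used here only.

```python
import re

# Rules transcribed from the page's YAML; the truncated web_fetch rule is left out.
RULES = [
    {"match": {"tool": "bash", "params": {"command": "rm|shutdown|reboot|drop|delete"}},
     "deny": True},
    {"match": {"tool": "bash"}, "require_approval": True},
    {"match": {"tool": "filesystem", "op": "write",
               "params": {"path": r".*\.env$|.*\.key$|.*\.pem$"}}, "deny": True},
    {"match": {"tool": "filesystem", "op": "delete"}, "require_approval": True},
    {"match": {"tool": "stripe", "amount_gt": 500}, "require_approval": True},
    {"match": {"tool": "browser"}, "allow": True},
]


def rule_matches(match, action):
    """ASSUMED semantics: exact tool/op, regex search on params, numeric amount_gt."""
    if match["tool"] != action.get("tool"):
        return False
    if "op" in match and match["op"] != action.get("op"):
        return False
    if "amount_gt" in match and not action.get("amount", 0) > match["amount_gt"]:
        return False
    params = action.get("params", {})
    return all(re.search(pattern, str(params.get(key, "")))
               for key, pattern in match.get("params", {}).items())


def decide(action, rules=RULES):
    """ASSUMED: rules are checked top to bottom and the first match wins."""
    for rule in rules:
        if rule_matches(rule["match"], action):
            if rule.get("deny"):
                return "deny"
            return "require_approval" if rule.get("require_approval") else "allow"
    return "no_match"  # the page does not say what an unmatched action gets


# Constructed sample actions (not from the page) to run before activating the policy.
SAMPLES = [
    {"tool": "bash", "params": {"command": "rm -rf build"}},
    {"tool": "bash", "params": {"command": "terraform plan"}},  # contains "rm"
    {"tool": "bash", "params": {"command": "ls -la"}},
    {"tool": "filesystem", "op": "write", "params": {"path": "README.md"}},
    {"tool": "stripe", "amount": 500},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decide(sample), sample)
```

Under these assumptions the unanchored command pattern also denies terraform plan, because "terraform" contains "rm", and actions such as a Stripe charge of exactly 500 or a write to README.md match no rule, so their outcome depends on a fallback the policy file does not express.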

Dynamic categories

As tools are used, Faramesh tracks which tools have been seen and their auto-assigned categories. View them on the Tools Seen section of the Policies page. If a tool is miscategorized, you can create a custom YAML rule to override the behavior.
