Creating Policies
Policies are created through the Bulwark dashboard. This guide walks you through the process.
Tip
Already have permissions configured in Claude Code? You can import them directly instead of recreating them by hand.
Accessing the Policy Editor
- Log in to your Bulwark dashboard
- Navigate to Policies in the sidebar
- Click Add Policy
Policy Fields
Name
Give your policy a descriptive name that explains what it does:
- ✅ "Block destructive file operations"
- ✅ "Require approval for production deploys"
- ❌ "Policy 1"
Description (Optional)
Add context about why this policy exists and when it should trigger.
Status
| Status | Behavior |
|---|---|
| Active | Policy is enforced on all matching tool calls |
| Inactive | Policy exists but is not enforced |
| Draft | Policy is being edited, not enforced |
Priority
A number that determines evaluation order. Higher numbers are checked first.
- Use 100+ for critical security policies
- Use 50-99 for important operational policies
- Use 1-49 for convenience policies
Action
What happens when the policy matches:
| Action | Result |
|---|---|
| Allow | Auto-approve immediately |
| Deny | Block with optional message |
| Ask | Send to approval queue |
Building Rules
Rules define when a policy matches. Each rule has three parts:
1. Field
What to check. Common fields:
- tool_name - The tool being called
- tool_input.command - Bash command text
- tool_input.file_path - File being accessed
- cwd - Current working directory
2. Operator
How to compare:
- equals - Exact match
- contains - Substring match
- starts_with - Prefix match
- ends_with - Suffix match
- matches - Regex match
- in - Value in list
3. Value
What to compare against.
Combining Rules
AND Logic
All rules must match. Use for specific conditions:
tool_name equals "Bash"
AND
tool_input.command contains "rm"
AND
tool_input.command contains "-rf"
OR Logic
Any rule can match. Use for multiple triggers:
tool_input.file_path ends_with ".env"
OR
tool_input.file_path ends_with ".secret"
OR
tool_input.file_path contains "password"
Example: Protect Config Files
Let's create a policy that requires approval before modifying configuration files.
Settings:
- Name: Protect configuration files
- Priority: 75
- Action: Ask
- Status: Active
Rules:
tool_name in ["Edit", "Write"]
AND
(
tool_input.file_path ends_with ".config.js"
OR
tool_input.file_path ends_with ".config.ts"
OR
tool_input.file_path contains "/config/"
)
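To check rule logic before trying it in a live session, the sketch below models the field, operator and AND/OR semantics described above and runs this page's two rule sets against constructed tool calls. It is an added example, not Bulwark's code: the tuple rule format, the helper names (`lookup`, `rule_matches`, `edit`, `bash`) and the shape of the tool-call dictionary are assumptions, and the `matches` regex operator is left out because this page does not define its matching mode.

```python
# Local model of the rule semantics on this page (assumed, not Bulwark's evaluator).
OPS = {
    "equals": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "starts_with": lambda actual, value: actual.startswith(value),
    "ends_with": lambda actual, value: actual.endswith(value),
    "in": lambda actual, value: actual in value,
}

def lookup(call, field):
    """Resolve a dotted field such as tool_input.file_path (None if absent)."""
    for part in field.split("."):
        call = call.get(part) if isinstance(call, dict) else None
    return call

def rule_matches(node, call):
    """node is ("all", [...]), ("any", [...]) or (field, operator, value)."""
    if node[0] in ("all", "any"):
        combine = all if node[0] == "all" else any
        return combine(rule_matches(child, call) for child in node[1])
    field, op, value = node
    actual = lookup(call, field)
    return isinstance(actual, str) and OPS[op](actual, value)

# "Protect configuration files" from this page: AND with a nested OR group.
PROTECT_CONFIG = ("all", [
    ("tool_name", "in", ["Edit", "Write"]),
    ("any", [
        ("tool_input.file_path", "ends_with", ".config.js"),
        ("tool_input.file_path", "ends_with", ".config.ts"),
        ("tool_input.file_path", "contains", "/config/"),
    ]),
])
# The AND example from "Combining Rules".
RM_RF = ("all", [
    ("tool_name", "equals", "Bash"),
    ("tool_input.command", "contains", "rm"),
    ("tool_input.command", "contains", "-rf"),
])

def edit(path):  # constructed sample tool call
    return {"tool_name": "Edit", "tool_input": {"file_path": path}}

def bash(command):  # constructed sample tool call
    return {"tool_name": "Bash", "tool_input": {"command": command}}

if __name__ == "__main__":
    for c in (edit("/repo/webpack.config.mjs"), bash("grep -rf patterns.txt src/forms")):
        print(c["tool_input"], rule_matches(PROTECT_CONFIG, c), rule_matches(RM_RF, c))
```

Both printed cases are worth reviewing when authoring rules: `webpack.config.mjs` falls outside the listed suffixes, and the substring rules match `grep -rf patterns.txt src/forms` because "rm" occurs inside "forms". The same substring rules do not match a command that writes the flags separately, such as `rm -r -f ./build`.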
Testing Your Policy
After creating a policy:
- Keep the dashboard open
- Start a Claude Code session
- Trigger a tool call that should match
- Verify the policy action occurs
Tip
Start with the Ask action while testing. Once you're confident the rules work correctly, change to Allow or Deny as needed.
Next Steps
- Importing from Claude Code - Migrate existing Claude Code permissions
- Rule Conditions - All available fields and operators
- Actions - When to use each action type