Disco ParrotDisco Parrot Home
Docs
Request a Demo

Permissions and secrets

Fixing access that was refused. A permission-denied message and the scope behind it, and the cases where an agent cannot reach a secret or a file it needs to do the work.

When an action is refused, or an agent cannot reach a secret or a file it needs, this is a permissions question, and the fix is a grant or a binding rather than a workaround. Disco Parrot checks every action against the scopes the person holds, and it keeps secrets in a vault that hands a credential to a run only as a short-lived lease. So a refusal is the platform doing its job, and clearing it is a matter of granting the right role or wiring the credential the right way. This page covers the three you will meet.

A "permission denied" message

What you see. An action is refused with a permission message that names the scope it needed, for example a message that you are missing the audit.export scope.

Why it happens. Every action maps to a scope, and you can only take an action your roles grant the scope for. A denial means one of two things, and the message tells you which. Either your roles do not include the scope, or the scope is one of a few that your plan has to include as an entitlement and your plan does not. The first is a role question; the second is a plan question, and the message names a missing entitlement rather than a missing scope.

How to fix it. For a missing scope, an admin grants you a role that includes it. The fastest path is to read the scope from the message, find a built-in role that carries it in the scope catalog, and have an admin assign that role on the members page; a custom role works too when no built-in is a clean fit. For a missing entitlement, the fix is the plan, not the role: the scope stays inert until the workspace is on a plan that includes the entitlement, so an admin or billing owner moves the workspace to a plan that carries it. The handful of entitlement-gated scopes are called out in the plans and entitlements reference.

Action refusedread the messageNames a missing scopea role denialNames a missing entitlementa plan denialAn admin grants a role that carries it.Move to a plan that includes it.
A denial is one of two things, and the message tells you which. A missing scope is a role grant; a missing entitlement is a plan move.
add_photo_alternate
Screenshot to capture
A permission-denied message in the app: a dialog or inline notice stating the action could not be completed because a required scope is missing, naming the scope such as audit.export, with a line suggesting an administrator can grant a role that includes it
save as: public/docs-media/permission-denied-message.png
Caption when added: A permission message names the scope the action needed. An admin grants a role that carries it.
add_photo_alternate
Screenshot to capture
The members page with a person selected and the role assignment open: a list of built-in roles each showing the scopes it carries, one role being assigned to the person, and the person row updating to show the new role, an admin-only surface
save as: public/docs-media/members-role-grant.png
Caption when added: An admin assigns a role that carries the scope the message named. The grant is recorded against the admin who made it.

The agent cannot reach a secret

What you see. A run cannot complete an action that needs a credential, a token to reach an external service, for example, and the step reports it could not get the credential rather than reporting the secret value.

Why it happens. Secrets live in a write-only vault: the platform stores a secret and uses it on your behalf, but it never shows the value back, not to a user and not to an admin. A run does not hold standing credentials; when a step genuinely needs one, it requests a short-lived lease for that one operation, and the credential is delivered to a single process and cleaned up after. An agent cannot reach a credential when there is no lease path configured for it: the work needs a capability the sandbox profile does not bind, the binding points at a secret that is not in the vault, or the person the run acts for is missing the scope the binding requires. The platform also refuses a managed secret that is set as a standing environment value on a sandbox, on purpose, so a credential is never quietly baked into a container.

How to fix it. Configure the credential to be leased, rather than handing the agent the secret. An admin opens the sandbox profile and adds a capability binding for the operation, points it at the secret's name in the vault, and lists the scope it requires; if the secret is not in the vault yet, an admin adds it there first. If the binding exists but the run still cannot get the credential, the person the run acts for is missing the scope the binding names, which an admin grants the same way as any other scope. The deep version of how a credential reaches a run, leased for one operation and never persisted, is on credential leases.

add_photo_alternate
Screenshot to capture
A sandbox profile capability-binding editor: a binding for an operation pointing at a secret by its name in the vault, a field listing the scope the binding requires, and the secret shown only as a reference name and never as a value, an admin-only surface
save as: public/docs-media/capability-binding-editor.png
Caption when added: A capability binding points a run at a secret by name and names the scope it needs. The value is never shown, only leased at run time.
Write-only vault
holds the secret; the value is never shown back
Capability binding
the profile names the secret and the scope it needs
Lease
one short-lived grant for one operation
Cleaned up
the credential is gone after the operation
The fix is to configure the binding, never to paste the secret as an environment value.
A secret never becomes a standing value on a run. It stays in a write-only vault, a capability binding names it, and a single short-lived lease delivers it for one operation, then it is gone.

The agent cannot reach a file

What you see. A run cannot find or open a file you expected it to work on, or it reports the file is outside what it can reach.

Why it happens. An agent works inside its own sandbox against a fresh clone of your repository, and what it can reach is what the sandbox profile gave it. A file is out of reach when the repository it lives in is not one the profile mounts, so it was never cloned into the sandbox, or when a path points outside the workspace the sandbox is allowed to read. The boundary is deliberate: a run reaches the repositories its profile names and nothing else, which is what keeps one run from reading another's work or the host underneath it.

How to fix it. Read which case you are in, and the fix follows from it.

  • The repository is not on the profile. Add it to the sandbox profile so it is cloned into the sandbox, then run again.
  • The repository is mounted, but the path is wrong. A file is reached relative to where its repository is mounted in the workspace. Point the work at the path under the mounted repository, not an absolute path on the host; a path that climbs outside the workspace is refused by design.
  • The repository was not cloned because a connection lapsed. That is a connection fix. Reauthorize the repository on connections and access, then run again.
add_photo_alternate
Screenshot to capture
A sandbox profile detail page showing the repositories the profile mounts: a list of repositories that are cloned into the sandbox, one being added to the list, and a note that a run reaches only the repositories its profile names, an admin-only surface
save as: public/docs-media/profile-repository-list.png
Caption when added: A profile names the repositories cloned into the sandbox. A file is out of reach until its repository is on the list.

How scopes, roles, and entitlements fit

Three things decide whether an action goes through, and a denial is always one of them. A scope is the permission for a single action. A role is a named set of scopes that an admin grants to a person; this is how almost every permission is given. An entitlement is a capability your plan includes, and a few scopes stay inert until the plan carries the matching entitlement. So when something is refused, the question is which of the three is missing: a role grant for a plain scope, or a plan that includes the entitlement for a gated one. The message tells you which, and the fix follows from it.

Personholds rolesgrantedRolea named set of scopesscope · scope · scopeScopeone action's permissionmost permissions come this wayEntitlement
A few scopes stay inert until the plan includes the matching entitlement.
a gated scope needs both the role and the plan
Three things decide whether an action goes through. A role is a set of scopes an admin grants to a person; a scope is one action's permission; and a few scopes stay inert until the plan includes the matching entitlement.

Clearing a denied action, start to finish

A teammate tries to export the audit log and the action is refused. The message is specific: it names the audit.export scope and says an administrator can grant a role that includes it. She does not look for a setting to toggle or a way around the check.

She copies the scope from the message and opens the scope catalog. It shows audit.export is carried by a compliance-minded role, and that the scope is one of the few gated by an entitlement, so she checks the workspace is on a plan that includes it. It is, so a role grant is the whole fix. She sends the admin one line: the action she was refused and the scope it named.

The admin opens the members page, assigns her the role, and the grant is recorded against his name. She retries the export and it goes through. The grant is on the books for anyone who looks later.

One message, one scope, one role grant. Nothing was worked around, and the grant is on the record.

Still refused after a grant

If an admin granted the role and the action is still refused, read the message once more, since it names the current cause and a second scope may be missing for the same action. Check too that the scope is not one your plan gates as an entitlement, which a role grant cannot clear on its own; the plans and entitlements reference lists the gated handful. If the message still names a scope a granted role should carry, quote that scope and the role you were given so anyone looking with you lands on the same place. Your account contact can pick it up from the scope the message names and the role on your account.

Why access is granted, not worked around

Every fix on this page is a grant or a binding rather than a way around the check, and that is the point. The platform refuses an action you do not hold the scope for, and it refuses to show a secret value to anyone, because the alternative, an action that runs without the permission or a credential that gets pasted where it can leak, is exactly what a team adopting agents needs the platform to prevent. So the path back is to grant the role, set the binding, or mount the repository, each of which leaves a record and each of which an admin can reason about. Access you restore this way is access you can account for later.

For a current user, the move is to read what the message named and take it to an admin: the scope to grant, the capability to bind, or the repository to mount. The message is specific so the ask can be specific.

For an administrator, these are the three levers you hold. A role grant clears a scope denial, a capability binding gives a run a credential without exposing it, and a profile's repository list decides what a run can read. Each is a deliberate grant, and each is auditable.

For a prospect, the takeaway is that access is governed, not improvised. An agent gets exactly the permissions and credentials it was granted, secret values are never shown to anyone, and restoring access is an explicit, recorded grant rather than a workaround.

shield
Permission scope catalog

Every scope, what it allows, and which roles carry it.

key
Credential leases

How a secret reaches a run for one operation and is cleaned up after.

dns
Sandboxes and hosts

When the problem is the compute under the run, not its permissions.

Previous
Connections and access
Next
Pull requests