Managed Policy Security Fix: ask Rules No Longer Bypassed by User allow Rules
Claude Code 2.1.74 fixes a security vulnerability in which managed policy ask rules, set by enterprise administrators to require explicit user approval for specific tool calls, could be silently bypassed by conflicting allow rules in the user's personal settings or in a skill's allowed-tools list. As a result, administrators could not reliably enforce mandatory approval gates for sensitive operations. The fix restores the intended policy hierarchy: managed (administrator) rules take precedence over all user-level and skill-level rules without exception.
Policy Hierarchy Enforcement Restored
Claude Code's permissions model is built around a layered hierarchy: managed (administrator) settings take precedence over user settings, which take precedence over skill-level settings. Version 2.1.74 closes a gap in this hierarchy: an ask rule at the managed policy level was not honored when a conflicting allow rule existed at a lower level.
The Vulnerability
When a Claude Code enterprise administrator sets a managed policy rule requiring user confirmation before a tool is invoked (an ask rule), the intent is that no automated path can bypass human approval for that operation. This is a critical control for sensitive tools such as file system writes, network calls, or any tool with side effects outside the codebase.
The bug allowed this control to be circumvented in two ways. First, if the user had an allow rule for the same tool in their personal settings.json or settings.local.json, the user rule won, and the confirmation prompt was silently skipped. Second, if a skill listed the tool in its allowed-tools array, that declaration could also suppress the managed ask requirement.
In both cases the failure was silent. No error or warning indicated that an administrator-mandated approval had been bypassed, so affected organizations may have assumed sensitive operations were gated when they were not. Because nothing was recorded when a gate was skipped, there is no reliable after-the-fact signal to search for; the practical response is to upgrade and to review which tools the user-level allow rules and skill allowed-tools lists in use actually cover.
The Fix
The corrected behavior enforces that managed policy ask rules cannot be overridden by any rule at a lower level of the hierarchy. A user allow rule or skill allowed-tools entry can still grant permissions that managed policy has not restricted, but it cannot remove a restriction that managed policy has explicitly placed. This restores the intended security boundary between administrator controls and user customization.
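The hierarchy described in the preceding sections can be made concrete with a small resolver. The TypeScript below is an added example written for this page, not Claude Code's own implementation: the function names, the rule-matching syntax and the default of prompting when no rule matches are assumptions, while the allow/ask/deny keys mirror the permissions section of settings.json. It places the pre-fix resolution (an allow rule anywhere in the stack satisfies the call) beside the fixed one (the highest-precedence layer with a matching rule decides), and runs both over a constructed set of layers.

```typescript
// Added example (not Claude Code's own code): a minimal model of layered
// permission resolution. Names are hypothetical; the allow/ask/deny keys
// follow the "permissions" section of settings.json, the rest is assumed.

type Decision = "allow" | "ask" | "deny";

interface PermissionRules {
  allow?: string[];
  ask?: string[];
  deny?: string[];
}

// Highest precedence first: managed (administrator) > user > skill.
interface Layers {
  managed: PermissionRules;
  user: PermissionRules;
  skill: PermissionRules; // a skill's allowed-tools list, allow-only
}

// Rule syntax modeled here (assumption): "Tool" matches every call of that
// tool; "Tool(prefix *)" matches calls whose argument starts with prefix;
// "Tool(exact)" matches that argument only.
function ruleMatches(rule: string, tool: string, arg: string): boolean {
  const m = /^([^(]+)(?:\((.*)\))?$/.exec(rule);
  if (m === null || m[1] !== tool) return false;
  const pattern = m[2];
  if (pattern === undefined) return true;
  if (pattern.charAt(pattern.length - 1) === "*") {
    const prefix = pattern.slice(0, pattern.length - 1);
    return arg.slice(0, prefix.length) === prefix;
  }
  return arg === pattern;
}

// One layer's own decision, or undefined when it has no matching rule.
// Within a layer, deny beats ask and ask beats allow.
function layerDecision(rules: PermissionRules, tool: string, arg: string): Decision | undefined {
  const hit = (list?: string[]) => (list ?? []).some((r) => ruleMatches(r, tool, arg));
  if (hit(rules.deny)) return "deny";
  if (hit(rules.ask)) return "ask";
  if (hit(rules.allow)) return "allow";
  return undefined;
}

// Pre-fix behaviour as the text describes it: an allow rule at any layer
// satisfies the call, so a managed "ask" is skipped when the user settings or
// a skill allow the tool. Managed deny is modeled as still honored, since the
// text reports only the ask bypass (assumption).
function resolveBuggy(layers: Layers, tool: string, arg: string): Decision {
  const decisions = [layers.managed, layers.user, layers.skill]
    .map((l) => layerDecision(l, tool, arg));
  if (decisions.some((d) => d === "deny")) return "deny";
  if (decisions.some((d) => d === "allow")) return "allow";
  if (decisions.some((d) => d === "ask")) return "ask";
  return "ask"; // no rule anywhere: prompt the user (assumed default)
}

// Fixed behaviour: walk the layers from highest precedence down and take the
// first layer that has a matching rule. A lower layer can only fill in what
// the managed layer left unspecified; it can never relax a managed ask.
function resolveFixed(layers: Layers, tool: string, arg: string): Decision {
  const ordered = [layers.managed, layers.user, layers.skill];
  for (let i = 0; i < ordered.length; i++) {
    const d = layerDecision(ordered[i], tool, arg);
    if (d !== undefined) return d;
  }
  return "ask"; // assumed default
}

// Constructed sample: the administrator requires approval for destructive
// shell commands and for writes, and blocks curl; the user's settings and a
// skill both try to allow what the administrator gated.
const sampleLayers: Layers = {
  managed: { ask: ["Bash(rm *)", "Write"], deny: ["Bash(curl *)"] },
  user: { allow: ["Bash(rm *)", "Bash(git *)"] },
  skill: { allow: ["Write"] },
};

// Side-by-side view of the two resolvers for a handful of constructed calls.
const sampleCalls: Array<[string, string]> = [
  ["Bash", "rm -rf build"],
  ["Write", "src/index.ts"],
  ["Bash", "git status"],
  ["Bash", "curl http://example.invalid"],
  ["Read", "README.md"],
];
for (let i = 0; i < sampleCalls.length; i++) {
  const tool = sampleCalls[i][0];
  const arg = sampleCalls[i][1];
  console.log(tool + "(" + arg + "): before=" + resolveBuggy(sampleLayers, tool, arg) +
    " after=" + resolveFixed(sampleLayers, tool, arg));
}
```

The point of the two resolvers is the order of the checks, not the matching: in the buggy version the layers are flattened before the decision is taken, so where a rule came from no longer matters; in the fixed version the managed layer is consulted first and returns before any lower layer is read.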
MCP OAuth Reliability Fixes
The same release fixes two MCP OAuth reliability issues that affected enterprise deployments. First, authentication could hang indefinitely when the OAuth callback port was already in use, a common situation when several Claude Code sessions run concurrently on one machine. Second, refresh-token expiry on servers such as Slack, which report errors in the response body with an HTTP 200 status rather than a 4xx, was handled incorrectly: the tool appeared connected but was operating with stale credentials, so subsequent calls failed silently. Both issues are resolved in 2.1.74.
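The second issue is a classic case of trusting the transport status instead of the message. The TypeScript below is an added example written for this page, not Claude Code's or any MCP server's code: it contrasts a refresh-response check that keys on the HTTP status alone with one that inspects the body. The field names follow RFC 6749 (access_token, error) and Slack's Web API convention of an "ok": false flag beside an "error" string; the sample responses and the function names are constructed for the example.

```typescript
// Added example (not Claude Code's own code): deciding whether a token
// refresh actually succeeded. A server that answers HTTP 200 with an error
// body must be treated as a failed refresh, or the client keeps a dead token.

interface RefreshResult {
  ok: boolean;
  accessToken?: string;
  reason?: string;
}

// Parse a JSON object body; anything else (HTML login page, empty body,
// a bare string) yields undefined.
function parseJsonObject(body: string): Record<string, unknown> | undefined {
  try {
    const v = JSON.parse(body);
    return typeof v === "object" && v !== null ? (v as Record<string, unknown>) : undefined;
  } catch (_err) {
    return undefined;
  }
}

// Pre-fix shape of the check: the status code decides. A Slack-style
// {"ok":false,"error":"invalid_refresh_token"} with HTTP 200 passes, the
// stale token stays in use, and every later request fails quietly.
function classifyByStatusOnly(status: number, body: string): RefreshResult {
  if (status !== 200) return { ok: false, reason: "http " + status };
  const json = parseJsonObject(body);
  const token = json !== undefined ? json.access_token : undefined;
  return { ok: true, accessToken: typeof token === "string" ? token : undefined };
}

// Fixed check: success requires a parsable body that carries a non-empty
// access token and no error marker, whatever the status code says. Each
// failure carries a reason so the caller can surface it instead of
// reporting "connected".
function classifyRefresh(status: number, body: string): RefreshResult {
  const json = parseJsonObject(body);
  if (json === undefined) return { ok: false, reason: "unparsable body (http " + status + ")" };
  const err = json.error;
  if (typeof err === "string" && err.length > 0) return { ok: false, reason: err }; // RFC 6749 or Slack error
  if (json.ok === false) return { ok: false, reason: "server reported ok=false" };
  if (status < 200 || status >= 300) return { ok: false, reason: "http " + status };
  const token = json.access_token;
  if (typeof token !== "string" || token.length === 0) return { ok: false, reason: "no access_token in response" };
  return { ok: true, accessToken: token };
}

// Constructed sample responses (not captured traffic).
const SLACK_STYLE_EXPIRED = { status: 200, body: '{"ok":false,"error":"invalid_refresh_token"}' };
const RFC_STYLE_EXPIRED = { status: 400, body: '{"error":"invalid_grant","error_description":"refresh token expired"}' };
const GOOD_REFRESH = { status: 200, body: '{"ok":true,"access_token":"xoxe-new-token","expires_in":43200}' };

const samples = [SLACK_STYLE_EXPIRED, RFC_STYLE_EXPIRED, GOOD_REFRESH];
for (let i = 0; i < samples.length; i++) {
  const before = classifyByStatusOnly(samples[i].status, samples[i].body);
  const after = classifyRefresh(samples[i].status, samples[i].body);
  console.log("http " + samples[i].status + " " + samples[i].body);
  console.log("  status-only: ok=" + before.ok + "  body-aware: ok=" + after.ok +
    (after.reason !== undefined ? " (" + after.reason + ")" : ""));
}
```

A refresh that returns ok=false should drive the connection into a visible "needs re-authentication" state rather than leaving the old token in place; the silent failure the release notes describe comes precisely from the first function's willingness to report success without ever looking for a token.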