> ## Documentation Index > Fetch the complete documentation index at: https://docs.murmur.dev/llms.txt > Use this file to discover all available pages before exploring further. # murmur check-permissions > Evaluate one or more permission strings against the caller's effective grants, including role membership and tenant-binding rules. Evaluates [permissions](/security/permissions) against the caller's effective grants. Each positional argument is a permission string in `{kind}.{verb}` format. The command prints a table showing whether each permission is granted or denied, and exits non-zero if any check is denied. Use this to verify what the current identity is allowed to do before attempting an operation, or to debug [authorization](/security/authorization) issues. ## Synopsis ```bash theme={null} murmur check-permissions [flags] [kind.verb ...] ``` ## Arguments | Name | Type | Required | Description | | ------------ | ------ | -------- | ----------------------------------------------------------------------------------------------------------------------------- | | `kind.verb` | string | yes | One or more [permissions](/security/permissions) to check, each in `{kind}.{verb}` format (e.g. `agent.read`, `secret.edit`). | | `--resource` | string | no | Catalog resource ref in `{kind}/{name}` format, applied to all checks. | ## Output A tab-aligned table with one row per [permission](/security/permissions) checked: | Column | Description | | ------------ | --------------------------------------------------------------------------------- | | `PERMISSION` | The [permission](/security/permissions) string that was evaluated. | | `GRANTED` | `yes` if the caller has this [permission](/security/permissions), `no` if denied. | | `REASON` | Explanation of why the [permission](/security/permissions) was granted or denied. | The command exits with a non-zero status if any [permission](/security/permissions) is denied. ## Examples ### Check multiple permissions ```bash theme={null} murmur check-permissions agent.read agent.list agent.delete ``` ``` PERMISSION GRANTED REASON agent.read yes granted by role "developer" agent.list yes granted by role "developer" agent.delete no no matching grant ``` ### Check a permission against a specific resource ```bash theme={null} murmur check-permissions agent.edit --resource agent/my-task ``` ``` PERMISSION GRANTED REASON agent.edit yes granted by role "developer" ``` ## Errors | Code | Meaning | What to do | | ------------------ | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | | `INVALID_ARGUMENT` | A positional argument is not in `{kind}.{verb}` format, or `--resource` is not in `{kind}/{name}` format. | Fix the argument format and retry. | | `UNAUTHENTICATED` | Identity token is missing or expired. | Run `murmur auth` or check your `murmur.local.yaml` configuration. | | non-zero exit | One or more [permissions](/security/permissions) were denied. | Review the output table to see which [permissions](/security/permissions) were denied and why. | ## Related * [Authorization](/security/authorization) — how the authorization system evaluates grants * [Permissions guide](/security/permissions) — understanding permission strings and roles * [`murmur status`](/cli/status) — query an agent's current status