#Cannot change tools permission

Hi,

For some reason I cannot change my agents "tool" permissions in the dashboard. I wanna activate the files tootls (read/write/edit), I can turn on the toggle but I cannot click the save button. Any idea?

Most common reason the Save button is unclickable in the Control UI is: your browser/device is paired with read-only (no operator.write) permissions, so the UI won’t let you persist config changes (including agent tool policies).

1) First: what version are you on?

Please run and paste:

openclaw --version

2) Check your device pairing / scopes

On the machine that runs the Gateway:

openclaw devices list --json

Look for your browser/device entry and whether the operator role has operator.write.

If you don’t have operator.write, rotate the operator token for that device:

openclaw devices rotate --device <deviceId> --role operator --scope operator.read --scope operator.write

Then reload the Control UI and try saving again.

Docs: https://docs.openclaw.ai/cli/devices

3) If it’s not scopes: it’s usually validation

The UI also disables Save when there’s a validation error (sometimes it’s subtle / lower on the page). Open DevTools → Console and see if it logs a schema/validation error when you toggle tools.

Also: enabling file tools is basically allowing read/write/edit/apply_patch (aka group:fs). Tool policy reference: https://docs.openclaw.ai/tools/multi-agent-sandbox-tools

If you paste:

• your openclaw --version
• and (redacted) devices list --json output (remove tokens)
  …I can tell you exactly which path you’re hitting.

Thanks for the help!

openclaw --version gives 2026.3.2

The initial devices list --json gave

{
  "pending": [],
  "paired": [
    {
      "deviceId": "111",
      "publicKey": "111",
      "platform": "Linux x86_64",
      "clientId": "openclaw-control-ui",
      "clientMode": "webchat",
      "role": "operator",
      "roles": [
        "operator"
      ],
      "scopes": [
        "operator.admin",
        "operator.approvals",
        "operator.pairing"
      ],
      "createdAtMs": 1772901465541,
      "approvedAtMs": 1772901465541,
      "tokens": [
        {
          "role": "operator",
          "scopes": [
            "operator.admin",
            "operator.approvals",
            "operator.pairing"
          ],
          "createdAtMs": 1772901465541
        }
      ]
    },
    {
      "deviceId": "222",
      "publicKey": "222",
      "platform": "linux",
      "clientId": "cli",
      "clientMode": "cli",
      "role": "operator",
      "roles": [
        "operator"
      ],
      "scopes": [
        "operator.admin",
        "operator.read",
        "operator.write",
        "operator.approvals",
        "operator.pairing"
      ],
      "createdAtMs": 1772900790562,
      "approvedAtMs": 1772900790562,
      "tokens": [
        {
          "role": "operator",
          "scopes": [
            "operator.admin",
            "operator.approvals",
            "operator.pairing",
            "operator.read",
            "operator.write"
          ],
          "createdAtMs": 1772900790562
        }
      ]
    },
    {
      "deviceId": "333",
      "publicKey": "333",
      "platform": "Win32",
      "clientId": "openclaw-control-ui",
      "clientMode": "webchat",
      "role": "operator",
      "roles": [
        "operator"
      ],
      "scopes": [
        "operator.admin",
        "operator.approvals",
        "operator.pairing"
      ],
      "createdAtMs": 1772797029524,
      "approvedAtMs": 1772797029524,
      "tokens": [
        {
          "role": "operator",
          "scopes": [
            "operator.admin",
            "operator.approvals",
            "operator.pairing"
          ],
          "createdAtMs": 1772797029524,
          "lastUsedAtMs": 1772903556826
        }
      ]
    }
  ]
}

So as you mentioned it's missing the operator.write/read scopes so I rotated the tokens and ran the devices list command again

{
  "pending": [],
  "paired": [
    {
      "deviceId": "111",
      "publicKey": "111",
      "platform": "Linux x86_64",
      "clientId": "openclaw-control-ui",
      "clientMode": "webchat",
      "role": "operator",
      "roles": [
        "operator"
      ],
      "scopes": [
        "operator.admin",
        "operator.approvals",
        "operator.pairing"
      ],
      "createdAtMs": 1772901465541,
      "approvedAtMs": 1772901465541,
      "tokens": [
        {
          "role": "operator",
          "scopes": [
            "operator.admin",
            "operator.approvals",
            "operator.pairing"
          ],
          "createdAtMs": 1772901465541
        }
      ]
    },
    {
      "deviceId": "222",
      "publicKey": "222",
      "platform": "linux",
      "clientId": "cli",
      "clientMode": "cli",
      "role": "operator",
      "roles": [
        "operator"
      ],
      "scopes": [
        "operator.admin",
        "operator.read",
        "operator.write",
        "operator.approvals",
        "operator.pairing"
      ],
      "createdAtMs": 1772900790562,
      "approvedAtMs": 1772900790562,
      "tokens": [
        {
          "role": "operator",
          "scopes": [
            "operator.admin",
            "operator.approvals",
            "operator.pairing",
            "operator.read",
            "operator.write"
          ],
          "createdAtMs": 1772900790562
        }
      ]
    },
    {
      "deviceId": "333",
      "publicKey": "333",
      "platform": "Win32",
      "clientId": "openclaw-control-ui",
      "clientMode": "webchat",
      "role": "operator",
      "roles": [
        "operator"
      ],
      "scopes": [
        "operator.admin",
        "operator.approvals",
        "operator.pairing"
      ],
      "createdAtMs": 1772797029524,
      "approvedAtMs": 1772797029524,
      "tokens": [
        {
          "role": "operator",
          "scopes": [
            "operator.read",
            "operator.write"
          ],
          "createdAtMs": 1772797029524,
          "rotatedAtMs": 1772904454467,
          "lastUsedAtMs": 1772904318802
        }
      ]
    }
  ]
}

Is it supposed to be correct now? I reran openclaw dashboard but the "save" button is still disabled

Yep — that output explains it perfectly: your Control UI devices (clientId: "openclaw-control-ui") are paired as operator, but their scope set is missing operator.read + operator.write, so the UI can render toggles but can’t persist changes.

Two important details:

1. operator.admin does not imply read/write (at least in current scope checks), so you really do need to add operator.read + operator.write explicitly.
2. You have multiple Control UI devices. You need to rotate the one you’re actually using (looks like deviceId: "333" was recently used: lastUsedAtMs).

Rotate the right device (example: 333)

openclaw devices rotate --device 333 --role operator \
  --scope operator.read --scope operator.write \
  --scope operator.admin --scope operator.approvals --scope operator.pairing

Then hard refresh the Control UI (or close/reopen the tab). If it still doesn’t pick it up, clear site data for the dashboard origin (it may have cached auth state).

If you paste your updated openclaw devices list --json

…I can confirm the scopes landed on the correct device.

If after rotation the scopes are correct but Save is still disabled, grab the browser DevTools Console error when you click Save — that’ll point to whether it’s a validation issue vs auth.

Not quite “fixed” yet — two things jump out from that JSON:

1. Your rotated token for device 333 hasn’t been used at all yet

• rotatedAtMs is later than lastUsedAtMs, so the Windows Control UI session you currently have open is almost certainly still running on the old device token/scopes.
• Fix: close all dashboard tabs, then reopen the dashboard (or clear site data for the dashboard origin), then immediately rerun:

  openclaw devices list --json
  

  and check that lastUsedAtMs is now after the rotation time.

2. You’re likely hitting a known Control UI regression on 2026.3.2 (esp. Windows)
   There’s an open bug report that matches your symptoms exactly: toggles change, but Save stays disabled / doesn’t persist on v2026.3.2 on Windows:
   https://github.com/openclaw/openclaw/issues/35297

Practical workaround (works even if the UI Save button is broken)

Just set the tool policy via CLI and restart the gateway:

Enable filesystem tools globally:

openclaw config set tools.allow '["group:fs"]' --strict-json
openclaw gateway restart

Or only for a specific agent (you’ll need the agent index):

openclaw config get agents.list
# then e.g.
openclaw config set agents.list[0].tools.allow '["group:fs"]' --strict-json
openclaw gateway restart

Then confirm:

openclaw config get tools

One more note about your rotation

Right now the token for 333 shows only operator.read/write. If you want the Control UI to keep being able to do approvals/pairing/admin-y stuff too, rotate again with the full set:

openclaw devices rotate --device 333 --role operator \
  --scope operator.read --scope operator.write \
  --scope operator.admin --scope operator.approvals --scope operator.pairing

If you tell me whether you’re opening the dashboard from Windows (device 333) or Linux (device 111), I can tell you which device you actually need to rotate / clear.

openclaw config get agents.list gives me Config path not found: agents.list

That’s actually a useful clue: it means your config is a defaults-only / single implicit agent setup (you have agents.defaults, but no explicit agents.list array). So:

• openclaw config get agents.list → expected to fail
• and it also matches a known Control UI bug where /agents edits don’t “dirty” the config, so Save never enables when agents.list is missing: https://github.com/openclaw/openclaw/issues/20924

What to do instead (recommended)

Set the tool permissions on the implicit/default agent via agents.defaults.tools (or globally via tools):

Enable file tools for the default agent:

openclaw config set agents.defaults.tools.allow '["group:fs"]' --strict-json
openclaw gateway restart

(You can also do it globally for all agents:)

openclaw config set tools.allow '["group:fs"]' --strict-json
openclaw gateway restart

Then confirm:

openclaw config get agents.defaults.tools
openclaw config get tools

If you really want per-agent settings in the UI

You’d need to introduce an explicit agents.list entry (multi-agent style). That’s doable, but it’s easier to get wrong (workspace/ids/bindings), so I’d only do that if you actually want multiple agents.

If you paste your current:

openclaw config get agents.defaults

(redact secrets), I can tell you the cleanest minimal way to express the same agent as an agents.list entry.

openclaw config set agents.defaults.tools.allow '["group:fs"]' --strict-json

🦞 OpenClaw 2026.3.2 (85377a2)
   I'll butter your workflow like a lobster roll: messy, delicious, effective.

│
◇  Doctor warnings ──────────────────────────────────────────────────────────╮
│                                                                            │
│  - channels.telegram.groupPolicy is "allowlist" but groupAllowFrom (and    │
│    allowFrom) is empty — all group messages will be silently dropped. Add  │
│    sender IDs to channels.telegram.groupAllowFrom or                       │
│    channels.telegram.allowFrom, or set groupPolicy to "open".              │
│                                                                            │
├────────────────────────────────────────────────────────────────────────────╯
Error: Config validation failed: agents.defaults: Unrecognized key: "tools"

Yep — that error is legit, and it’s on me: agents.defaults doesn’t support tools in the current schema. Tool policy can be set either:

• globally at top-level tools.*, or
• per-agent at agents.list[].tools (but that requires you to actually have an agents.list).

So for your “single implicit agent” setup, do it globally:

openclaw config set tools.allow '["group:fs"]' --strict-json
openclaw gateway restart

group:fs expands to: read, write, edit, apply_patch.

Then verify: