Looking at your prompt, it appears that Bob is requesting permission to run a git show command for a specific commit hash. The authorization system, however, is asking you to approve the entire git tool, not just the individual subcommand. That’s why you’re seeing a broader permission request even though the actual operation is read‑only.
The prompt provides three options:
- “Yes, allow once” – Approves only this specific execution.
- “Yes, allow always…” – Permanently allows all future
git commands (any subcommand).
- “No, suggest changes” – Rejects the request and lets you modify the command.
At the moment, the authorization prompt does not support built‑in fine‑grained control at the subcommand level (for example, allowing only git show but blocking git push). But you do have a few practical options:
Option 1: Allow Once (Safest)
Choosing “Yes, allow once” approves only the current request.
This is the safest approach because you retain full control—Bob will need approval again the next time he runs any git command.
Option 2: Allow Always for Read‑Only Commands (Use with Caution)
If you’re comfortable allowing non‑destructive, read‑only git operations, you could choose “Yes, allow always.”
Common safe subcommands include:
git showgit loggit diffgit statusgit branch -l
However, approving all git commands also enables potentially destructive operations such as:
git pushgit reset --hardgit clean -fd
Because of this, use the “allow always” option carefully.
Option 3: Configure Bob’s Git Permissions
Bob Shell provides configuration options that can define which tools—and in some cases which command patterns—are allowed. You can review and modify the tool‑level settings in your configuration file to restrict how git is used.
For more details, refer to Bob’s documentation:
https://internal.bob.ibm.com/docs/shell/configuring#tools-settings