This work addresses the security risks posed by coarse-grained, all-or-nothing permission models commonly used by large language model (LLM) agents when invoking APIs or accessing web content, which often lead to excessive authorization. To mitigate this, we propose AC4A—the first fine-grained access control framework inspired by Unix file system semantics—that enables unified, on-demand authorization for both API and browser-based interactions. By leveraging hierarchical resource modeling and runtime permission evaluation, AC4A supports flexible definition and strict enforcement of least-privilege policies, balancing security with practical usability. We demonstrate its effectiveness through case studies and provide an open-source implementation compatible with real-world LLM agent systems.

Large Language Model (LLM) agents combine the chat interaction capabilities of LLMs with the power to interact with external tools and APIs. This enables them to perform complex tasks and act autonomously to achieve user goals. However, current agent systems operate on an all-or-nothing basis: an agent either has full access to an API's capabilities and a web page's content, or it has no access at all. This coarse-grained approach forces users to trust agents with more capabilities than they actually need for a given task. In this paper, we introduce AC4A, an access control framework for agents. As agents become more capable and autonomous, users need a way to limit what APIs or portions of web pages these agents can access, eliminating the need to trust them with everything an API or web page allows. Our goal with AC4A is to provide a framework for defining permissions that lets agents access only the resources they are authorized to access. AC4A works across both API-based and browser-based agents. It does not prescribe what permissions should be, but offers a flexible way to define and enforce them, making it practical for real-world systems. AC4A works by creating permissions granting access to resources, drawing inspiration from established access control frameworks like the one for the Unix file system. Applications define their resources as hierarchies and provide a way to compute the necessary permissions at runtime needed for successful resource access. We demonstrate the usefulness of AC4A in enforcing permissions over real-world APIs and web pages through case studies. The source code of AC4A is available at https://github.com/reSHARMA/AC4A