Domain 2 · Task Statement 2.1

File Access & Working Folders

TL;DR

Master Cowork's direct local file access model, configure working folders using least-privilege scoping, and understand the three-tier permission boundary that governs what Claude can read, write, and delete.

What You Need to Know

Every file interaction in Claude Chat follows the same tedious loop: drag a document into the window, wait for it to process, read Claude's response, download the output, and manually save it somewhere useful. Cowork eliminates this entirely. Point it at a folder on your machine and it reads, writes, edits, creates, renames, and moves files directly on your local file system. No uploading. No downloading. No 30 MB ceiling on individual files.

The mental model shift matters more than the mechanics. Chat is like emailing documents to a colleague in another building — they read what you send, draft a reply, and email it back. Cowork is like sitting that colleague at the desk next to you, opening the filing cabinet, and saying "everything you need is right here." Files never leave your machine, there's no intermediary step, and outputs land exactly where you need them.

Granting folder access: the security decision that matters most

Selecting a working folder is the single most consequential security decision you make in any Cowork session. Claude operates inside a sandboxed virtual machine on your device and can only see the folder — and its subfolders — that you explicitly grant. Parent directories? Invisible. Your Desktop, Downloads, home folder? Off limits. Type a full file path pointing somewhere outside the grant and Claude will simply tell you it cannot reach it.

[!]

Exam Trap: There Is No Global Access Toggle

A common exam distractor claims Cowork can access any folder on your machine once you enable it in Settings. False. There is no global "enable all" setting. Folder access is granted per session — you select a specific folder each time, and every new session requires you to choose again.

This per-session scoping is deliberate. Even if you granted access to your entire Documents folder yesterday, that access doesn't carry over today. Each session starts with a clean slate. You can grant access to additional folders mid-session if your task requires files from multiple locations — but each grant is a conscious, explicit decision.

The working folder as Claude's world

Think of the working folder as the four walls of Claude's office. Everything it reads, creates, and modifies lives within this boundary. Cowork remembers recently used folders for quick selection, so you do not need to navigate from scratch every session. For recurring tasks — a weekly reporting pipeline, a monthly invoice audit — pointing Cowork at the same dedicated folder each time, combined with context files like rules.md or preferences.md, builds a persistent workspace that improves with use.

Read, write, delete: the permission tiers you must know

Within the granted folder, Claude has full read and write access. It opens any supported file type — PDFs, CSVs, Excel spreadsheets, images, Word documents, plain text — and creates new files of any type. Renames, subfolder moves, content overwrites: all of these happen without any additional permission prompt beyond the initial plan review.

[!]

Exam Trap: Edits and Overwrites Are Not Protected

Deletion protection only covers permanent removal of a file from disk. Claude can freely overwrite an existing file's contents, rename it beyond recognition, or move it to a different subfolder — none of these trigger a permission prompt. An overwritten file is just as lost as a deleted one if you have no backup. Always review the execution plan before clicking Allow.

Permanent deletion is the exception. When Claude tries to remove a file from disk, a system-level prompt appears and it cannot proceed until you click "Allow." There's no way to bypass, suppress, or batch-delete past this gate — each removal needs individual consent. That's the hard safety boundary, and it's deliberately narrow. Knowing exactly what it covers (and what it doesn't) is one of the most heavily tested concepts in Domain 2.

The three-tier permission model

The full permission architecture has three distinct layers. The exam expects you to distinguish between them:

  1. Folder scoping — Claude can only access the folder (and subfolders) you grant per session. Everything outside is invisible.
  2. Operation type — Reads and writes happen freely within scope. Only permanent deletions require explicit "Allow" approval.
  3. Computer Use permissions — When Computer Use is enabled (Domain 4), accessing applications outside the sandboxed VM requires separate per-application permissions. This layer is entirely independent of file access.

Exam questions love to conflate these tiers. You might see a scenario where someone enables Computer Use and assumes that folder-level file access permissions also govern application access. They don't — the two systems are architecturally separate.

Dedicated workspace folders: the least-privilege principle in practice

[~]

The Golden Rule of Folder Scoping

Never point Cowork at Documents, Desktop, or your home folder. Always create a purpose-built folder, copy only the files you need into it, and point Cowork there. If something goes wrong, the blast radius is limited to a single folder rather than your entire file system.

This goes beyond best practice — it's the foundation of safe Cowork usage. Think about what actually sits in your Documents folder: tax returns, employment contracts, financial records, client agreements, saved passwords, personal correspondence. Granting Cowork access to all of that because you need three CSV files is like giving a new hire the master key to the building when they only need one meeting room.

Create a folder with a descriptive name — Campaign-Analysis-Q2, Invoice-Processing-March, Board-Deck-Draft — copy the relevant files in, and scope Cowork to that folder. Thirty seconds of preparation reduces your exposure from thousands of files to the handful that actually matter.

Expect the exam to test this repeatedly. If a scenario describes someone granting access to a broad directory and asks what could go wrong, the correct answer centres on unnecessary exposure of sensitive files. Not on Claude deliberately misusing them — on the principle that reducing the attack surface is always the responsible default.

Common Mistakes

Common Mistake

Granting Cowork access to your entire Documents or Desktop folder because the files you need are scattered across it — exposing thousands of sensitive, unrelated files.

Instead: Create a dedicated working folder with a descriptive name, copy only the files relevant to your task, and point Cowork there. Thirty seconds of preparation eliminates the risk of exposing tax returns, contracts, and credentials.

Common Mistake

Hearing 'deletion protection' and assuming Claude cannot change your files at all without permission — then skipping the execution plan review because you believe every operation has a safety net.

Instead: Deletion protection is narrow: it only triggers for permanent file removal. Edits, overwrites, renames, and moves all happen freely within the granted folder. The execution plan is your real safety net — review it every time.

Common Mistake

Uploading files to a standard Chat conversation out of habit, even though you have Cowork access — hitting the 30 MB per-file limit and the 20-file cap, then manually downloading results.

Instead: Switch to the Cowork tab, select your working folder, and let Claude process files directly from disk. No upload limits, no downloads, and outputs land in your file system ready to use.

Analysing expense reports

Before

Look at my Documents folder and find my expense reports from last quarter.

After

I've copied my Q1 expense reports into the 'Q1-Expenses' working folder. Analyse every PDF in this folder and create a summary spreadsheet with columns for Date, Vendor, Category, and Amount.

Modifying a budget spreadsheet

Before

Can you access my spreadsheet at /Users/me/Desktop/Finances/budget.xlsx?

After

Using the files in this working folder, open budget.xlsx and create a new version called budget-v2.xlsx with an additional column calculating year-over-year growth percentage.

Hands-On Activity

Hands-On Activity

Master Working Folder Security

10 min

Test the boundaries of Cowork's folder scoping, write access, and deletion protection firsthand. Verify that the sandbox genuinely prevents access to files outside the granted folder and that deletion requires explicit approval.

What you will learn

  • Verify that Cowork's folder scoping prevents access to files outside the granted directory
  • Confirm that Cowork can write new files directly to your file system without manual download
  • Trigger deletion protection and observe the system-level permission prompt
  • Prove that full file paths outside the sandbox boundary are rejected
  1. 01

    Create two folders on your Desktop: 'Cowork-Workspace' and 'Sensitive-Files'. Place 3-5 sample text files in each — use innocuous test content, not real sensitive data.

    Why: Two separate folders let you test that Cowork's scoping genuinely prevents access to files outside the granted folder.

    Expected: Two distinct folders on your Desktop, each containing a few sample text files.

  2. 02

    Open Cowork and select 'Cowork-Workspace' as the working folder. Ask Claude: 'List every file you can see, including any files in nearby folders.'

    Why: This tests the folder boundary. Claude should only list files within Cowork-Workspace, regardless of how you phrase the request.

    Expected: Claude lists only the files in Cowork-Workspace. It reports no knowledge of Sensitive-Files or any other location on your machine.

  3. 03

    Ask Claude to create a file called 'test-output.txt' with the content 'Cowork wrote this directly to my file system.' Then open the Cowork-Workspace folder in Finder and verify the file exists.

    Why: This demonstrates direct write access — no download step. The file appears on your file system immediately.

    Expected: A new 'test-output.txt' file in the Cowork-Workspace folder. Open it to confirm the content matches.

  4. 04

    Ask Claude: 'Delete test-output.txt.' Watch for the system permission prompt and click Allow to proceed.

    Why: This triggers deletion protection — the one operation that requires explicit permission beyond plan review.

    Expected: A system-level Allow/Deny prompt appears before the deletion executes. Claude cannot proceed until you grant permission.

  5. 05

    Ask Claude to read a file by specifying the full path to a file in 'Sensitive-Files' (e.g., '/Users/you/Desktop/Sensitive-Files/secret.txt'). Observe the response.

    Why: This confirms that even a full file path cannot break the sandbox boundary. Claude is restricted to the granted folder regardless of how you reference external files.

    Expected: Claude reports that it cannot access files outside its working folder, no matter the path you provide.

Practice Question

Practice Question

A marketing manager needs Cowork to analyse 30 campaign performance CSVs stored in her Documents folder, which also contains confidential HR spreadsheets in a subfolder. What is the safest and most efficient approach?

Sources