Calendar agents need more than read/write
A calendar agent permission matrix is a small table that says which calendars an AI assistant can read, which ones it can modify, and which actions require confirmation. Without it, a harmless scheduling helper can quietly become a meeting-deleting agent.
Split permissions by action
Listing events, finding free time, creating holds, updating attendee lists, and deleting meetings have different risk levels. Treating all of them as one "calendar access" permission is too broad.
The practical matrix
- Read busy/free only for calendars the agent should use for scheduling.
- Read full event details only where descriptions and attendees are needed.
- Create events on explicitly authorized calendars.
- Update events only when the event was created by the agent or approved by the user.
- Delete, decline, or mass-update events only after confirmation.
Why multi-account agents make this harder
Personal, work, side-project, and shared calendars usually live under different Google accounts. A good agent can query across them, but it should not inherit the most permissive account's rights everywhere.
How CalendarMCP handles it
CalendarMCP lets one API key connect multiple Google calendars while preserving per-calendar permissions. That keeps the prompt simple for the user and the access control explicit for the operator.