LuckPerms Wildcard Permissions Guide

What Are Wildcard Permissions?

A wildcard permission in LuckPerms uses an asterisk (*) to match every child node below a parent. For example, granting essentials.kits.* gives a player every kit permission without listing them individually. Luckperms wildcard permissions save time, but they also carry risk because new child nodes added by plugin updates are granted automatically.

How LuckPerms Resolves Wildcards

LuckPerms processes luckperms wildcard permissions by expanding the asterisk at lookup time. When a plugin checks essentials.kits.daily, LuckPerms walks the permission tree upward: it checks the exact node first, then essentials.kits.*, then essentials.*, and finally the global *. The first match wins. This means a specific deny will override a wildcard allow, which is essential for safe permission design.

The Global Wildcard

Granting * (the global wildcard) gives a player every permission registered on the server. We strongly advise against this even for admins because it exposes operator-level commands from every loaded plugin, including debug and reload commands that can crash the server.

Safe Wildcard Patterns

Here are patterns where luckperms wildcard permissions make sense without introducing unacceptable risk.

# Grant all home-related permissions
/lp group vip permission set essentials.sethome.* true

# Grant all WorldGuard region-info permissions
/lp group mod permission set worldguard.region.info.* true

# Grant all LuckPerms user-info subcommands
/lp group admin permission set luckperms.user.info.* true

Wildcards to Avoid

• essentials.* includes social spy, debug reload, and ban commands.
• worldedit.* includes //set at unlimited volume, capable of destroying regions.
• luckperms.* lets a user promote themselves to any group.

Combining Wildcards with Negations

You can grant a broad wildcard and then negate specific nodes to create a safe "everything except" pattern. This is one of the most practical uses of luckperms wildcard permissions.

# Give helpers all essentials commands, but deny ban and mute
/lp group helper permission set essentials.* true
/lp group helper permission set essentials.ban false
/lp group helper permission set essentials.mute false

Negated nodes always override wildcards of the same or higher level, so this pattern is reliable.

Auditing Wildcard Grants

Run /lp group <name> permission check <node> to see exactly how a permission resolves. LuckPerms shows the source (direct, inherited, or wildcard) and whether it is true or false. Audit luckperms wildcard permissions regularly after plugin updates to catch unintended grants.

You can also export a full permission list with /lp export and search the YAML file for asterisks to find every wildcard in your permission tree.

Best Practices

• Use wildcards only on leaf-level branches like essentials.kits.*, not on top-level nodes like essentials.*.
• Review plugin changelogs before updating. New commands mean new child nodes under existing wildcards.
• Prefer explicit permission lists for staff groups. The extra setup time pays off when a plugin update adds a dangerous command.
• Test changes on a staging server or with a test group before applying to production ranks.

For more on permission fundamentals, see our guide or the deeper LuckPerms Advanced Guide, Contexts, Weights & Meta walkthrough.

Need hosting with full config access? Astroworld Hosting, Pterodactyl panel, NVMe SSDs, 24/7 support.