Admin Guide
Groups & RBAC
MCP Ambassador uses group-based RBAC: users belong to groups, MCPs are assigned to groups, and users see only the MCPs their groups have access to.
RBAC model
User ──belongs to──► Group(s) ──assigned──► MCP(s)
│
└──registers──► Client ──selects──► Tools (subset of subscribed tools)
Four levels of access control:
- Group membership — which MCPs are available to the user at all
- User subscription — which of the available MCPs the user has subscribed to
- Per-client tool selection — which tools from subscribed MCPs are enabled on a specific client
- Kill switches — admin override to disable a tool or entire MCP instantly
Groups
Creating a group
Via Admin UI: Navigate to Groups → Create Group → enter name and description.
Via Admin API:
curl -k -b cookies.txt \
-X POST https://localhost:9443/v1/admin/groups \
-H "Content-Type: application/json" \
-d '{"name": "engineers", "description": "Engineering team"}'
Adding users to a group
Via Admin UI: Navigate to Groups → select group → Manage Members → add users.
Via Admin API:
curl -k -b cookies.txt \
-X PUT https://localhost:9443/v1/admin/groups/:id/members \
-H "Content-Type: application/json" \
-d '{"add": ["user_uuid_1", "user_uuid_2"], "remove": []}'
Assigning MCPs to a group
Via Admin UI: Navigate to Groups → select group → Manage MCPs → assign MCPs.
Via Admin API:
curl -k -b cookies.txt \
-X PUT https://localhost:9443/v1/admin/groups/:id/mcps \
-H "Content-Type: application/json" \
-d '{"add": ["mcp_uuid_github", "mcp_uuid_slack"], "remove": []}'
RBAC evaluation at tool call time
When an Ambassador Client calls a tool, the server evaluates:
- Session valid? — Is the session token valid and not expired?
- Client active? — Has the client been deactivated?
- User active? — Has the user account been deactivated?
- MCP accessible? — Is the MCP assigned to a group the user belongs to?
- User subscribed? — Has the user subscribed to this MCP?
- Tool enabled on client? — Has the user enabled this tool on this client?
- Kill switch active? — Is the tool or MCP currently disabled?
If any check fails, the call is rejected with a 403 and logged in the audit trail.
Example group structure
Groups:
engineers
→ github, gitlab, sequential-thinking, postgres
product-team
→ github (read-only tools), linear, figma, notion
all-users
→ time, memory, fetch, tavily-search
devops
→ docker, cloudflare, grafana, sentry
Most users belong to all-users (base tools) plus one or more functional groups.
Per-client tool selection
Users can further restrict which tools are active on each client. This happens at the subscription level, not the group level.
Example: Alice is in engineers and has subscribed to github with all tools enabled. On her CI/CD agent client, she disables write tools:
- github.create_pr — disabled on CI agent
- github.search_code — enabled on CI agent
- github.list_issues — enabled on CI agent
This means that even if her session token were leaked from the CI environment, write operations through that client are blocked.
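The following is an added example, not code from MCP Ambassador, that walks the seven tool-call checks listed above in order and then replays Alice's CI-agent setup from this section. Entity classes, group table and check names are constructed stand-ins for the server's real data model.

```python
from dataclasses import dataclass
# Constructed stand-ins for the guide's entities, not the project's data model or API.

@dataclass
class User:
    id: str
    groups: set
    subscriptions: set      # MCP names the user has subscribed to
    active: bool = True

@dataclass
class Client:
    id: str
    user_id: str
    enabled_tools: set      # "mcp.tool" names enabled on this client
    active: bool = True

GROUP_MCPS = {"engineers": {"github", "postgres"}, "all-users": {"time", "fetch"}}
KILL_SWITCHES = set()       # "github" disables the whole MCP, "github.create_pr" one tool

def evaluate(session, client, user, mcp, tool, now):
    """Run the seven checks in the guide's order; return None if allowed, else the
    first failing check. session: dict with client_id and expires_at (epoch secs)."""
    if session["client_id"] != client.id or now >= session["expires_at"]:
        return "session_invalid"
    if not client.active:
        return "client_inactive"
    if not user.active:
        return "user_inactive"
    if not any(mcp in GROUP_MCPS.get(g, set()) for g in user.groups):
        return "mcp_not_accessible"
    if mcp not in user.subscriptions:
        return "not_subscribed"
    qualified = f"{mcp}.{tool}"
    if qualified not in client.enabled_tools:
        return "tool_disabled_on_client"
    if mcp in KILL_SWITCHES or qualified in KILL_SWITCHES:
        return "kill_switch"
    return None                 # allowed; caller forwards the call to the MCP

def alice_ci_example(now=1_000):
    """Alice: engineers + all-users, subscribed to github, write tools off on CI."""
    alice = User("alice", {"engineers", "all-users"}, {"github"})
    ci = Client("ci-agent", "alice", {"github.search_code", "github.list_issues"})
    session = {"client_id": "ci-agent", "expires_at": 2_000}
    calls = {"search_code": ("github", "search_code"),
             "create_pr": ("github", "create_pr"),      # write tool, disabled on CI
             "postgres_query": ("postgres", "query")}   # in her group, not subscribed
    return {k: evaluate(session, ci, alice, m, t, now) for k, (m, t) in calls.items()}
```

The returned check name is what a real server would write to the audit trail alongside the 403, which is what makes a leaked CI token's failed write attempts visible rather than silent.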
Admin role
Admin users have access to the Admin API and Admin UI. Admin status is a flag on the user record, not a group.
By default, admin users do not have access to the User UI marketplace (they manage MCPs, not subscribe to them). In practice, admins can also be regular users by having both the admin flag and group memberships.