Role-Based Access Control for MCP Server Tools and Reports
Follow the principle of least privilege when assigning application roles. Grant users and client applications only the minimum permissions required to access specific tools and SQL reports.
To set up and enforce role-based access control for the Database Tools MCP Server using IAM Identity Domains application roles, do the following:
- Create application roles in the Identity Domain.
  In IAM Identity Domains, open the DBTOOLS_MCP_SERVER application and create the application roles you need, in addition to any standard roles such as MCP_User and MCP_Operator.
- Assign users or groups to application roles.
  Grant access by assigning users or IAM groups to the appropriate application roles in the Identity Domain.
- Reference roles in the MCP Server configuration.
  In the MCP Server configuration, specify the Identity Domain and list any custom roles under customRoles. These role names must match the application role names defined for the DBTOOLS_MCP_SERVER application.
- Enforce role-based access to tools and reports.
  You can configure tools and SQL Reports to require specific application roles. At runtime, only users who are assigned the required roles can access those tools or reports.
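The following is an added illustration, not Oracle's code and not the MCP Server's actual configuration format. It models the four steps above in plain Python: a stand-in for the DBTOOLS_MCP_SERVER application's roles and assignments, a stand-in for the server configuration with its customRoles list and per-tool/per-report role requirements, a check that every referenced role really exists as an application role (the constraint in step 3), and the runtime decision from step 4. All role, group, user, tool and report names below are constructed sample data.

```python
"""Added example (not Oracle's code): models the role-based access rules the
page describes for Database Tools MCP Server tools and SQL reports.

Everything here is constructed for illustration: the role catalogue, the
user/group assignments and the tool/report requirements are sample data,
not values read from a real Identity Domain or MCP Server configuration.
"""
from dataclasses import dataclass, field

# Standard roles named on the page; custom roles are whatever an administrator
# defines for the DBTOOLS_MCP_SERVER application in the Identity Domain.
STANDARD_ROLES = {"MCP_User", "MCP_Operator"}


@dataclass
class IdentityDomainApp:
    """Constructed stand-in for the DBTOOLS_MCP_SERVER application: its
    application roles and the user/group assignments (steps 1 and 2)."""
    application_roles: set[str]
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    user_groups: dict[str, set[str]] = field(default_factory=dict)

    def effective_roles(self, user: str) -> set[str]:
        """Roles held directly plus roles inherited through IAM groups."""
        roles = set(self.user_roles.get(user, set()))
        for group in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles


@dataclass
class McpServerConfig:
    """Constructed stand-in for the MCP Server configuration (step 3): the
    custom roles it declares and the roles each tool or report requires."""
    custom_roles: set[str]
    tool_roles: dict[str, set[str]]
    report_roles: dict[str, set[str]]


def validate_config(app: IdentityDomainApp, cfg: McpServerConfig) -> list[str]:
    """Return a list of problems; an empty list means the config is consistent.

    Enforces the page's constraint that every customRoles entry matches an
    application role defined for DBTOOLS_MCP_SERVER, and additionally flags a
    tool or report that requires a role the server never declared.
    """
    problems = []
    for role in sorted(cfg.custom_roles - app.application_roles):
        problems.append(f"customRoles entry {role!r} is not an application role")
    known = STANDARD_ROLES | cfg.custom_roles
    for kind, mapping in (("tool", cfg.tool_roles), ("report", cfg.report_roles)):
        for name, required in mapping.items():
            for role in sorted(required - known):
                problems.append(f"{kind} {name!r} requires undeclared role {role!r}")
    return problems


def can_access(app: IdentityDomainApp, cfg: McpServerConfig,
               user: str, kind: str, name: str) -> bool:
    """Runtime decision (step 4): the user must hold every role the tool or
    report requires. This example's own choice is to fail closed: an unknown
    tool/report or an empty requirement set is denied."""
    mapping = cfg.tool_roles if kind == "tool" else cfg.report_roles
    required = mapping.get(name)
    if not required:
        return False
    return required <= app.effective_roles(user)


# Constructed sample data: two custom roles, one group, two users.
APP = IdentityDomainApp(
    application_roles=STANDARD_ROLES | {"Finance_Reports", "Schema_Admin"},
    group_roles={"finance-analysts": {"MCP_User", "Finance_Reports"}},
    user_roles={"ops.lead": {"MCP_Operator", "Schema_Admin"}},
    user_groups={"alice": {"finance-analysts"}},
)

CONFIG = McpServerConfig(
    custom_roles={"Finance_Reports", "Schema_Admin"},
    tool_roles={
        "run-sql": {"MCP_User"},
        "alter-schema": {"MCP_Operator", "Schema_Admin"},
    },
    report_roles={"quarterly-revenue": {"Finance_Reports"}},
)

if __name__ == "__main__":
    print("config problems:", validate_config(APP, CONFIG))
    for user in ("alice", "ops.lead"):
        for kind, name in (("tool", "run-sql"), ("tool", "alter-schema"),
                           ("report", "quarterly-revenue")):
            print(f"{user:9} {kind:6} {name:18} ->",
                  "allow" if can_access(APP, CONFIG, user, kind, name) else "deny")
```

The validation step is worth running before deployment: a role name that is misspelled in customRoles, or a tool bound to a role nobody holds, is silently unusable rather than a visible error, and the check above turns it into one.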
For more information, see Assign IDCS Application Roles to Groups in an Identity Domain and Managing Application Integrations.