Configuring MCP Access Control Policies
Flex Gateway provides three MCP policies that work together to control which tools and related MCP entities are exposed:
-
MCP Global Access: Restricts which tools are exposed by using allow or block rules.
-
MCP Tool Mapping: Renames and modifies tool descriptions.
-
MCP Attribute-Based Access Control: Grants each client a subset of tools based on who they are, such as Tiers, IP, headers, or claims.
How the Policies Work Together
You can use MCP policies individually or combine them to fit your use cases. When you use multiple policies together, stack them in this order from the gateway toward the client so that they work as intended:
- MCP Global Access
-
Filters the overall tool list. Define rules to allow or block specific tools so that only the tools you want to expose enter your network.
- MCP Tool Mapping
-
Renames tools or changes their descriptions. Mapping doesn’t filter tools. If you use both policies, MCP Global Access must allow a tool before mapping applies.
- MCP Attribute-Based Access Control
-
Grants each connecting client a tailored subset of the available tools based on attributes, such as tiers, IP addresses, headers, or claims.
To configure the policy order, see Ordering Policies.