---
title: "Tools and MCP"
slug: "mcp-policy-builder-controls"
updated: 2026-03-01T15:15:06Z
published: 2026-03-01T15:15:06Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plainid.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Tools and MCP

*Early Access Capability*

          
  

**Controls** define what **Agents** are allowed to do after an interaction has been authorized.

The most common control type is **MCP (Model Context Protocol)**. MCP controls determine which tools an **Agent** can invoke on behalf of originating **Identities**.

MCP controls follow a least privileged model. By default, all tools are denied. An **Agent** can invoke a tool only if access has been explicitly granted in a **Policy**.

MCP controls answer the question:

> **Which tools can these users, through these Agents, actually use?**

---

## Granting Access to MCP Tools

**To configure MCP controls:**

1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. In the **Policy Canvas**, click the plus (+) icon in the **MCP Control** component.  

![Image](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image(405).png)
4. In the side panel, select entries from the **Groups** or **Tools** tabs, as described below.

The **PlainID Authorization Platform** supports multiple levels of control, from high-level categorization to fine-grained parameter conditions.

---

## Granting Access by Category

During Discovery, the platform scans connected MCP servers and tools. In addition to identifying tools, an AI-based classification layer organizes them into meaningful categories.

Categories reflect:

- Functional domains, such as source control, CI and CD, local filesystem access, and observability.
- Risk and impact profiles, such as sensitive data access, destructive actions, and high-cost operations.

This approach allows you to manage tool access by intent and risk rather than by individual tool name.

**To add tool categories**:

1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. Open the **Groups** tab in the MCP Control section.
4. Search for the relevant category.
5. Select the category.

The selected category appears in the **MCP Control** widget on the canvas.

**Example use cases:**

- Allow an IT operations group access to all CI/CD-related tools.
- Exclude categories marked as Destructive or High Cost.
- Prevent **Agents** from accessing tools that can delete data or incur unexpected spend.

You can also use the AI assistant to recommend appropriate categories based on your intent.

---

## Granting Access by Server

In some cases, you may allow access to all tools exposed by a specific MCP server.

This approach is appropriate when tools are already governed at the server level.

**To add a server:**

1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. In the **Groups** tab, search for the MCP server name.
4. Select the server entry.

The server appears in the **MCP Control** widget, granting access to all associated tools.

---

## Granting Access by Tool and Parameter

For maximum precision, control access at both the tool and parameter levels.

This enables you to define:

- Whether a tool can be invoked.
- Under which **Conditions** it can be invoked.

**To add individual tools**:

1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. Open the **Tools** tab in the MCP Control section.
4. Search for or browse to the required tool.
5. Select the tool.

The tool appears in the **MCP Control** widget on the canvas.

---

**To define parameter level conditions:**

If a tool exposes parameters, they are automatically detected during Discovery.

1. In the Policies section in the Environment sidebar, click on the relevant Authorization Workspace.
2. Select a Policy or create one.
3. Click **Parameters** next to the selected tool.
4. In the query builder, define the required conditions based on the tool parameters.  

![Image](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image(406).png)

**Example**

If using an Atlassian MCP server with a Create Jira Issue tool, you may:

- Allow support employees to create issues.
- Restrict issue creation to the Support project only.

**To configure this**:

1. Add the Create Jira Issue tool.
2. Open the **Parameters** configuration.
3. Add a condition such as Project equals Support.

This approach ensures least privileged access at the tool-execution level.

---

By combining category, server, tool, and parameter-level controls, you can define precise, risk-aligned tool access within your **Policies**.