Tool Permissions
The ToolPermissionService provides fine-grained access control for MCP (Model Context Protocol) tools within the Context Graph. It maps tools to roles and tenants, enforces permission checks before tool execution, logs all permission decisions for audit, and supports tenant-specific overrides.
Overview
When an agent attempts to use a tool (such as executing SQL, accessing a data source, or calling an external API), the tool permission service checks whether the current user/agent has the required permissions based on their role, tenant, and individual access grants.
Source: data-plane/ai-service/src/context_graph/services/tool_permission_service.py
Permission Levels
| Level | Description |
|---|---|
PUBLIC | Accessible by all authenticated users |
TENANT | Accessible by specific tenants only |
ROLE | Accessible by users with specific roles |
USER | Accessible by specific individual users |
ADMIN | Requires admin privileges |
DENIED | Explicitly denied |
Permission Decisions
| Decision | Description |
|---|---|
ALLOWED | User has the required permission |
DENIED_NO_PERMISSION | No matching permission rule found |
DENIED_TENANT_BLOCKED | Tool is blocked for this tenant |
DENIED_ROLE_REQUIRED | User does not have the required role |
DENIED_USER_BLOCKED | User is explicitly blocked |
Permission Check Flow
- Check the permission cache for a cached decision
- Look up the tool permission rules in the graph store
- Evaluate rules in priority order: DENIED > USER > ROLE > TENANT > PUBLIC
- Cache the decision for the configured TTL (default: 300 seconds)
- Log the decision for audit
API Usage
from context_graph.services.tool_permission_service import (
ToolPermissionService,
ToolPermissionLevel,
)
service = ToolPermissionService()
decision = await service.check_permission(
tool_name="sql_executor",
auth_context=auth_context,
tenant_id="acme",
)
if decision == PermissionDecision.ALLOWED:
# Execute the tool
result = await tool.execute(params)
else:
raise PermissionDeniedError(f"Tool access denied: {decision}")Caching
Permission decisions are cached in memory with a configurable TTL to avoid repeated graph store lookups:
| Parameter | Default | Description |
|---|---|---|
| Cache size | 10,000 entries | Maximum cached permission decisions |
| TTL | 300 seconds | Time-to-live for cached decisions |
Audit Logging
All permission decisions are logged with structured fields:
{
"event": "tool_permission_check",
"tool": "sql_executor",
"tenant_id": "acme",
"user_id": "user-123",
"decision": "allowed",
"permission_level": "role",
"duration_ms": 2.3
}Integration
| Component | Integration |
|---|---|
| MCP Gateway | Calls permission check before tool dispatch |
| RBAC Checker | Provides role resolution for permission evaluation |
| Context Graph Store | Stores tool permission rules as graph entities |
| Auth Context | Provides user identity and role information |