Enterprise authorization
Enterprise authorization lets cluster admins express MCP access control in familiar terms, without learning a domain-specific policy language.
Namespace owners can grant access to MCP servers they own, so the platform team isn't in the loop on every change.
Where to start
Introduction to enterprise authorization
Express MCP access in RBAC terms and let the operator compile it to Cedar, so role-based authorization scales across an MCP fleet.
Quickstart - GitHub MCP with Entra ID
Pair Microsoft Entra ID with the GitHub MCP server and enforce role-based authorization with a compiled ToolhiveAuthorizationPolicy.
Namespace self-service authorization
Hand authorization authoring to the team that owns the MCPServer, using PlatformRoleBinding inside their own namespace.
CRD reference
For the full field reference of each resource, see ClusterPlatformRole, ClusterPlatformRoleBinding, PlatformRoleBinding, and ToolhiveAuthorizationPolicy.