Freelancing doesn't mean working alone. Most projects pull in people from different functions — a developer, a finance contact, a support rep.
Your MCP servers are organized by domain. Finance tools on the finance server, support tools on the support server. But roles rarely stay in their lane — a support rep resolving a billing issue needs limited access to financial data. That's where things get complicated.
MCP Express Role-Based Access Control (RBAC) lets you define exactly who can reach what — within the same server, without duplicating tools or splitting infrastructure.
One Server, Different Levels of Access
Without something like RBAC, a shared MCP server is all-or-nothing. Anyone you invite can invoke any tool the server exposes. That's fine for solo work, but it breaks down the moment you're working with a team — especially one with different responsibilities or trust levels.
RBAC solves this by shifting the unit of control from individual users to roles. Instead of managing what each person can do one by one, you define a role, assign it a set of permissions, and invite people into that role. Change the role, and everyone in it gets updated access automatically. It's the same model that powers AWS IAM, Kubernetes, and GitHub teams.
In MCP Express, there are no hardcoded presets. You build each role from scratch around how your team actually operates — not a generic template someone else designed.
Creating a Role
Go to your MCP server's Manage Access tab and create a new role. Give it a name that makes its purpose clear — something like "data viewer" or "support agent" — and an optional description for other admins who'll manage this server later.
The core of a role is its permissions: you select which tools on your MCP server that role is allowed to invoke. An integration can expose many tools, and a given role only gets access to the ones you explicitly grant. A read-only role gets read-type tools. A power user gets the broader set. Nothing else is accessible.
Admins vs. roles
Only admins can add new tools to a server. Everyone else — regardless of their role — can only make tool calls within the permissions they've been granted. This keeps your server configuration in your hands, even when you're sharing access with a full team.
Inviting Users
Once roles are defined, invite users to your MCP server and assign a role at the point of invitation. Their access is determined entirely by whatever permissions that role carries — they can invoke the tools it allows and nothing more.
When someone's responsibilities change or they leave the project, you update or remove their role — no untangling what they had access to before. And as your server adds more tools over time, you update the relevant roles rather than rethinking access from scratch.
What each role can and can't do
By default, a role can only invoke tools explicitly granted to it. Destructive operations, access to unexposed resources, and tools from other integrations are all off the table unless you specifically enable them for that role.
The Before and After
Take the scenario from the top: a support rep needs to check billing data to resolve a customer issue. Without RBAC, your options are giving them full server access (too much) or setting up a separate server with a separate integration just for them (too slow, and painful to maintain).
With RBAC: you create a "support" role scoped to the specific billing read tools they need, invite them, and move on. When their responsibilities shift next month, you update the role — not their individual permissions. When they leave the project, you remove them in one step.
That flexibility compounds over time. As your server grows and adds more integrations, the roles you defined on day one keep working. You're adjusting a handful of roles, not untangling a sprawl of per-person settings you half-remember configuring six weeks ago.
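The support-role scenario above, as an added Python example that is not MCP Express code and does not use its API: a default-deny check in which a role is an allowlist of tools, role edits reach every member at once, and only admins change what the server exposes. The class, method, user and tool names are hypothetical, and making role edits and invitations admin-only is an assumption.

```python
# Added illustration of default-deny, role-scoped tool access.
# Class, method and tool names are hypothetical, not the MCP Express API.
from dataclasses import dataclass, field


@dataclass
class Server:
    admins: set
    tools: set = field(default_factory=set)      # tools the server exposes
    roles: dict = field(default_factory=dict)    # role name -> granted tools
    members: dict = field(default_factory=dict)  # user -> role name

    def _require_admin(self, actor):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an admin")

    def add_tool(self, actor, tool):
        self._require_admin(actor)  # only admins change what is exposed
        self.tools.add(tool)

    def set_role(self, actor, name, granted):
        self._require_admin(actor)  # assumption: role edits are admin-only
        unknown = set(granted) - self.tools
        if unknown:
            raise ValueError(f"not exposed by this server: {sorted(unknown)}")
        self.roles[name] = set(granted)  # every member sees the change

    def invite(self, actor, user, role):
        self._require_admin(actor)
        if role not in self.roles:
            raise KeyError(role)
        self.members[user] = role

    def remove(self, actor, user):
        self._require_admin(actor)
        self.members.pop(user, None)

    def can_invoke(self, user, tool):
        # Default deny: unknown user, missing role or ungranted tool all fail.
        return tool in self.roles.get(self.members.get(user), set())


def build_example():
    s = Server(admins={"owner"})  # constructed users and tool names
    for t in ("billing.read_invoice", "billing.issue_refund", "support.reply"):
        s.add_tool("owner", t)
    s.set_role("owner", "support", {"billing.read_invoice", "support.reply"})
    s.invite("owner", "rep_a", "support")
    s.invite("owner", "rep_b", "support")
    return s
```

Because `can_invoke` looks up the role at call time, narrowing the "support" role with `set_role` removes the billing read tool from both reps without touching their memberships.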
Try It Now
RBAC is available on all MCP Express plans. If you've already got an MCP server set up, you can add your first role in a few minutes from the Manage Access tab. Free tier, no credit card required.
Further Resources:
- Documentation — Full configuration options for roles and permissions.
- Contact Us — Questions before signing up? Drop us an email.
- Open a Support Ticket — Already inside the app and something's not working? Open a ticket directly from your dashboard.