MCP role-based access control

MCP now enforces the Ada dashboard role on every OAuth-authenticated tool call. Owners and Admins can call every tool, while Agents and Read Only users can call read-only tools only — write tools like propose_change are blocked with a permission error and hidden from the assistant’s tool list. Read Only users can now connect to MCP; previously they were blocked at sign-in.

Learn more in the MCP authentication documentation.