Configure server-level role-based access control (RBAC) to restrict which users can access which MCP servers based on their group membership.

Prerequisites

How it works

Server RBAC controls access to entire MCP servers based on user group membership. Users must be in an allowed group (or not in a denied group) to access the server.

Understanding the 3-layer policy hierarchy

Golf Gateway uses a 3-layer policy hierarchy where policies at each level can override or inherit from the level above:
| Layer | Where configured | Scope | Inheritance |
|---|---|---|---|
| Organization | Control Plane > Settings > Policies | All gateways & servers | Base defaults |
| Gateway | Control Plane > Gateway > Policies | All servers on this gateway | NULL = inherit from org |
| Server | Control Plane > Server > Policies | Single MCP server | Most specific |
Policy merge rules (“most restrictive wins”):
  • Boolean flags (rbac_enabled, scrubbing_enabled): OR logic: if ANY layer enables the flag, it is enabled
  • Allowed groups: INTERSECTION: the user must be in the allowed groups at ALL levels that configure them
  • Denied groups: UNION: the user is denied if they are in the denied groups at ANY level
Start with permissive organization defaults and add restrictions at the gateway or server level as needed.

RBAC modes

| Mode | Behavior |
|---|---|
| Allow (default) | Only users in allowed_groups can access |
| Deny | Users in denied_groups are blocked, others allowed |
When both modes are configured across layers, deny lists are checked first and take precedence.
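The merge rules above and the deny-first precedence, worked through in code. This is an added illustration written for this page, not Golf Gateway's own implementation; the class and function names, and the treatment of a layer with RBAC disabled (or with no allowlist configured anywhere) as non-restricting, are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass
class LayerPolicy:
    """One layer's Access policy. None means 'not set at this layer, inherit'."""
    rbac_enabled: Optional[bool] = None
    allowed_groups: Optional[FrozenSet[str]] = None
    denied_groups: Optional[FrozenSet[str]] = None


def merge_policies(org: LayerPolicy, gateway: LayerPolicy, server: LayerPolicy):
    """Most-restrictive-wins merge: OR for flags, INTERSECTION for allowed
    groups, UNION for denied groups. Returns (enabled, allowed, denied);
    allowed is None when no layer configured an allowlist."""
    layers = (org, gateway, server)
    enabled = any(p.rbac_enabled is True for p in layers)
    allowed = None
    for p in layers:
        if p.allowed_groups is not None:
            allowed = p.allowed_groups if allowed is None else allowed & p.allowed_groups
    denied = frozenset().union(*(p.denied_groups for p in layers
                                 if p.denied_groups is not None))
    return enabled, allowed, denied


def can_access(user_groups: Iterable[str], org: LayerPolicy,
               gateway: LayerPolicy, server: LayerPolicy) -> bool:
    """Deny lists are checked first; then the user must hit the merged allowlist."""
    enabled, allowed, denied = merge_policies(org, gateway, server)
    if not enabled:  # assumption: RBAC off at every layer means no restriction
        return True
    groups = frozenset(user_groups)
    if groups & denied:  # a denied group at ANY layer wins over every allow
        return False
    if allowed is not None and not (groups & allowed):
        return False
    return True  # assumption: allowlist configured nowhere means denylist-only


# Constructed scenario: the org allows three groups, the gateway denies one of
# them, and the server narrows the allowlist further.
ORG = LayerPolicy(rbac_enabled=True, allowed_groups=frozenset({"eng", "ops", "contractors"}))
GATEWAY = LayerPolicy(denied_groups=frozenset({"contractors"}))
SERVER = LayerPolicy(allowed_groups=frozenset({"ops", "contractors"}))
```

An "ops" user passes every layer; an "eng" user is allowed by the org but cut out by the server-level intersection; a "contractors" user is allowed at org and server yet blocked because the gateway denylist is checked first.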

Configure server RBAC

Organization defaults:
  1. Go to Settings > Policies
  2. Find the Server Access section
  3. Enable RBAC and set default mode (Allow/Deny)
  4. Add default allowed or denied groups
  5. Click Save
Gateway overrides:
  1. Go to Gateways > select a gateway > Policies
  2. Override organization defaults as needed
  3. Click Save
Server-level configuration:
  1. Go to MCP Servers > select a server
  2. Open the Policies tab
  3. Enable the Access policy
  4. Select mode: Allowlist or Denylist
  5. Add groups from your identity provider
  6. Click Save

Configure multiple servers

Different servers can have different access requirements. Configure each server individually through MCP Servers > server > Policies; each server's Access policy is merged with the organization and gateway policies using the rules above.

Verify RBAC is working

  1. Authenticate as a user NOT in the allowed groups
  2. Connect your MCP client (Claude Desktop, Cursor, etc.) to the gateway
  3. Try to use any tool from the protected server
  4. Verify you receive an access denied error
  5. Check audit log in Admin Portal > Logs / Sessions

Troubleshooting

  • Access denied unexpectedly: Verify the user’s identity provider groups match at least one of the allowed groups configured in the server’s Access policy
  • Groups not appearing: Verify management API credentials for your identity provider
  • Inherited policy blocking: Check organization and gateway policies - the most restrictive setting wins