# Set Up Server RBAC

> Control which users can access which MCP servers based on group membership.

Configure server-level role-based access control (RBAC) to restrict which users can access which MCP servers based on their group membership.

## Prerequisites

<Tabs>
  <Tab title="Control Plane">
    * [Golf Control Plane account](https://app.golf.dev) with Admin role
    * Identity provider configured with group sync enabled ([Configure SSO](/gateway/guides/identity-providers/sso-connections))
    * MCP server registered in Control Plane
  </Tab>

  <Tab title="YAML">
    * Golf Gateway deployed in [Distributed mode](/gateway/guides/getting-started/deploy-hybrid-mode)
    * Identity provider configured in your YAML file
    * Familiarity with the [YAML schema](/gateway/reference/yaml-schema)
  </Tab>
</Tabs>

## How it works

Server RBAC controls access to entire MCP servers based on user group membership. Users must be in an allowed group (or not in a denied group) to access the server.

## Understanding the 3-layer policy hierarchy

Golf Gateway uses a 3-layer policy hierarchy where policies at each level can override or inherit from the level above:

| Layer            | Where Configured                    | Scope                       | Inheritance             |
| ---------------- | ----------------------------------- | --------------------------- | ----------------------- |
| **Organization** | Control Plane > Settings > Policies | All gateways & servers      | Base defaults           |
| **Gateway**      | Control Plane > Gateway > Policies  | All servers on this gateway | NULL = inherit from org |
| **Server**       | Control Plane > Server > Policies   | Single MCP server           | Most specific           |

**Policy Merge Rules ("Most Restrictive Wins"):**

* **Boolean flags** (`rbac_enabled`, `scrubbing_enabled`): OR logic - if ANY layer enables, it's enabled
* **Allowed groups**: INTERSECTION - user must be in allowed groups at ALL levels
* **Denied groups**: UNION - user denied if in denied groups at ANY level

<Tip>
  Start with permissive organization defaults and add restrictions at the gateway or server level as needed.
</Tip>

## RBAC modes

| Mode                | Behavior                                             |
| ------------------- | ---------------------------------------------------- |
| **Allow** (default) | Only users in `allowed_groups` can access            |
| **Deny**            | Users in `denied_groups` are blocked, others allowed |

When both modes are configured across layers, deny lists are checked first and take precedence.
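The merge rules and the deny-first check above, as an added model (not Golf Gateway's own code) you can run against a user's group list before touching a live policy. It assumes `None` means "not set at this layer", that an allow-mode layer sets `allowed_groups` and a deny-mode layer sets `denied_groups`, and reads INTERSECTION as "the user must match the allow list at every layer that sets one"; the sample layers mirror the YAML on this page.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LayerPolicy:
    """One layer (organization, gateway or server). None = not set here, inherit."""
    rbac_enabled: Optional[bool] = None
    allowed_groups: Optional[set] = None   # set by an allow-mode layer
    denied_groups: Optional[set] = None    # set by a deny-mode layer


@dataclass
class EffectivePolicy:
    rbac_enabled: bool
    allow_lists: list = field(default_factory=list)   # one allow list per layer that set one
    denied_groups: set = field(default_factory=set)


def merge_policies(org, gateway, server) -> EffectivePolicy:
    layers = [org, gateway, server]
    # Boolean flags: OR logic; if ANY layer enables RBAC, it is enabled.
    enabled = any(p.rbac_enabled is True for p in layers)
    # Allowed groups: INTERSECTION; the user must match the allow list at ALL levels that set one.
    allow_lists = [set(p.allowed_groups) for p in layers if p.allowed_groups is not None]
    # Denied groups: UNION; a user is denied if in the denied groups at ANY level.
    denied = set().union(*(p.denied_groups for p in layers if p.denied_groups is not None))
    return EffectivePolicy(enabled, allow_lists, denied)


def can_access(user_groups, policy: EffectivePolicy) -> bool:
    groups = set(user_groups)
    if not policy.rbac_enabled:
        return True                      # RBAC off at every layer: no group check
    # Deny lists are checked first and take precedence over any allow list.
    if groups & policy.denied_groups:
        return False
    # Allow mode: user must be in at least one group of every layer's allow list
    # (an empty allow list therefore admits nobody).
    return all(groups & allowed for allowed in policy.allow_lists)


# Constructed sample layers, assumed here, mirroring the YAML examples on this page.
ORG = LayerPolicy(rbac_enabled=False)                       # permissive org defaults
GATEWAY = LayerPolicy(rbac_enabled=True, allowed_groups={"gateway-users"}, denied_groups=set())
ADMIN_TOOLS = LayerPolicy(rbac_enabled=True, allowed_groups={"platform-admins", "devops"})
GENERAL_TOOLS = LayerPolicy(rbac_enabled=True, denied_groups={"contractors", "external-users"})


def decide(server: LayerPolicy, user_groups) -> bool:
    """Resolve org > gateway > server for one server and one user's IdP groups."""
    return can_access(user_groups, merge_policies(ORG, GATEWAY, server))
```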

## Configure server RBAC

<Tabs>
  <Tab title="Control Plane">
    **Organization defaults:**

    1. Go to **Settings** > **Policies**
    2. Find the **Server Access** section
    3. Enable RBAC and set default mode (Allow/Deny)
    4. Add default allowed or denied groups
    5. Click **Save**

    **Gateway overrides:**

    1. Go to **Gateways** > select a gateway > **Policies**
    2. Override organization defaults as needed
    3. Click **Save**

    **Server-level configuration:**

    1. Go to **MCP Servers** > select a server
    2. Open the **Policies** tab
    3. Enable the **Access** policy
    4. Select mode: **Allowlist** or **Denylist**
    5. Add groups from your identity provider
    6. Click **Save**
  </Tab>

  <Tab title="YAML">
    **Gateway-level defaults** (applies to all servers):

    ```yaml theme={null}
    gateway_policy:
      server_rbac:
        rbac_enabled: true
        rbac_mode: allow
        allowed_groups: [gateway-users]
        denied_groups: []
    ```

    **Server-level configuration:**

    Allow mode (users must be in at least one allowed group):

    ```yaml theme={null}
    servers:
      - name: admin-tools
        url: http://localhost:3001
        rbac_enabled: true
        rbac_mode: allow
        allowed_groups:
          - platform-admins
          - devops
    ```

    Deny mode (users must NOT be in any denied group):

    ```yaml theme={null}
    servers:
      - name: general-tools
        url: http://localhost:3002
        rbac_enabled: true
        rbac_mode: deny
        denied_groups:
          - contractors
          - external-users
    ```
  </Tab>
</Tabs>

## Configure multiple servers

Different servers can have different access requirements:

<Tabs>
  <Tab title="Control Plane">
    Configure each server individually through **MCP Servers** > server > **Policies**.
  </Tab>

  <Tab title="YAML">
    ```yaml theme={null}
    servers:
      # Admin-only tools
      - name: admin-dashboard
        url: http://localhost:3001
        rbac_enabled: true
        rbac_mode: allow
        allowed_groups: [admins]

      # Developer tools
      - name: dev-tools
        url: http://localhost:3002
        rbac_enabled: true
        rbac_mode: allow
        allowed_groups: [developers, admins]

      # Public tools (no RBAC)
      - name: public-docs
        url: http://localhost:3003
        rbac_enabled: false
    ```
  </Tab>
</Tabs>

## Verify RBAC is working

1. Authenticate as a user NOT in the allowed groups
2. Connect your MCP client (Claude Desktop, Cursor, etc.) to the gateway
3. Try to use any tool from the protected server
4. Verify you receive an access denied error
5. Check the audit log under Admin Portal > **Audit Logs** for the denied request

## Troubleshooting

* **Access denied unexpectedly**: Verify the user's identity provider groups match at least one of the allowed groups configured in the server's Access policy
* **Groups not appearing**: Verify management API credentials for your identity provider
* **Inherited policy blocking**: Check organization and gateway policies - the most restrictive setting wins

## Related guides

* [Set Up Capability RBAC](/gateway/guides/security/setup-capability-rbac) - Fine-grained tool access
* [Configure SSO](/gateway/guides/identity-providers/sso-connections) - Identity provider setup
