The complete reference of MCP Manager capabilities — every permission you can grant to a role, grouped by area (Identities, Servers, Gateways, Hosts, People, Workspace settings, Logging, Alerting, Reporting, Integrations) — and exactly what each one allows.
A capability in MCP Manager is a single, granular permission — the smallest unit of “what a user is allowed to do.” Capabilities are never assigned to users directly; instead they are bundled into roles, and each user holds exactly one role. This page is the complete reference of every capability, grouped exactly as they appear in the product.
Granting and revoking capabilities is itself governed by the Manage people capability. You edit a role’s capabilities under the Capabilities tab when managing a role in People. If you can’t reach role management, your role doesn’t have Manage people — access is governed by capabilities, not by any fixed role name.
Capabilities are granted per role. Under People, open a role and use its Capabilities tab to toggle each permission on or off; every user assigned that role inherits the result. The built-in Super admin role always holds every capability and its toggles are locked on; the Administrator and Member roles, and any custom role, have fully editable capabilities. See Roles for how roles are assigned and edited.
Capabilities define what you can do; teams define which gateways you can do it to. Most capabilities act only on the resources your team membership already grants you. A separate family of “view all” capabilities — View and use all gateways, View all servers, View all identities, See all alerts — overrides that team scoping for its resource type. See How team scoping interacts with capabilities.
Identity capabilities govern the credentials users connect to downstream MCP servers. Personal identity management — managing your own identities — is always available to every user and is not gated by a capability.
| Capability | What it allows |
| --- | --- |
| Identity management | This includes updating identity availability, disabling and enabling identities, and deleting identities created by others. Personal identity management is always enabled. |
| View all identities | Access all identities in this workspace regardless of who created them. |
View all identities is a governance-preview capability, not an impersonation grant
View all identities lets an administrator see every identity in the workspace, including the private identities created by other users, regardless of who created them. Critically, it does not let the holder use another person’s private identity. A private identity is never selectable for assignment by anyone other than its owner, even with this capability — an identity can only be used by others if its owner has made it shared (globally available) rather than personal.
What the capability provides is a read-only preview: an administrator can see which identities exist and preview what tools and access a given user’s identity would expose. This is an instrumental tool for building governance policies — understanding what different users and their identities can reach — without granting the ability to act as those users. For the concepts behind identities and shared-versus-personal availability, see Authentication & Identity.
Server capabilities govern MCP servers and server instances — adding them, editing them, enabling or disabling them, deleting them, and creating managed and workstation server instances.
| Capability | What it allows |
| --- | --- |
| Basic server management | This includes adding remote servers, editing remote server names, and creating remote server identities via authentication. |
| Disable and enable servers | Disable and enable servers in this workspace. |
| Delete servers | Delete servers from this workspace. |
| Manage feature provisioning settings | Manage the provisioning settings for features on servers in this workspace. |
| View all servers | View all servers and server instances in this workspace regardless of access. |
| Create managed server instances | This includes deploying new server instances, and editing server instance names. |
| Create and configure managed and workstation servers | This includes creating new managed and workstation servers, editing their names, editing default template configurations, updating server instance permissions, and setting and updating tunnel schemes. |
| Create workstation instances | This includes deploying new workstation instances, and editing workstation instance names. |
Like gateways, servers are scoped by access: View all servers overrides that scoping so the holder sees every server and server instance in the workspace regardless of access. Create workstation instances is reserved for an upcoming feature and is not yet active.
Gateway capabilities govern creating and configuring gateways, provisioning them to teams, and archiving them.
| Capability | What it allows |
| --- | --- |
| Basic gateway management | This includes creating gateways, editing gateway names, disabling and enabling gateways, assigning servers to gateways, changing identity scheme (“shared” or “personal”), disabling and enabling assigned servers, and revoking assigned servers from gateways. |
| View and use all gateways | View and use all gateways on any team in this workspace. |
| Manage team-gateway provisioning | This includes creating and revoking team gateway provisions. |
| Archive and view archived gateways | Archive gateways to hide them from default views without deleting. This also controls the ability to unarchive them. Archived gateways are automatically disabled. |
Basic gateway management acts only on gateways you can reach
Basic gateway management grants the actions — creating gateways, renaming them, enabling and disabling them, assigning and revoking servers. It does not, by itself, widen which gateways those actions apply to. A user with this capability can manage only the gateways their team membership provisions to them. To act on gateways across the whole workspace regardless of team, a role also needs View and use all gateways (below). Manage team-gateway provisioning is the separate capability for granting and revoking a team’s access to a gateway.
Host capabilities govern the apps and agents that connect to your gateways — the API tokens and OAuth connections that link a host to a gateway, and enabling, disabling, or deleting hosts.
| Capability | What it allows |
| --- | --- |
| Create and manage API tokens (including copy & download) | This includes generating/copying/downloading API access tokens, editing token-based host names, disabling and enabling hosts, and deleting hosts. |
| Authenticate via OAuth | Establish connections between hosts and gateways via OAuth. |
| Disable and enable connections | Disable and enable connections between hosts and gateways. |
People capabilities govern user, role, and team administration and SSO/SCIM mapping.
| Capability | What it allows |
| --- | --- |
| Invite users | This includes inviting users to the role and any team that the inviter has access to. |
| Manage people | Create, duplicate, and edit roles and teams; assign roles and teams to users; deactivate users; and see all teams (see below). |
| Manage SSO/SCIM mapping | Configure how IDP groups (e.g. Okta) map to MCP Manager teams and edit workspace-level SSO settings, including the default team for SCIM-provisioned users. |
Manage people is a broad administrative capability
Manage people is the single capability behind most user, role, and team administration. It includes creating and duplicating roles, editing role names and icons, editing role capabilities, and deleting roles that have no assigned users. It also includes creating teams, editing team names, enabling and disabling teams, and deleting teams. It further includes updating user role assignments, creating and revoking user team assignments, and deactivating users to remove their access to the workspace — and it grants the ability to see all teams in the workspace. Because it is far-reaching, grant Manage people only to roles that should administer the workspace.
Manage SSO/SCIM mapping controls more than buttons: the SSO/SCIM settings page itself is gated by this capability. A user whose role lacks it cannot open that page even by direct link — they are redirected away. See SSO and SCIM.
Logging capabilities govern viewing and exporting logs and configuring the OpenTelemetry collector that forwards them.
| Capability | What it allows |
| --- | --- |
| View and export logs | View and export logs for hosts, gateways, and servers that you have access to. |
| Manage OpenTelemetry collector | Configure, edit, and remove the OpenTelemetry collector used to forward logs. |
View and export logs is scoped to the resources you can already reach: it lets you view and export logs only for the hosts, gateways, and servers your team membership grants you access to — it is not a workspace-wide “view every log” grant. Manage OpenTelemetry collector governs the collector used to forward logs to an external destination; see Export to SIEM.
See all alerts overrides the default team-based scoping of alerts so the holder sees every alert in the workspace rather than only those tied to resources they can reach.
View reports for hosts, gateways, servers, and more…
View reports controls the Reporting page end to end: with it, the Reporting link appears in the left-hand navigation and every chart is available; without it, the link is hidden and the page is unavailable.
Configure, edit, and remove integrations such as rule engines, including custom providers and built-in engines.
Manage integrations governs the rule engines and other integrations attached to your gateways — configuring them, editing them, and removing them, for both built-in engines and custom providers.
Most capabilities are bounded by team membership: they let you act only on the gateways (and the servers, hosts, logs, and alerts behind them) that your teams provision to you. A handful of capabilities are deliberately designed to override that scoping for administrators who need a workspace-wide view:
View and use all gateways — see and use every gateway on any team, bypassing team provisioning entirely.
View all servers — see every server and server instance regardless of access.
View all identities — see every identity regardless of creator (read-only preview; it does not let you use another user’s private identity).
See all alerts — see every alert in the workspace.
If you grant one of these “view all” capabilities, remember that you are removing the team boundary for that resource type. For most users, leave them off and rely on team membership to scope access; reserve them for administrative roles. For how team access itself is granted, disabled, and resolved, see Teams.
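The scoping rules above can be checked against a small model before a role is changed. The following is an added example, not MCP Manager code or its API: the data shapes, function names, and sample users are assumptions constructed for illustration, and only the capability names come from this page.

```python
# Simplified model of the scoping rules on this page. Not MCP Manager code:
# the data shapes and function names are assumptions made for illustration.
from dataclasses import dataclass, field

VIEW_ALL = {  # capabilities the page lists as overriding team scoping
    "View and use all gateways", "View all servers",
    "View all identities", "See all alerts",
}

@dataclass
class User:
    name: str
    caps: set            # capabilities inherited from the user's single role
    teams: set = field(default_factory=set)

@dataclass
class Identity:
    owner: str
    shared: bool         # True = shared (globally available), False = personal

def reachable_gateways(user, provisions):
    """provisions maps gateway -> set of teams it is provisioned to."""
    if "View and use all gateways" in user.caps:
        return set(provisions)                      # team boundary removed
    return {g for g, teams in provisions.items() if teams & user.teams}

def can_manage_gateway(user, gateway, provisions):
    # The capability grants the action; reach still decides the target.
    return ("Basic gateway management" in user.caps
            and gateway in reachable_gateways(user, provisions))

def can_view_identity(user, ident):
    # Assumption: owners and holders of "View all identities" can see it;
    # visibility of shared identities to other users is modelled as allowed.
    return (ident.owner == user.name or ident.shared
            or "View all identities" in user.caps)

def can_use_identity(user, ident):
    # "View all identities" is deliberately absent: it is a read-only preview.
    return ident.owner == user.name or ident.shared

def scope_overrides(user):
    """Audit helper: which team-boundary overrides does this user's role hold?"""
    return sorted(user.caps & VIEW_ALL)

# Constructed sample data
PROVISIONS = {"gw-sales": {"sales"}, "gw-eng": {"eng"}}
alice = User("alice", {"Basic gateway management"}, {"sales"})
admin = User("admin", {"Basic gateway management", "View and use all gateways",
                       "View all identities"}, {"eng"})
bob_private = Identity(owner="bob", shared=False)
```

Running `scope_overrides` over every role in a workspace gives a quick list of who has had the team boundary removed, and for which resource type.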