Tool Filtering¶
Tool filtering controls which MCP tools are available to each persona. Rules use wildcard patterns to allow or deny tools by name.
Rule Structure¶
Each persona has allow and deny lists:
tools:
allow:
- "trino_*" # Allow all trino tools
- "datahub_search" # Allow specific tool
deny:
- "*_delete_*" # Deny any tool with delete in name
Evaluation Order¶
- Deny rules are checked first - If a tool matches any deny pattern, it's blocked
- Allow rules are checked second - Tool must match at least one allow pattern
- No match = denied - Tools not matching any allow pattern are blocked
graph TD
A[Tool Request] --> B{Matches Deny?}
B -->|Yes| C[Blocked]
B -->|No| D{Matches Allow?}
D -->|Yes| E[Allowed]
D -->|No| CWildcard Patterns¶
| Pattern | Matches |
|---|---|
* |
Everything |
trino_* |
trino_query, trino_explain, trino_list_tables, etc. |
*_list_* |
trino_list_catalogs, s3_list_buckets, datahub_list_tags, etc. |
datahub_get_* |
datahub_get_entity, datahub_get_schema, etc. |
s3_* |
All S3 tools |
trino_query |
Exact match only |
Wildcards match zero or more characters.
Common Patterns¶
Full Access¶
Read-Only Access¶
tools:
allow:
- "trino_query"
- "trino_explain"
- "trino_list_*"
- "trino_describe_*"
- "datahub_*"
- "s3_list_*"
- "s3_get_*"
deny:
- "s3_put_*"
- "s3_delete_*"
- "s3_copy_*"
Metadata Only (No Queries)¶
tools:
allow:
- "datahub_*"
- "trino_list_*"
- "trino_describe_*"
deny:
- "trino_query"
- "trino_explain"
Data Exploration¶
S3 Read-Only¶
tools:
allow:
- "s3_list_*"
- "s3_get_object"
- "s3_get_object_metadata"
- "s3_presign_url"
deny:
- "s3_put_*"
- "s3_delete_*"
- "s3_copy_*"
Tool Names Reference¶
Use these exact names in your patterns:
Trino Tools:
- trino_query
- trino_explain
- trino_list_catalogs
- trino_list_schemas
- trino_list_tables
- trino_describe_table
- trino_list_connections
DataHub Tools:
- datahub_search
- datahub_get_entity
- datahub_get_schema
- datahub_get_lineage
- datahub_get_queries
- datahub_get_glossary_term
- datahub_list_tags
- datahub_list_domains
- datahub_list_data_products
- datahub_get_data_product
- datahub_list_connections
S3 Tools:
- s3_list_buckets
- s3_list_objects
- s3_get_object
- s3_get_object_metadata
- s3_presign_url
- s3_list_connections
- s3_put_object (if not read-only)
- s3_delete_object (if not read-only)
- s3_copy_object (if not read-only)
Examples¶
Analyst Persona¶
Analysts can query and explore, but not modify:
analyst:
tools:
allow:
- "trino_*"
- "datahub_*"
- "s3_list_*"
- "s3_get_*"
deny:
- "s3_put_*"
- "s3_delete_*"
- "s3_copy_*"
Data Steward Persona¶
Data stewards can view metadata but not execute queries:
data_steward:
tools:
allow:
- "datahub_*"
- "trino_list_*"
- "trino_describe_*"
deny:
- "trino_query"
- "trino_explain"
ETL Service Persona¶
ETL services need full access:
Viewer Persona¶
Viewers can only search and browse:
viewer:
tools:
allow:
- "datahub_search"
- "datahub_get_entity"
- "datahub_list_*"
- "trino_list_*"
deny:
- "trino_query"
- "trino_explain"
- "trino_describe_*"
- "s3_*"
Deny Takes Precedence¶
Deny rules always win over allow rules:
Result: s3_list_buckets ✓, s3_delete_object ✗
Testing Rules¶
To verify your rules work as expected, check which tools are available for each persona:
- Authenticate as a user with the persona's roles
- Ask Claude to list available tools
- Verify the expected tools are present/absent
Or test programmatically by checking the tool filter logic:
filter := persona.NewToolFilter(persona.ToolRules{
Allow: []string{"trino_*"},
Deny: []string{"trino_query"},
})
filter.Allows("trino_list_tables") // true
filter.Allows("trino_query") // false
filter.Allows("datahub_search") // false
Next Steps¶
- Role Mapping - Map roles to personas
- Authentication - Configure user authentication