Tool Filtering
Tool filtering controls which MCP tools are available to each persona. Rules use wildcard patterns to allow or deny tools by name.
Two levels of tool filtering
Persona tool filtering (this page) is a security boundary. It controls which tools a user can call via tools/call based on their persona. Unauthorized calls are rejected.
Global tool visibility (configured via the top-level tools: block) is a token optimization. It controls which tools appear in tools/list responses to reduce LLM context usage. It does not block tools/call. See Tool Visibility Configuration for details.
Rule Structure
Each persona has allow and deny lists:
```yaml
tools:
  allow:
    - "trino_*"         # Allow all trino tools
    - "datahub_search"  # Allow specific tool
  deny:
    - "*_delete_*"      # Deny any tool with delete in name
```
Evaluation Order
- Deny rules are checked first: if a tool matches any deny pattern, it's blocked
- Allow rules are checked second: the tool must match at least one allow pattern
- No match = denied: tools not matching any allow pattern are blocked
```mermaid
graph TD
    A[Tool Request] --> B{Matches Deny?}
    B -->|Yes| C[Blocked]
    B -->|No| D{Matches Allow?}
    D -->|Yes| E[Allowed]
    D -->|No| C
```
Wildcard Patterns
| Pattern | Matches |
|---|---|
| `*` | Everything |
| `trino_*` | trino_query, trino_execute, trino_explain, trino_browse, etc. |
| `*_list_*` | s3_list_buckets, s3_list_objects, trino_list_connections, etc. (does not match trino_browse or datahub_browse) |
| `datahub_get_*` | datahub_get_entity, datahub_get_schema, etc. |
| `s3_*` | All S3 tools |
| `trino_query` | Exact match only |
Wildcards match zero or more characters.
Common Patterns
Full Access
Read-Only Access
```yaml
tools:
  allow:
    - "trino_query"
    - "trino_explain"
    - "trino_browse"
    - "trino_describe_*"
    - "trino_list_connections"
    - "datahub_*"
    - "s3_list_*"
    - "s3_get_*"
  deny:
    - "trino_execute"
    - "s3_put_*"
    - "s3_delete_*"
    - "s3_copy_*"
```
Metadata Only (No Queries)
```yaml
tools:
  allow:
    - "datahub_*"
    - "trino_browse"
    - "trino_describe_*"
    - "trino_list_connections"
  deny:
    - "trino_query"
    - "trino_execute"
    - "trino_explain"
```
Data Exploration
S3 Read-Only
```yaml
tools:
  allow:
    - "s3_list_*"
    - "s3_get_object"
    - "s3_get_object_metadata"
    - "s3_presign_url"
  deny:
    - "s3_put_*"
    - "s3_delete_*"
    - "s3_copy_*"
```
Tool Names Reference
Use these exact names in your patterns:
Trino Tools:
- trino_query (read-only)
- trino_execute (read-write)
- trino_explain
- trino_browse
- trino_describe_table
- trino_list_connections
DataHub Tools:
- datahub_search
- datahub_get_entity
- datahub_get_schema
- datahub_get_lineage
- datahub_get_queries
- datahub_get_glossary_term
- datahub_browse
- datahub_get_data_product
- datahub_create (if not read-only)
- datahub_update (if not read-only)
- datahub_delete (if not read-only)
- datahub_list_connections
S3 Tools:
- s3_list_buckets
- s3_list_objects
- s3_get_object
- s3_get_object_metadata
- s3_presign_url
- s3_list_connections
- s3_put_object (if not read-only)
- s3_delete_object (if not read-only)
- s3_copy_object (if not read-only)
Examples
Analyst Persona
Analysts can query and explore, but not modify:
```yaml
analyst:
  tools:
    allow:
      - "trino_*"
      - "datahub_*"
      - "s3_list_*"
      - "s3_get_*"
    deny:
      - "s3_put_*"
      - "s3_delete_*"
      - "s3_copy_*"
```
Data Steward Persona
Data stewards can view metadata but not execute queries:
```yaml
data_steward:
  tools:
    allow:
      - "datahub_*"
      - "trino_browse"
      - "trino_describe_*"
      - "trino_list_connections"
    deny:
      - "trino_query"
      - "trino_execute"
      - "trino_explain"
```
ETL Service Persona
ETL services need full access:
Viewer Persona
Viewers can only search and browse:
```yaml
viewer:
  tools:
    allow:
      - "datahub_search"
      - "datahub_get_entity"
      - "datahub_browse"
      - "trino_browse"
    deny:
      - "trino_query"
      - "trino_execute"
      - "trino_explain"
      - "trino_describe_*"
      - "s3_*"
```
Deny Takes Precedence
Deny rules always win over allow rules:
Result: s3_list_buckets ✓, s3_delete_object ✗
Testing Rules
To verify your rules work as expected, check which tools are available for each persona:
- Authenticate as a user with the persona's roles
- Ask Claude to list available tools
- Verify the expected tools are present/absent
Or test programmatically by checking the tool filter logic:
```go
filter := persona.NewToolFilter(persona.ToolRules{
    Allow: []string{"trino_*"},
    Deny:  []string{"trino_query"},
})
filter.Allows("trino_browse")         // true
filter.Allows("trino_describe_table") // true
filter.Allows("trino_query")          // false
filter.Allows("datahub_search")       // false
```
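The following is an added example, not the project's code or its `persona` package: a standalone Go reimplementation of the deny-first, allow-second, default-deny order described on this page, run over the Analyst persona rules and the modifying tools listed in the Tool Names Reference. `matchWildcard`, `matchesAny` and `allowed` are hypothetical helpers, and the matcher assumes `*` is the only wildcard.

```go
package main

import (
	"fmt"
	"strings"
)

// matchWildcard: '*' matches zero or more characters (assumed the only wildcard).
func matchWildcard(pattern, name string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == name // no wildcard: exact match only
	}
	if !strings.HasPrefix(name, parts[0]) {
		return false
	}
	name = name[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(name, mid)
		if i < 0 {
			return false
		}
		name = name[i+len(mid):]
	}
	return strings.HasSuffix(name, parts[len(parts)-1])
}

func matchesAny(patterns []string, tool string) bool {
	for _, p := range patterns {
		if matchWildcard(p, tool) {
			return true
		}
	}
	return false
}

// allowed applies the documented order: deny first, then allow, otherwise denied.
func allowed(allow, deny []string, tool string) bool {
	return !matchesAny(deny, tool) && matchesAny(allow, tool)
}

func main() {
	allow := []string{"trino_*", "datahub_*", "s3_list_*", "s3_get_*"} // Analyst persona rules from this page
	deny := []string{"s3_put_*", "s3_delete_*", "s3_copy_*"}
	writers := []string{"trino_execute", "datahub_create", "datahub_update", // modifying tools per the reference
		"datahub_delete", "s3_put_object", "s3_delete_object", "s3_copy_object"}
	for _, t := range writers {
		fmt.Printf("%-17s allowed=%v\n", t, allowed(allow, deny, t))
	}
}
```

Under these rules the S3 write tools are denied, but `trino_*` and `datahub_*` still match `trino_execute`, `datahub_create`, `datahub_update` and `datahub_delete`. A persona that must not modify data needs explicit deny entries for those names wherever the tools are registered.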
Next Steps
- Role Mapping - Map roles to personas
- Authentication - Configure user authentication