Access Levels
Every MCP server in a workspace has an access level — a ceiling that controls which tools AI agents and team members can call. It applies to everyone equally: owners, admins, members, and any token issued against the workspace.
The three levels
Full — All tools available
No tools are blocked. Every tool the server exposes is available to callers.
Use when:
- Your own personal workspace
- Developer workspaces where you fully trust the agent
- Internal bots where you need the complete tool surface
Example: A coding assistant that needs to create branches, push files, create PRs, and delete stale branches.
Standard — No destructive tools
Write tools are allowed, but tools flagged as destructive (delete, force-push, drop table, fork, etc.) are blocked. Agents can create and update, but they cannot remove.
Use when:
- Default choice for team workspaces
- Agents shared with colleagues
- Any workspace where accidental deletions would be painful
Example: A project manager bot that creates issues, writes comments, and updates PRs — but cannot delete repositories or branches.
Read-only — Read / list / search only
Only tools marked as read-only are available. No writes of any kind, destructive or not.
Use when:
- Public workspace tokens shared with external users
- Customer-facing agents (support, Q&A)
- Research or audit bots that should never modify data
- Demos and sandboxes
Example: A knowledge assistant that can search code, list repos, and read files — but cannot create a single issue.
How levels interact with team member roles
The access level is a server-wide ceiling. Member roles add another layer on top.
| Role | tools/list | tools/call |
|---|---|---|
| Owner | All tools within the access level | Allowed |
| Admin | All tools within the access level | Allowed |
| Member | All tools within the access level | Allowed |
| Viewer | All tools within the access level | Blocked — viewers cannot execute any tool |
The key point: access level wins over role. If the server is set to Read-only, even an Admin cannot call a write tool. The level is the hard cap; roles only add restrictions on top of it.
How levels interact with tokens
When you issue a workspace token, it inherits the server’s access level. You can further restrict a token with its own allowed_tools list — but you cannot grant more than the server level allows.
Server access level ← hard ceiling
└── Token allowed_tools ← further restriction (optional)
└── Workspace policies ← global governance rulesChanging the access level
Open your workspace → Settings → expand any MCP server → click the Full / Standard / Read-only badge. The change takes effect immediately for all future calls.
The Tool Permissions panel below the badge lets you fine-tune individual tools within the selected level — disable specific tools you don’t need, or re-enable ones that were blocked by the level preset.
Quick reference
| Full | Standard | Read-only | |
|---|---|---|---|
| Read / list / search tools | ✅ | ✅ | ✅ |
| Write / create / update tools | ✅ | ✅ | ❌ |
| Destructive tools (delete, fork…) | ✅ | ❌ | ❌ |
| Viewers can call tools | ❌ | ❌ | ❌ |