# Access Levels

> Control which MCP tools AI agents and team members can call with workspace access levels. Full, restricted, or read-only — applies to all members equally.

Every MCP server in a workspace has an **access level** — a ceiling that controls which tools AI agents and team members can call. It applies to everyone equally: owners, admins, members, and any token issued against the workspace.

## The three levels

### Full — All tools available

No tools are blocked. Every tool the server exposes is available to callers.

**Use when:**
- Your own personal workspace
- Developer workspaces where you fully trust the agent
- Internal bots where you need the complete tool surface

**Example:** A coding assistant that needs to create branches, push files, create PRs, and delete stale branches.

---

### Standard — No destructive tools

Write tools are allowed, but tools flagged as **destructive** (delete, force-push, drop table, fork, etc.) are blocked. Agents can create and update, but they cannot remove.

**Use when:**
- Default choice for team workspaces
- Agents shared with colleagues
- Any workspace where accidental deletions would be painful

**Example:** A project manager bot that creates issues, writes comments, and updates PRs — but cannot delete repositories or branches.

---

### Read-only — Read / list / search only

Only tools marked as read-only are available. No writes of any kind, destructive or not.

**Use when:**
- Public workspace tokens shared with external users
- Customer-facing agents (support, Q&A)
- Research or audit bots that should never modify data
- Demos and sandboxes

**Example:** A knowledge assistant that can search code, list repos, and read files — but cannot create a single issue.

---

## How levels interact with team member roles

The access level is a **server-wide ceiling**. Member roles add another layer on top.

| Role | tools/list | tools/call |
|------|-----------|------------|
| **Owner** | All tools within the access level | Allowed |
| **Admin** | All tools within the access level | Allowed |
| **Member** | All tools within the access level | Allowed |
| **Viewer** | All tools within the access level | **Blocked** — viewers cannot execute any tool |

The key point: **access level wins over role**. If the server is set to Read-only, even an Admin cannot call a write tool. The level is the hard cap; roles only add restrictions on top of it.

---

## How levels interact with tokens

When you issue a workspace token, it inherits the server's access level. You can further restrict a token with its own `allowed_tools` list — but you cannot grant more than the server level allows.

```
Server access level  ← hard ceiling
  └── Token allowed_tools  ← further restriction (optional)
        └── Workspace policies  ← global governance rules
```

---

## Changing the access level

Open your workspace → Settings → expand any MCP server → click the **Full / Standard / Read-only** badge. The change takes effect immediately for all future calls.

The **Tool Permissions** panel below the badge lets you fine-tune individual tools within the selected level — disable specific tools you don't need, or re-enable ones that were blocked by the level preset.

---

## Quick reference

| | Full | Standard | Read-only |
|---|---|---|---|
| Read / list / search tools | ✅ | ✅ | ✅ |
| Write / create / update tools | ✅ | ✅ | ❌ |
| Destructive tools (delete, fork…) | ✅ | ❌ | ❌ |
| Viewers can call tools | ❌ | ❌ | ❌ |
