[Feature Request]: ABAC Virtual Server SupportΒ #706
Description
π§ Type of Feature
Please select the most appropriate category:
- Enhancement to existing functionality
- New feature or capability
- New MCP-compliant server
- New component or integration
- Developer tooling or test improvement
- Packaging, automation and deployment (ex: pypi, docker, quay.io, kubernetes, terraform)
- Other (please describe below)
π§ Epic
Title: ABAC Controls for Virtual Server Access
Goal: Enable fine-grained, role-based access to MCP virtual servers and their tools using ABAC principles.
Why now: As organizations scale, secure and flexible access control is critical. This feature allows MCP clients to access only the virtual servers and tools they are authorized for, improving security and compliance.
πββοΈ User Story 1
As a: Platform administrator
I want: to define which roles can access specific MCP virtual servers
So that: only authorized clients can see and use the tools on those servers
β Acceptance Criteria
gherkin
Scenario: Client with authorized role accesses a virtual server
Given an MCP client registers with a valid API key and a role header
And the role matches the allowed roles for a virtual server
When the client requests access to the virtual server
Then access is granted and available tools are listed
Scenario: Client with unauthorized role attempts access
Given an MCP client registers with a valid API key and a role header
And the role does not match the allowed roles for a virtual server
When the client requests access to the virtual server
Then access is denied
πββοΈ User Story 2
As a: MCP client developer
I want: to specify my role when registering to the MCP server
So that: I can access only the virtual servers and tools permitted for my role
β Acceptance Criteria
gherkin
Scenario: Client specifies role in registration
Given a client includes a role header in the registration request
When the role matches a virtual server's allowed roles
Then the client can interact with that server's tools
π Design Sketch (optional)
flowchart TD
A[Client] -- API Key + Role Header --> B(MCP Server)
B -- Role matches --> C[Virtual Server Access Granted]
B -- Role does not match --> D[Access Denied]
π MCP Standards Check
- Change adheres to current MCP specifications
- No breaking changes to existing MCP-compliant integrations
- If deviations exist, please describe them below:
π Alternatives Considered
- Relying solely on API key authentication (less flexible, not role-aware)
- Implementing RBAC instead of ABAC (less granular, harder to extend for attributes beyond roles)
π Additional Context
- Related to security and compliance requirements for multi-tenant environments
- See also: Attribute-based access control (ABAC) overview
- Discussion: #security, #access-control