Permissions that narrow access
A person's identity follows their agent at every step. From the moment they sign in, that identity decides which tools and providers the agent can reach and carries through to every call it makes.
People sign in through your identity provider using SSO and SAML. Every agent starts from a real account instead of a shared login.
The signed-in user defines the access boundary for every agent. From there, policies can narrow what a specific agent may use by tool, provider, action, or session.
Each agent gets a distinct identity and its own allowed actions. Agent identification lets you restrict one agent without changing what the person or other agents can do.
Agents connect to providers through tokenless auth and provider SSO. Work gets done without anyone sharing or storing long-lived keys.
What you control
Manage users, groups, and service accounts together, including inside Portals. Security and IT keep control without slowing teams down.
People sign in through the identity provider your company already uses. Agent access follows existing accounts and offboarding.
Per-user and per-group access policies decide which agents, tools, and providers each person can reach, managed centrally for the whole team.
Agents reach providers without shared credentials, and the identity behind each agent carries through every call.
Portals and Magic MCP are how people connect agents. Access Control is the layer underneath both, deciding who reaches what.
Portals shows each person only the integrations and skills their policies allow.
Every Magic MCP call runs as the user behind it and reaches only the tools their policies allow.
Change a policy once and it applies everywhere: Portals, Magic MCP, and the API.
Portals: a unified portal where employees connect agents to approved integrations and skills with company SSO.
Magic MCP: one MCP URL that connects an agent to every tool a person is allowed to use, tokenless and fully logged.
Every governed call is recorded with the user behind it. Security can see exactly what happened.
What you can scope
Control who can connect, which systems they reach, and what each agent is allowed to do.
Manage people, the groups imported from your identity provider, and the service accounts agents run as, all governed the same way. Non-human access is never an exception.
Decide which agents can access Metorial, which tools and actions those agents can call, and which providers they can reach. Allow a provider while still blocking specific tools.
Cap what any single agent can do, revoke access at any time, and let offboarding in your identity provider remove agent access the moment someone leaves.