Control who can use which agents, tools, and providers

Sign in with company SSO, set policies per user and group, and let agents act on real identity across Portals and Magic MCP.

Permissions that narrow access

Govern what people and agents can do

A person's identity follows their agent at every step. From the moment they sign in, that identity decides which tools and providers the agent can reach and carries through to every call it makes.

  1. Sign in with SSO

    People sign in through your identity provider using SSO and SAML. Every agent starts from a real account instead of a shared login.

  2. Policy starts with identity

    The signed-in user defines the access boundary for every agent. From there, policies can narrow what a specific agent may use by tool, provider, action, or session.

  3. Define access per agent

    Each agent gets a distinct identity and its own allowed actions. Agent identification lets you restrict one agent without changing what the person or other agents can do.

  4. Easy access, no tokens

    Agents connect to providers through tokenless auth and provider SSO. Work gets done without anyone sharing or storing long-lived keys.

What you control

Access controls built for agent workflows

Manage users, groups, and service accounts together, including inside Portals. Security and IT keep control without slowing teams down.

SSO and SAML

People sign in through the identity provider your company already uses. Agent access follows existing accounts and offboarding.

  • SSO and SAML sign-in
  • Tied to your identity provider
  • Access follows real accounts

Policies and access control

Per-user and per-group access policies decide which agents, tools, and providers each person can reach, managed centrally for the whole team.

Tokenless auth and provider SSO

Agents reach providers without shared credentials, and the identity behind each agent carries through every call.

One access layer behind every connection

Portals and Magic MCP are how people connect agents. Access Control is the layer underneath both, deciding who reaches what.

  1. Portals only shows what people can use

    Portals shows each person only the integrations and skills their policies allow.

  2. Magic MCP runs on the real identity

    Every Magic MCP call runs on the user behind it and reaches only the tools their policies allow.

  3. One place to manage it all

    Change a policy once and it applies everywhere: Portals, Magic MCP, and the API.

What you can scope

Access defined across who, what, and how

Control who can connect, which systems they reach, and what each agent is allowed to do.

  1. Who

    Users, groups, and service accounts

    Manage people, the groups imported from your identity provider, and the service accounts agents run as, all governed the same way. Non-human access is never an exception.

  2. What

    Agents, tools, and providers

    Decide which agents can access Metorial, which tools and actions those agents can call, and which providers they can reach. Allow a provider while still blocking specific tools.

  3. How

    Per-agent limits and instant revocation

    Cap what any single agent can do, revoke access at any time, and let offboarding in your identity provider remove agent access the moment someone leaves.

Give every team governed access to AI

See how Access Control lets security and IT approve broad AI access while permissions, identity, and credentials stay controlled centrally across Portals, Magic MCP, and the API. Book a demo or get started today.

Frequently asked questions

Common questions about Access Control.

  1. How does Metorial control who can use an agent?
    Metorial applies access policies across users and groups. You decide which agents, tools, and providers each person can reach from one place.
  2. Yes. People sign in through your existing identity provider with SSO and SAML. Agent access follows the accounts your team already uses.
  3. Yes. With identity delegation and agent identification, each agent acts with the identity of the person behind it and never exceeds what that person is allowed to do.
  4. Tokenless auth and provider SSO let agents connect to providers without anyone sharing or storing long-lived keys.
  5. Yes. Manage users, groups, and service accounts together, including inside Portals. Non-human access is governed the same way as people.
  6. Portals is the workforce surface that runs on access control. Each person only sees and connects the integrations and skills their policies allow. The catalog they get is already scoped to what they can use.
  7. Every call through the Magic MCP URL runs on the real identity of the person behind it. Policies decide which tools and providers that link can reach, and an agent can never do more than the person can.

Explore Access Control

See what Access Control can do, in detail.

Policies + Access Control

Governance

Metorial gives you granular, role-based access control over users, agents, and admins, with policies across skills, integrations, and agents, built on your existing identity.

SAML

Identity

SAML lets your people sign in once with your identity provider and access the MCP servers and skills their role allows, fully integrated with Metorial's access control.

Tokenless Auth

Identity

Tokenless auth lets agents and people reach integrations based on identity instead of API keys. There are no secrets to share, rotate, or leak.

SSO for Providers

Identity

SSO for providers lets people reach all the integrations and skills they're allowed to use with one login, without importing tokens or configuration for each one.

Identity + Delegation

Identity

Metorial ties every agent action back to the agent and the person who delegated its access. You can always see who did what on whose behalf, with every grant logged and reversible.

Agent Identification

Identity

Metorial gives each AI agent a unique identity. Every action ties back to a specific agent and the user behind it, and access can be controlled per agent and per session.

Service Accounts

Identity

Service accounts give scripts, pipelines, and backend systems their own governed identity in Metorial, scoped to the right project or environment and fully logged.

Magic MCP Server

Connectivity

Metorial automatically creates a Magic MCP server for each person: a virtual MCP endpoint they paste into their agent. They sign in with SSO once and reach every tool they're allowed to use, with no tokens, no secrets, and no config to manage.