Roles & Access Control
5 min read
MCP Hub implements a Role-Based Access Control (RBAC) model that governs who can perform which actions across the platform. The system operates at three independent levels: user plans, organization roles, and platform roles.
RBAC Architecture
MCP Hub has three independent systems of access control:
1. User Plans (Individual Level)
Every registered user has a plan that determines their feature access:
| Plan | Key Capabilities |
|---|---|
| Free | Public catalog, basic scoring, 5 public MCPs, 30 downloads/min |
| PRO | Private repos, full analysis, API access, 50 MCPs, 300 downloads/min |
| Enterprise | Organizations, RBAC, policies, unlimited everything |
2. Organization Roles (Team Level)
Within an Enterprise organization, each member has a role that determines their permissions for organization resources:
| Role | Level | Description |
|---|---|---|
| Owner | 40 | Full control including billing and deletion |
| Admin | 30 | Full management except billing and org deletion |
| Member | 20 | Day-to-day operations, publish and update MCPs |
| Viewer | 10 | Read-only access to organization resources |
3. Platform Roles (System Level)
Platform administrators have system-wide privileges independent of organization membership:
| Role | Description |
|---|---|
| Platform Admin | Full platform administration across all organizations |
| Moderator | Content moderation capabilities (planned) |
Organization Roles in Detail
Owner
The Owner is the creator of the organization and has unrestricted access. There can be only one Owner per organization.
Capabilities:
- All Admin capabilities, plus:
- Delete the organization
- Manage billing and subscription plan
- Transfer ownership to another member
- Assign or revoke the Admin role
Restrictions: The Owner cannot be removed by anyone other than themselves (via ownership transfer).
Admin
Admins handle the operational management of the organization, including member management, policy configuration, and security oversight.
Capabilities:
- Invite and remove members
- Change member roles (up to Member level; cannot assign Owner)
- Create, update, and delete governance policies
- Create and revoke service tokens for CI/CD
- View complete audit logs
- Generate PDF compliance reports
- Configure SSO settings
- Manage organization settings
Restrictions: Cannot delete the organization, manage billing, or change the Owner’s role.
Member
Members are the active contributors who publish and maintain MCP servers within the organization.
Capabilities:
- Publish MCPs under the organization namespace
- Update their own MCPs
- Download any MCP in the organization (not subject to allow/deny policies)
- View security snapshots and version details
- Export MCP data (JSON/CSV)
- View organization policies and members
Restrictions: Cannot manage policies, invite members, change roles, create service tokens, or view audit logs.
Viewer
Viewers have read-only access, suitable for stakeholders, external auditors, and compliance reviewers.
Capabilities:
- View MCPs in the organization
- View configured policies
- View organization members
- Download MCPs that are allowed by governance policies
- View compliance reports and usage statistics
Restrictions: Cannot publish MCPs, modify any settings, export data, or view audit logs. Downloads are subject to active governance policies.
Permissions Matrix
Organization-Level Permissions
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View MCPs | Yes | Yes | Yes | Yes |
| Publish MCPs | Yes | Yes | Yes | No |
| Download MCPs | Yes | Yes | Yes | Policy-gated |
| Export data | Yes | Yes | Yes | No |
| View policies | Yes | Yes | Yes | Yes |
| Create/edit policies | Yes | Yes | No | No |
| View members | Yes | Yes | Yes | Yes |
| Invite members | Yes | Yes | No | No |
| Remove members | Yes | Yes | No | No |
| Change member roles | Yes | Partial | No | No |
| View service tokens | Yes | Yes | Yes | No |
| Create service tokens | Yes | Yes | No | No |
| Revoke service tokens | Yes | Yes | No | No |
| View audit logs | Yes | Yes | No | No |
| Generate PDF reports | Yes | Yes | No | No |
| Configure SSO | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
Plan-Level Permissions
| Feature | Free | PRO | Enterprise |
|---|---|---|---|
| Public MCPs | 5 | 50 | Unlimited |
| Private MCPs | 0 | 20 | Unlimited |
| Downloads/min | 30 | 300 | Unlimited |
| Watchlist items | 10 | 100 | Unlimited |
| Registry tokens | 3 | 10 | Unlimited |
| Export JSON/CSV | No | Yes | Yes |
| REST API access | No | Yes | Yes |
| Create organizations | No | No | Yes |
| Governance policies | No | No | Yes |
| CI/CD gating | No | No | Yes |
| PDF reports | No | No | Yes |
| Dedicated subdomain | No | No | Yes |
| Audit logging | No | No | Yes |
| SSO integration | No | No | Yes |
Role Hierarchy Rules
Role assignment follows a strict hierarchy:
- You can only assign roles below your level: An Admin can assign Member or Viewer, but not Owner or Admin.
- You can only modify users below your level: An Admin cannot change another Admin’s role.
- You cannot remove users at or above your level: A Member cannot remove another Member.
- The Owner is protected: Only the Owner can transfer ownership, and nobody can remove the Owner.
Area Roles
Within Enterprise organizations, areas (namespaces) have their own independent role system. See Areas & Namespaces for details.
Key points about area roles:
- Area roles are independent of organization roles.
- An organization Member can be an area Owner.
- Organization Owners and Admins have implicit access to all areas.
- Area roles control access to MCPs assigned to that area.
Platform Administration
Platform administrators are configured via the ADMIN_USERS environment variable – a comma-separated list of email addresses:
ADMIN_USERS=[email protected],[email protected]
Platform admin status is automatically assigned when the user logs in. Platform roles are orthogonal to organization roles: a platform admin can also be an organization Member.
Platform admins can:
- View and manage all users across the platform
- Suspend and activate user accounts
- Change user plans
- View and manage all organizations
- Suspend and delete organizations
- View all MCPs (public and private)
- Delete MCPs that violate terms of service
- Feature MCPs in the public catalog
- View global audit logs and platform statistics
Platform admins cannot:
- Access Stripe billing details directly (billing is managed through Stripe)
- Modify MCP source code
- View user passwords or raw tokens
- Impersonate users
Configuring Access
Inviting Members
Organization Owners and Admins invite new members by email:
POST /api/v1/orgs/{orgId}/users/invite
{
"email": "[email protected]",
"role": "MEMBER"
}
Invitations expire after 7 days.
Changing Roles
Owners and Admins can modify member roles:
PATCH /api/v1/orgs/{orgId}/members/{userId}/role
{
"role": "ADMIN"
}
Creating Service Tokens
For CI/CD integration, create scoped service tokens:
POST /api/v1/orgs/{orgId}/tokens
{
"name": "GitHub Actions Token",
"scopes": ["read:org:acme", "ci:org:acme"],
"expires_in_days": 365
}
Service tokens support fine-grained scopes: read:public, read:org:*, ci:org:*, admin:org:*.
Audit Trail
All access control operations are recorded in the organization audit log:
member.invited– A new member was invitedmember.joined– An invitation was acceptedmember.removed– A member was removedmember.role_changed– A member’s role was modifiedtoken.created– A new service token was createdtoken.revoked– A service token was revoked
These events include the actor (who performed the action), the target (who was affected), timestamp, and IP address.