---
title: How To Customize Tool Access Using Roles in Database Tools MCP Servers
slug: how-to-customize-tools-using-roles-in-database-tools-mcp-servers
date: 2026-05-27T18:34:52-05:00
author: Justin Biard
tags:
  - oci
  - dbtools
  - mcp
description: The Database Tools MCP server supports role-based access control for tools which allows for users or groups to be granted access to only specific MCP tools. In this example we will look at one way to configure tools with IDCS application roles and what the end-user might see once configured.
draft: false
---
In this post, I look at using IDCS application roles to restrict access to model context protocol (MCP) tools created using the Oracle Cloud Infrastructure (OCI) Database Tools MCP server. Role configuration must be completed in two places, and we will look at both in this post. I will also show the practical impact for end users of your MCP servers.

## IDCS Background Information

A Database Tools MCP server is integrated with an IDCS domain in OCI. If you are already familiar with the concepts, feel free to skip ahead a little. One thing that happens when you create a new Database Tools MCP server is that an "Oracle cloud service" is registered in the chosen IDCS domain. 

For example, here I navigated to:

- `Identity & Security` > `Domains` > `[some domain]` > `Oracle cloud services`

![](https://icodealot.com/img/fbf65338/idcs-cloud-services-mcp-server.png)
*Example of IDCS Oracle cloud services for an MCP server.*

If you don't have an MCP server created yet, you can get started by following along with this tutorial:

- https://docs.oracle.com/en-us/iaas/database-tools/doc/tutorial.html

It is important to understand that a domain allows IDCS domain administrators to define groups and users that *may* be granted application roles for a given Oracle cloud service. In our case, the "cloud service" happens to be an MCP server, as shown above.

Here I show the application roles for the MCP server used in this demo.

![](https://icodealot.com/img/fbf65338/idcs-application-roles.png)
*Example of built-in and custom IDCS application roles.*

I see three built-in roles created by the Database Tools MCP server (`MCP_Administrator`, `MCP_Operator`, and `MCP_User`), and I see two custom roles created when the MCP server was configured, namely `MCP_Finance_Users` and `MCP_HR_Users`. 

> I will use these custom roles to demonstrate the effect of granting specific roles access to specific tools in the sections below.

For the purpose of this demo, I also created one domain user for each role, so that each role is granted to a separate user.

> Note, application roles in IDCS can be assigned at the user or group level. Given the roles in the screenshot above, if you click on the ellipsis next to a role you can "manage users" or "manage groups".

Here is an example of the users assigned to the `MCP_HR_Users` role in an IDCS domain. Notice that a "Demo Finance" user is not listed, only the "Demo HR" user and some other administrator.

![](https://icodealot.com/img/fbf65338/idcs-domain-assigned-roles.png)
*Example of users assigned to an IDCS application role.*

## MCP Server Role Configuration

To create custom roles for a Database Tools MCP server that can later be assigned in your IDCS domain, navigate to:

- `Developer Services` > `Model Context Protocol Servers` > `[mcp server]` > `Roles` > `Add custom roles`

A dialogue will open to allow you to create a new IDCS application role for your MCP server (i.e. the Oracle cloud service bits described above). You must enter a name and a description for the role. In this example I configured only two custom roles which were then added to my IDCS domain.

![](https://icodealot.com/img/fbf65338/mcp-demo-custom-roles.png)
*Example of Database Tools MCP server custom roles.*

## MCP Toolset Configuration

A Database Tools MCP toolset allows MCP administrators to define the core functionality of a given MCP server. For this example I created a "Customizable reporting tools" toolset.

![](https://icodealot.com/img/fbf65338/mcp-demo-toolset-top-level.png)
*Example of a "Customizable reporting tools" toolset.*

Notice I granted both roles (`MCP_Finance_Users` and `MCP_HR_Users`) access to the **built-in tools**. This means when a user in my domain configures the MCP server, their MCP client (Codex, Claude, Cline, etc.) can call these built-in tools: `report_list`, `report_sql`, or `report_execute`. For more information on the built-in tools, check out the documentation:

- https://docs.oracle.com/en-us/iaas/database-tools/doc/prebuilt-and-custom-tools.html

## IDCS Role to Tool Configuration

Now for the fun part! 

The fine-grained IDCS role to MCP tool assignment will happen at the SQL report level. At a high level, we grant different roles access to different SQL reports (tools). I created five SQL reports appropriate for different departments. I then assigned Finance roles access to some reports and HR roles access to others.

![](https://icodealot.com/img/fbf65338/mcp-tool-roles-example.png)
*Example of roles assigned to specific SQL reports in a toolset.*

Keep in mind this is what the MCP administrator will see in the OCI console. The end user of an MCP server need only know how to configure the MCP server. The rest will be transparent.

So how do we actually assign roles to a specific SQL report? There are generally two ways to accomplish this task. 

First, when adding a new SQL report to a toolset, the administrator is able to select which IDCS application roles are allowed to use a given SQL report.

![](https://icodealot.com/img/fbf65338/mcp-new-sqlreport-roles-example.png)
*Example of selecting roles for a new SQL report in a toolset.*

Alternatively, an MCP administrator can `Edit` an existing toolset to add or remove IDCS roles for a given SQL report (or custom tool).

![](https://icodealot.com/img/fbf65338/mcp-edit-toolset-roles.png)
*Example of editing an MCP toolset to modify the assigned roles.*

The effect of this role assignment is that a user who holds the given role in IDCS will see (and be authorized to use) a different set of SQL reporting tools when calling the MCP server.

## The Final Result

Given everything we have learned up to this point:

- A Database Tools MCP server is configured with custom roles for an IDCS domain
- The IDCS domain has users or groups assigned to various roles in `Oracle cloud services` > `[mcp application]` > `Application Roles` 
- A toolset has SQL reports (or custom tools) configured to allow different IDCS roles
 
The end user of our MCP server will have a role-based experience.

> Note, it is possible, but not necessary, to create multiple MCP servers or multiple toolsets to achieve this separation of concerns. However, I find the IDCS role-based solution to be a bit more elegant and flexible overall.

When a finance user configures the MCP server, they may ask their MCP client (Codex, Claude, etc.) something like "which reports can I run?" 

The LLM ***should*** call the built-in MCP tool to list the available reports, which would be customized given the user's assigned IDCS roles.

![](https://icodealot.com/img/fbf65338/mcp-demo-finance-user-list-reports.png)
*Example of a user with MCP_Finance_Users IDCS role using a toolset.*

And what about the HR user, you ask? Well, here you go:

![](https://icodealot.com/img/fbf65338/mcp-demo-hr-user-list-reports.png)
*Example of a user with MCP_HR_Users IDCS role using a toolset.*

Ah, very cool. Each user has access to a role-based list of SQL reports (or tools) using the exact same MCP server and the exact same toolset. Success!
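The role checks described above can be modeled in a few lines to review a configuration before handing it to users. This is an added example, not Oracle's implementation or code from the original post: the report names, user names, data layout, and the assumption that a user needs both a built-in tool role and a per-report role are all constructed for illustration.

```python
# Constructed sample data mirroring the post's setup (names are hypothetical).
SERVER_ROLES = {"MCP_Administrator", "MCP_Operator", "MCP_User",
                "MCP_Finance_Users", "MCP_HR_Users"}
IDCS_ASSIGNMENTS = {  # application role -> users holding it (directly or via a group)
    "MCP_Finance_Users": {"demo.finance"},
    "MCP_HR_Users": {"demo.hr"},
}
TOOLSET = {
    "builtin_tool_roles": {"MCP_Finance_Users", "MCP_HR_Users"},
    "reports": {  # SQL report -> roles allowed to use it
        "quarterly_budget": {"MCP_Finance_Users"},
        "open_invoices": {"MCP_Finance_Users"},
        "department_details": {"MCP_HR_Users"},
        "headcount_by_department": {"MCP_HR_Users"},
        "salary_bands": {"MCP_HR_Users"},
    },
}

def roles_of(user):
    """Application roles a user holds according to the IDCS assignments."""
    return {role for role, users in IDCS_ASSIGNMENTS.items() if user in users}

def visible_reports(user, toolset=TOOLSET):
    """Assumed rule: a built-in tool role AND a role on the report are both needed."""
    roles = roles_of(user)
    if not roles & toolset["builtin_tool_roles"]:
        return []
    return sorted(n for n, allowed in toolset["reports"].items() if roles & allowed)

def can_execute(user, report, toolset=TOOLSET):
    """Check at call time as well; a filtered listing alone is not authorization."""
    return report in visible_reports(user, toolset)

def audit(toolset=TOOLSET):
    """Cross-check the three places roles are configured and report gaps."""
    findings = []
    for name, allowed in toolset["reports"].items():
        if not allowed:  # behaviour for an empty role list is not covered in the post
            findings.append((name, "no roles assigned; review"))
        for role in sorted(allowed):
            if role not in SERVER_ROLES:
                findings.append((name, f"{role} is not defined on the MCP server"))
            elif not IDCS_ASSIGNMENTS.get(role):
                findings.append((name, f"{role} has no users or groups in IDCS"))
            elif role not in toolset["builtin_tool_roles"]:
                findings.append((name, f"{role} lacks built-in tool access"))
    return findings
```

An empty `audit()` result means every role referenced by a report exists on the server, has at least one assignee in IDCS, and can reach the built-in tools.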

Finally, maybe just a quick plug for the customizable SQL reporting tools, here is a preview of a report in action. The HR user asked the LLM to "get the details for Information Technology". In response, the LLM figured out which SQL report to run, what parameters are supported, and then passed the department as input to the report to be executed.

![](https://icodealot.com/img/fbf65338/mcp-demo-running-report.png)
*Example of an LLM running a parameterized SQL report.*

And that is all I wanted to show off in this post. Thank you for reading and following along. I hope you find this to be useful as you continue your exploration of the Database Tools MCP server.

> **Note, all of the above was achieved using an always-free tenancy in OCI at the time of this writing.** I encourage you to sign up for an account if you don't already have one so you can begin exploring the Database Tools features in OCI.

Until next time... Cheers!