Edison Watch

Access Control

Manage user roles, server access, and fine-grained element permissions.

Edison Watch provides a layered access control system for deciding which MCP servers, and which tools, resources and prompts on them, each user or role can use.

Core Concepts

Access control is built on three pillars:

  1. Roles: Collections of users assigned a specific label (e.g., "Developer", "Support").
  2. Server Enablement: Controls which MCP servers are available to specific users or roles.
  3. Element Enablement: Fine-grained control over specific tools, resources, or prompts.

Managing Roles

Go to Roles in the navigation bar to manage role assignments.


Assigning Users to Roles

Use the Role Transfer List to assign users:

  1. Select a role from the list or create a custom one.
  2. The Unassigned column shows users not in this role.
  3. Select users and click the Right Arrow to assign them.
  4. To remove, select users in the Assigned column and click the Left Arrow.

Users can belong to multiple roles. Permissions are additive: a user in several roles gets the union of what those roles are allowed.

Server Enablements

Control server access at the organization, role, or user level.

Organization Level

On the Servers page, enabling or disabling a server sets the organization-wide default. That default applies to every user unless a role-level or user-level enablement overrides it.

Fine-Grained Server Access

In the Roles → Server Enablements tab, you can override defaults:

  • Server-to-User View: Select a server to see and change which users/roles have it enabled.
  • User-to-Server View: Select a user/role to see and change which servers are enabled for them.

Element Enablements

To enforce least privilege, you can restrict individual tools, resources, or prompts rather than whole servers (e.g., allowing only certain roles to call delete_file).

Go to Roles → Element Enablements:

  1. Select a server from the sidebar.
  2. Locate the specific tool, resource, or prompt.
  3. Toggle access for specific users or roles.

Policy Rules (CEL)

For complex scenarios, use the Policies tab to define CEL (Common Expression Language) rules.

Rule Structure

  • Scope: Who does this rule apply to? (Global, specific roles, or users).
  • Resource: Which tools/servers does this target?
  • Filter: A CEL expression for precise matching (e.g., tool.args.path.startsWith("/etc/")).
  • Actions: What should happen? (Block, Allow Override, Tag, etc.).

Common Policy Examples

  Scenario                  CEL Expression                                   Action
  Block access to /etc      tool.args.path.startsWith("/etc/")               Block
  Restricted SSH files      tool.args.path.contains(".ssh/")                 Mark Private
  Manager-only deletions    principal.roles.exists(r, r == "manager")        Allow Override

Priority Matters: Rules are evaluated in order of priority, and higher priority rules match first. Allow Override can be used to permit actions that would otherwise be blocked by global policies, so give override rules a narrow Scope and Resource; a broad, high-priority Allow Override also bypasses every lower-priority Block.


Need help with CEL syntax? Use the CEL Expression Reference panel inside the policy editor for a list of available fields and examples.
