Edison Watch

Access Control

Manage user roles, server access, and fine-grained element permissions.

Edison Watch provides a flexible access control system to manage what users and roles can do with AI tools.

Core Concepts

Access control is built on three pillars:

  1. Roles: Collections of users assigned a specific label (e.g., "Developer", "Support").
  2. Server Enablement: Controls which MCP servers are available to specific users or roles.
  3. Element Enablement and Permissions: Fine-grained control over specific tools, resources, or prompts.

Managing Roles

Go to Roles in the navigation bar to manage role assignments.


Assigning Users to Roles

Use the Role Transfer List to assign users:

  1. Select a role from the list or create a custom one.
  2. The Unassigned column shows users not in this role.
  3. Select users and click the Right Arrow to assign them.
  4. To remove, select users in the Assigned column and click the Left Arrow.

Users can belong to multiple roles. Permissions are additive.

Server Enablements

Control server access at the organization, role, or user level.


Organization Level

On the Servers page, enabling or disabling a server sets the global default. When a server is disabled globally, it is by default not visible or accessible to any users or roles. This can be overridden at the role or user level (more on that below).


Fine-Grained Server Access

In the Roles → Server Enablements tab, you can override defaults:

  • Server-to-User View: Select a server to see and change which users/roles have it enabled.
  • User-to-Server View: Select a user/role to see and change which servers are enabled for them.

Element Enablements

For maximum security, you can control access to specific tools (e.g., only allowing certain roles to use delete_file).

Go to Roles → Element Enablements:

  1. Select a server from the sidebar.
  2. Locate the specific tool, resource, or prompt.
  3. Toggle access for specific users or roles.

Fine-Grained Element Access

In the Roles → Element Enablements tab, you can override defaults:

  • Server-to-User View: Select a server to see and change which users/roles have it enabled.
  • User-to-Server View: Select a user/role to see and change which servers are enabled for them.

Element Permissions

Fine-grained permissions allow you to control the specific actions that users or roles can perform on specific tools, resources, or prompts.


Element permissions are evaluated in the following order:

  1. User-specific permissions
  2. Role-specific permissions
  3. Global permissions

Role-specific permissions are evaluated based on the roles' priority. The highest priority role's permissions will be used.
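The evaluation order above can be modelled as a small resolver, which is useful when auditing why a given user ends up with a given permission on a tool. This is an added example, not Edison Watch code: the `Policy` structure, the `resolve` function, the "allow"/"deny" values, the `fs/delete_file` naming, and the convention that a larger number means higher priority are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical in-memory model of element permissions (not the product's schema)."""
    global_perms: dict = field(default_factory=dict)   # element -> permission
    role_perms: dict = field(default_factory=dict)     # role -> (priority, {element: permission})
    user_perms: dict = field(default_factory=dict)     # user -> {element: permission}
    memberships: dict = field(default_factory=dict)    # user -> set of role names

def resolve(policy, user, element):
    """Return (permission, source) following the documented order:
    user-specific, then role-specific (highest priority role wins), then global."""
    user_rules = policy.user_perms.get(user, {})
    if element in user_rules:
        return user_rules[element], f"user:{user}"

    # Collect only roles that actually define a permission for this element.
    candidates = []
    for role in policy.memberships.get(user, ()):
        priority, perms = policy.role_perms.get(role, (0, {}))
        if element in perms:
            candidates.append((priority, role, perms[element]))
    if candidates:
        # Assumption: larger number = higher priority; ties broken by role name
        # so the result is deterministic.
        _, role, perm = max(candidates, key=lambda c: (c[0], c[1]))
        return perm, f"role:{role}"

    if element in policy.global_perms:
        return policy.global_perms[element], "global"
    # Nothing configured at any level; the page does not state a default.
    return None, "unset"

# Constructed sample data for the example.
POLICY = Policy(
    global_perms={"fs/delete_file": "deny", "fs/read_file": "allow"},
    role_perms={
        "Developer": (10, {"fs/delete_file": "allow"}),
        "Support": (20, {"fs/delete_file": "deny"}),
    },
    user_perms={"carol": {"fs/delete_file": "allow"}},
    memberships={
        "alice": {"Developer"},
        "bob": {"Developer", "Support"},
        "carol": {"Support"},
        "dave": set(),
    },
)

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, resolve(POLICY, name, "fs/delete_file"))
```

Returning the source alongside the permission makes it easy to spot user-level overrides, such as the constructed `carol` entry, that bypass a more restrictive role.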

In the Roles → Element Permissions tab, you can override defaults:

  • Server-to-User View: Select a server to see and change which users/roles have it enabled.
  • User-to-Server View: Select a user/role to see and change which servers are enabled for them.

Need more advanced control? See Policy Rules (CEL) for building complex logic based on tool arguments and user identity.
