[paulirwin]

One thing that MCP solves well, that neither CLI apps (like the `gh` CLI for example) nor letting your LLM call arbitrary APIs via CURL does, is setting granular permissions per tool.

Most agent frontends I've used like Claude Code only give you one level deep of CLI commands to authorize, which works fine for allowing commands like `docker build:*`. But for complex CLIs like GitHub, Azure, etc. it just doesn't scale well. It is absurd to grant Claude Code permission to `az vm:*` when that includes everything from `az vm show` to `az vm delete`. Likewise, the argument that says that you should just let your LLM call APIs directly via curl or whatever, does not hold up well when Claude Code just wants raw access to all of `curl:*`.

Meanwhile, MCP tools are (currently, at least in CC) managed at the individual tool level, which is very convenient for managing granular permissions.

Perhaps there could be some "CTCP" (CLI tool context protocol; the CCP acronym does not work well) where CLI apps could expose their available tools to the LLM, and it could then be dynamically loaded and managed at a granular level. But until then, I'm going to keep using MCP.

[dfcowell]

This is solved by the agent having its own identity and credentials. Why would you share your login and identity with your AI agent?

Access control and permissions should be handled on the backend by enforcing IAM on well-defined principals, not with MCP middleware. Claude can already bypass MCP and call APIs or use CLIs if it runs into blockers using MCP, so it’s not an effective point to implement the control.

[corlinp]

IAM is generally binary (allowed yes/no) whereas MCP usually supports more nuance (always allow/ask if risky/always ask/no)

[darepublic]

You can have agents that serve multiple different users with varying levels if permission

[toomuchtodo]

Anti-pattern imho. Agents should operate within granular identity and permission scopes, with audit and log trails for all data operations (read, write, etc).

Copilot: https://learn.microsoft.com/en-us/entra/agent-id/identity-pl... | https://learn.microsoft.com/en-us/purview/audit-copilot (for example)

TLDR Maintain an identity boundary whenever possible.

[Imustaskforhelp]

can something of a cli utility be made which can deny any request from moving on, let's name this cli b which takes a user level configuration at say ~/.config or have a way to enter it via cli too or within the context of the folder which it is running in

then we can have "b az vm delete test123" be run via these agents but then b checks if az vm delete command itself is allowed or not, and if it finds that its denied then it gives an error: This command isn't allowed to run.

but if something like b az vm create test123 is done, then the command is allowed to run

Someone must have made an utility similar to b, perhaps someone can share the links of things like this, but what are your thoughts on something like this paul? I definitely feel like convenience can be wrapped around something like this rather than continue to use MCP protocol.

[bizzletk]

Something like this? https://github.com/brycehans/toolgate