Platform
ScaiWave ScaiGrid ScaiCore ScaiBot ScaiDrive ScaiKey Models Tools & Services
Solutions
Organisations Developers Internet Service Providers Managed Service Providers AI-in-a-Box
Resources
Support Documentation Blog Downloads
Company
About Research Careers Investment Opportunities Contact
Log in

Permissions

ScaiLink declares seven module-permission keys. Four cover the desktop bridge; three cover the cloud MCP registry and are default-deny for non-admin roles so tenant admins can scope the feature explicitly.

Permission keys#

Key What it grants
scailink:view See ScaiLink dashboard, list sessions and capabilities, view the cloud registry.
scailink:invoke Invoke tools, read resources, and get prompts on connected desktop clients.
scailink:manage Manage session policies, list every active session in the tenant.
scailink:audit Read the audit log (tenant-wide and per-user).
scailink:remote.use Discover and invoke tools from registered cloud MCP servers. Without it, the caller sees nothing in the cloud registry.
scailink:remote.manage_own Register, rotate, and delete personal cloud MCP servers.
scailink:remote.manage_tenant Register, edit, and delete tenant-shared cloud MCP servers.

Default role mapping#

The built-in admin roles auto-grant every ScaiLink permission via ScaiGrid's module-permission catch-all in CurrentUser.has_module_permission:

Role Auto-grants
super_admin All of the above.
partner_admin All of the above for tenants under the partner.
tenant_admin All of the above for the tenant.
tenant_user None by default.
tenant_viewer None by default.

The cloud registry is deliberately default-deny for tenant_user and tenant_viewer — the feature stores third-party credentials and bills outbound traffic, so opt-in via custom roles is the right posture.

Enabling cloud MCP for a group#

Tenant admins enable the feature for a subset of users by creating a custom role and assigning it to a group.

bash
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
curl -X POST "$SCAIGRID_HOST/v1/iam/custom-roles" \
  -H "Authorization: Bearer $SCAIGRID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Cloud MCP user",
    "module_permissions": [
      "scailink:view",
      "scailink:remote.use",
      "scailink:remote.manage_own"
    ]
  }'

Map a group to that role through the existing group-roles UI. Group members can now register personal servers and invoke registered tools.

To restrict tenant-shared registration to a single sysadmin, grant scailink:remote.manage_tenant directly via the user-module-permissions surface — leave the custom role at use + manage_own for everyone else. To revoke cloud MCP for a group, drop the keys from their effective role.

Audit#

Every permission-gated call is logged with actor_user_id, action, target_name, status, and duration_ms. ScaiGrid's standard audit log query supports filtering by module=scailink:

bash
1
2
curl "$SCAIGRID_HOST/v1/audit/events?module=scailink&since=2026-05-01" \
  -H "Authorization: Bearer $SCAIGRID_API_KEY"

The module's own audit endpoints (GET /v1/modules/scailink/audit, GET /v1/modules/scailink/users/{id}/audit) expose the same events filtered to ScaiLink-specific actions plus detail-level controls inherited from the desktop client's session_init settings.

Updated 2026-05-18 15:01:30 View source (.md) rev 12