Hi,
seeing as the MCP connection provides the same access rights as already configured in pigment, is there a way to limit that on the MCP side?
For example - connecting to claude, the client wants the have the same user rights but no one should have write rights. so Admin would see everything, but won’t be able to change anything (data/structure) from Claude.
thanks
Best answer by Luiza
Hi Karin,
At the moment, the MCP connection doesn’t have its own separate permission layer to “downgrade” access on top of existing Pigment rights. MCP tool calls run as the authenticated user and enforce the same Pigment permissions / Data Access Rights as in the product.
So if a user has write permissions in Pigment, they will also be able to perform write actions via Claude/MCP (subject to the usual Pigment constraints like override-enabled metrics, etc.). There isn’t an “MCP-side” toggle to keep the same user identity but block all writes only when using Claude.
If you need Claude usage to be strictly read‑only, use a dedicated “read-only” role/user for MCP access (or remove write permissions for the relevant roles via Data Access Rights). That way, even admins can still see everything they’re allowed to see, but write actions won’t be permitted because the underlying Pigment rights don’t allow them.
Separately, on Enterprise you can govern which MCP clients (Claude/ChatGPT/etc.) are allowed to connect (allowlist/approval), but that controls client access, not read vs write permissions once connected.
Best,
Luiza
+1Hi Karin,
At the moment, the MCP connection doesn’t have its own separate permission layer to “downgrade” access on top of existing Pigment rights. MCP tool calls run as the authenticated user and enforce the same Pigment permissions / Data Access Rights as in the product.
So if a user has write permissions in Pigment, they will also be able to perform write actions via Claude/MCP (subject to the usual Pigment constraints like override-enabled metrics, etc.). There isn’t an “MCP-side” toggle to keep the same user identity but block all writes only when using Claude.
If you need Claude usage to be strictly read‑only, use a dedicated “read-only” role/user for MCP access (or remove write permissions for the relevant roles via Data Access Rights). That way, even admins can still see everything they’re allowed to see, but write actions won’t be permitted because the underlying Pigment rights don’t allow them.
Separately, on Enterprise you can govern which MCP clients (Claude/ChatGPT/etc.) are allowed to connect (allowlist/approval), but that controls client access, not read vs write permissions once connected.
Best,
Luiza
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
