Teams

Teams let you control who can access which MCP servers and Agent Personas. Instead of managing access user by user, you map your existing SSO groups to teams in the AI Gateway — and access is granted automatically when people log in.

Quick Start: What do you want to do?

| I want to... | Jump to |
| --- | --- |
| Understand how teams work | How It Works |
| Create my first team | Creating a Team |
| Control which MCP servers a team can use | Assigning MCP Servers |
| Control which Agent Personas a team can use | Assigning Agent Personas |
| Set up my IdP to send group claims | Setting Up Your Identity Provider |

How It Works

There are three simple ideas behind teams:

  1. Teams map to your SSO groups. When you create a team, you enter the SSO group names from your identity provider (Microsoft Entra, Google Workspace, Okta, etc.). When a user logs in, the gateway checks their group memberships and automatically puts them in the right teams.

  2. You assign resources to teams. Each team gets access to specific MCP servers and Agent Personas. A user in the "Engineering" team sees only the MCP servers and personas assigned to Engineering.

  3. Unassigned resources are public. If an MCP server or Agent Persona has no teams assigned, every authenticated user can see and use it. You only need teams for resources you want to restrict.

What does this look like in practice?

| What you have | Who sees it |
| --- | --- |
| An MCP server with no teams assigned | Everyone |
| An MCP server assigned to Engineering | Only Engineering team members |
| An MCP server assigned to Engineering and Design | Engineering or Design team members |
| An Agent Persona assigned to Security | Only Security team members |

Admins always see everything. Users with Super Admin, Tenant Admin, Platform Operator, Security Admin, or Network Admin roles bypass team restrictions entirely.
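The rules above can be modelled in a few lines. This is an added example, not the AI Gateway's own code; the team, group and resource names are constructed sample data, and exact, case-sensitive comparison of group names is an assumption.

```python
from dataclasses import dataclass, field

# Roles the page lists as bypassing team restrictions.
ADMIN_ROLES = {"Super Admin", "Tenant Admin", "Platform Operator",
               "Security Admin", "Network Admin"}

# Constructed sample data: team -> SSO group names mapped to it.
TEAM_GROUPS = {
    "Engineering": {"engineering@company.com"},
    "Design": {"design@company.com"},
    "Security": {"infosec@company.com"},
}

# Constructed sample data: resource -> assigned teams (empty set = none).
RESOURCE_TEAMS = {
    "mcp:Slack": set(),
    "mcp:GitLab": {"Engineering"},
    "mcp:Jira": {"Engineering", "Design"},
    "persona:Security Analyst": {"Security"},
}

@dataclass
class User:
    groups: set                                # group claim values from the login token
    roles: set = field(default_factory=set)

def teams_for(user):
    """A user joins every team that lists at least one of their groups.
    Assumption: group names are compared as exact, case-sensitive strings."""
    return {team for team, groups in TEAM_GROUPS.items() if groups & user.groups}

def can_access(user, resource):
    assigned = RESOURCE_TEAMS[resource]
    if user.roles & ADMIN_ROLES:               # admins bypass team restrictions
        return True
    if not assigned:                           # no teams assigned: public
        return True
    return bool(assigned & teams_for(user))    # member of any assigned team

def visible(user):
    """Sorted list of resources the user can see."""
    return sorted(r for r in RESOURCE_TEAMS if can_access(user, r))

engineer = User({"engineering@company.com"})
typo = User({"Engineering@company.com"})       # differs only in case: no team matches
admin = User(set(), {"Security Admin"})
for who in (engineer, typo, admin):
    print(visible(who))
```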


Creating a Team

  1. Go to Access → Teams in the sidebar.
  2. Click Create Team.

A dialog opens with three fields:

| Field | Required | What to enter |
| --- | --- | --- |
| Team Name | Yes | A clear name — e.g., "Engineering", "Sales", "Security Ops" |
| Description | No | What this team is for (helps others understand its purpose) |
| SSO Groups | Yes | The exact group name(s) from your identity provider. Type a name and press Enter to add it. You can add multiple groups — users matching any of them join this team. |

Click Create. The team is live immediately.

Where do I find my SSO group names?

The group name you enter must match exactly what your identity provider sends in the login token. Here's where to look:

| Identity Provider | Where to find group names |
| --- | --- |
| Microsoft Entra ID | Azure Portal → Entra ID → Groups → copy the group's Display Name or Object ID |
| Google Workspace | Google Admin Console → Groups → use the group's email address (e.g., engineering@company.com) |
| Okta | Okta Admin Console → Directory → Groups → use the Group Name |

If you're unsure, ask your IT team which group claim value your IdP sends. See the IdP setup guides for detailed configuration steps.


Assigning MCP Servers

Once a team exists, you decide which MCP servers its members can access. There are two ways to do this:

From the team

  1. Go to Access → Teams.
  2. Click the team name.
  3. Go to the MCP Servers tab.
  4. Click Assign Servers.
  5. Select the MCP servers this team should access.
  6. Click Save.

From the MCP server

  1. Go to MCP Registry.
  2. Click the MCP server.
  3. Go to Settings → Access Control.
  4. Select the teams that should have access.
  5. Click Save.

Both methods do the same thing — pick whichever feels more natural for what you're doing.


Assigning Agent Personas

When creating a persona

In the Create Agent Persona wizard (Step 1: Basic Information), there's a Teams dropdown. Select the teams that should have access. If you leave it empty, the persona is available to everyone.

From the team

  1. Go to Access → Teams.
  2. Click the team name.
  3. Go to the Agent Personas tab.
  4. Click Assign Personas.
  5. Select the personas this team should access.
  6. Click Save.

Tip: When a persona is assigned to multiple teams, only MCP servers that all those teams can access are available for tool selection. This prevents a persona from exposing tools that one of its teams shouldn't see. Public MCP servers (no team assignment) are always available.
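The tool-selection rule in the tip, as an added example (not product code): it returns the servers a persona may draw tools from and, for each excluded server, which of the persona's teams lack access. Server and team names are constructed; a persona with no teams is rejected because the page does not define the rule for that case.

```python
def selectable_servers(persona_teams, server_teams):
    """Return (allowed, blocked).

    allowed: servers every persona team can access, plus public servers.
    blocked: server -> persona teams that are NOT assigned to that server.
    """
    persona_teams = set(persona_teams)
    if not persona_teams:
        raise ValueError("rule is only stated for personas assigned to teams")
    allowed, blocked = set(), {}
    for server, teams in server_teams.items():
        if not teams:                      # public server: always available
            allowed.add(server)
            continue
        missing = persona_teams - teams    # persona teams without access
        if missing:
            blocked[server] = missing
        else:
            allowed.add(server)
    return allowed, blocked

# Constructed sample data: server -> teams assigned to it.
SERVER_TEAMS = {
    "Slack": set(),                        # no team assignment: public
    "Jira": {"Engineering", "Design"},
    "GitLab": {"Engineering"},
    "Splunk": {"Security Ops"},
}

allowed, blocked = selectable_servers({"Engineering", "Design"}, SERVER_TEAMS)
print("allowed:", sorted(allowed))
for server, teams in sorted(blocked.items()):
    print(f"blocked: {server} (no access for: {', '.join(sorted(teams))})")
```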


Managing Teams

Editing a team

  1. Go to Access → Teams.
  2. Click the team name.
  3. Click Edit (pencil icon).
  4. Change the name, description, or SSO group mappings.
  5. Click Save.

Viewing members

Team membership is dynamic — it's determined at login time based on IdP groups. To see who's in a team:

  1. Go to Access → Teams.
  2. Click the team name.
  3. The SSO Mappings tab shows which SSO groups are linked to this team.

When a user's IdP group membership changes (e.g., someone joins the Engineering group in Entra ID), their AI Gateway team membership updates automatically on their next login.

Deleting a team

  1. Go to Access → Teams.
  2. Click the team name.
  3. Click Delete and confirm.

When a team is deleted:

  • Members lose access to resources that were restricted to that team.
  • MCP servers that were only assigned to the deleted team become public again (visible to everyone).
  • The team is removed from any Agent Personas it was assigned to.
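Because a server assigned only to the deleted team becomes public, it helps to list the affected resources before deleting. The check below is an added example, not part of the product; the assignment data is constructed and would come from your own inventory of team assignments.

```python
def deletion_impact(team, server_teams, persona_teams):
    """Summarise what deleting `team` changes, per the rules listed above."""
    only = {team}
    return {
        # assigned to this team alone: visible to everyone afterwards
        "servers_becoming_public": sorted(
            s for s, t in server_teams.items() if t == only),
        # shared with other teams: stays restricted to the remaining teams
        "servers_still_restricted": sorted(
            s for s, t in server_teams.items() if team in t and t != only),
        # the team is removed from these personas
        "personas_losing_team": sorted(
            p for p, t in persona_teams.items() if team in t),
        # subset of the above left with no team at all; review these by hand
        "personas_left_without_team": sorted(
            p for p, t in persona_teams.items() if t == only),
    }

# Constructed sample data: resource -> teams assigned to it.
SERVER_TEAMS = {
    "Jira": {"Project Alpha", "Engineering"},
    "Confluence": {"Project Alpha"},
    "GitLab": {"Engineering"},
    "Slack": set(),
}
PERSONA_TEAMS = {
    "Project Alpha Agent": {"Project Alpha"},
    "DevOps Assistant": {"Engineering"},
}

for key, names in deletion_impact("Project Alpha", SERVER_TEAMS, PERSONA_TEAMS).items():
    print(f"{key}: {names}")
```

Any server listed under `servers_becoming_public` should be reassigned to another team first if it must stay restricted.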

Real-World Examples

Example 1: "Only engineers should access our DevOps tools"

| Setting | Value |
| --- | --- |
| Team Name | Engineering |
| SSO Groups | engineering@company.com |
| Assigned MCP Servers | GitLab, Jira, PagerDuty, Datadog |
| Assigned Personas | DevOps Assistant |

Engineers log in, the gateway sees they're in the engineering@company.com group, and they automatically get access to the DevOps tools and the DevOps Assistant persona. Sales team members don't see any of these.

Example 2: "Sales and marketing need their own CRM tools"

| Setting | Value |
| --- | --- |
| Team Name | Revenue |
| SSO Groups | sales@company.com, marketing@company.com |
| Assigned MCP Servers | Salesforce, HubSpot |
| Assigned Personas | CRM Assistant |

Users in either the sales or marketing SSO group get access. One team, multiple SSO groups.

Example 3: "Security tools should only be available to the InfoSec team"

| Setting | Value |
| --- | --- |
| Team Name | Security Ops |
| SSO Groups | infosec@company.com |
| Assigned MCP Servers | Snyk, Splunk, CrowdStrike |
| Assigned Personas | Security Analyst |

Only InfoSec members see these tools. Even other engineering team members can't access them.

Example 4: "A cross-functional project team needs shared access"

| Setting | Value |
| --- | --- |
| Team Name | Project Alpha |
| SSO Groups | project-alpha@company.com |
| Assigned MCP Servers | Jira, Confluence, Slack |
| Assigned Personas | Project Alpha Agent |

Create a temporary group in your IdP for the project, map it to a team, and assign the relevant resources. When the project ends, delete the team.


Setting Up Your Identity Provider

For teams to work, your identity provider needs to send group claims in the login token. Follow the guide for your provider:

| Provider | Guide |
| --- | --- |
| Microsoft Entra ID (Azure AD) | Configure Entra Group Claims → |
| Google Workspace | Configure Google Workspace Group Claims → |
| Okta | Coming soon |

If your provider isn't listed, the general requirement is: configure your IdP to include a groups claim (or equivalent) in the SAML assertion or OIDC token. Your IT team can usually set this up in a few minutes.


Tips

  • Start with your org chart. Create teams that match your existing departments or project groups. You probably already have SSO groups for these.
  • Keep shared tools public. If everyone in the company needs access to an MCP server (like Slack or Confluence), don't assign it to any team — it stays accessible to all.
  • Use multiple SSO groups per team. You can map several IdP groups to one team. Useful when your org has fine-grained groups but you want broader access in the AI Gateway.
  • Membership is automatic. You don't need to manually add or remove users. When IT adds someone to the SSO group, they join the team on their next login.
  • Test with a non-admin account. Admins bypass all team restrictions, so team-based access won't be visible when you're logged in as an admin. Use a regular user account to verify restrictions work as expected.