Skip to main content

How to configure role permissions

AI Copilot uses Magento's role-based access control (ACL) to determine which tools each admin user can access. You can also configure per-role restrictions for the Database Reader tool.

Tool permissions

  1. Navigate to System -> Permissions -> User Roles and click on a role.

  2. Open the Role Resources tab.

  3. Expand the MCP Tools section.

  4. Enable or disable individual tools:

    • MCP Tools
      • Built in
        • System
          • Store Info — access to store configuration data
          • GraphQL Query — execute GraphQL queries and mutations
          • Database Reader — execute read-only SQL queries
          • REST API — call Magento REST API endpoints

  5. Click Save Role.

note

Copilot can only use tools that are enabled for the logged-in admin user's role. If a tool is disabled in the role, Copilot will not be able to use it.

REST API endpoint permissions

The REST API tool requires two levels of permissions:

  1. The MCP Tools -> Built in -> System -> REST API resource must be enabled (gives access to the tool itself).
  2. Each REST API endpoint is protected by its own Magento ACL resource. For example, to allow Copilot to manage products via REST API, the role needs both the REST API tool permission and the Catalog -> Inventory -> Products resource.

Database Reader restrictions per role

In addition to ACL-based tool access, you can configure per-role restrictions for which database tables the Database Reader tool can access.

  1. Navigate to System -> Permissions -> User Roles and click on a role.

  2. Open the MCP Info tab.

  3. Configure the Database Reader Security section:

    • Access mode:

      • Use Global Settings: inherits the access mode from global configuration
      • Blacklist: tables matching the patterns are blocked for this role
      • Whitelist: only tables matching the patterns are accessible for this role

    • Table patterns: one pattern per line. Use * as a wildcard. These patterns are applied in addition to global settings.

  4. Click Save Role.

How global and role patterns combine

Both global and role-specific patterns are enforced. Role patterns add restrictions on top of global settings — they cannot grant access to tables blocked by global configuration.

Example:

  • Global setting: whitelist mode with sales_*, catalog_*
  • Role setting: whitelist mode with sales_order

Result: the user with this role can only access the sales_order table. Even though the global whitelist allows all sales_* and catalog_* tables, the role whitelist further restricts access to just sales_order.