-
Notifications
You must be signed in to change notification settings - Fork 16
mcp_manage_role
PhuocLe edited this page Jun 20, 2026
·
3 revisions
| Field | Value |
|---|---|
| Tool name | manage_role |
| MCP title | Manage security roles |
| Category | standard |
| Implementation | DynamicsCrm.DevKit.Cli/Mcp/Tools/ManageRoleTool.cs |
| Estimated token count | ~497 tokens (tools/list tool JSON, o200k_base, measured 2026-06-18) |
| Last verified | 2026-06-18 |
Security roles — list/detail/user/assign/unassign/create/update/delete/copy.
- list: optional role_name, business_unit_id, max_records
- detail: role_id OR role_name (+optional entity_name) → privileges grouped by entity. Resolves role name first (fuzzy), then GUID fallback.
- user: user_id (+optional entity_name) → user's roles + effective privileges
- assign / unassign: role_id + user_id
- create: role_name (+optional business_unit_id)
- update: role_id + role_name (rename)
- delete: role_id (irreversible; managed roles can't delete — use copy)
- copy: role_id + role_name (clone with all privileges)
Depth: User < BU < Parent:ChildBU < Org. Only root roles listed (not BU-inherited copies). Fuzzy on role_name: 0/multi → tool returns disambiguation list and stops; AI must ask user. 1 → auto.
WHEN TO USE:
- Debug 'access denied' (action='user' + entity_name)
- Audit role privileges (action='detail')
- Provision access (assign/unassign or create/copy)
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
action |
string |
Yes | - |
list, detail, user, assign, unassign, create, update, delete, copy. |
user_id |
string |
No | "" |
Email or GUID. Required: user/assign/unassign. |
role_id |
string |
No | "" |
Role GUID. For detail only, this may also be a role name; if empty, role_name is used. Required: detail/assign/unassign/update/delete/copy. |
role_name |
string |
No | "" |
list: filter (contains). detail: role display name when role_id is empty. create/update/copy: new name. |
business_unit_id |
string |
No | "" |
BU GUID. list: filter. create: target BU (empty = root). |
entity_name |
string |
No | "" |
detail/user: filter privileges by entity Display Name or logical name. |
max_records |
integer |
No | 50 |
list only. Max 250. |
{
"type": "object",
"properties": {
"action": {
"type": "string",
"description": "list, detail, user, assign, unassign, create, update, delete, copy."
},
"user_id": {
"type": "string",
"description": "Email or GUID. Required: user/assign/unassign.",
"default": ""
},
"role_id": {
"type": "string",
"description": "Role GUID. For detail only, this may also be a role name; if empty, role_name is used. Required: detail/assign/unassign/update/delete/copy.",
"default": ""
},
"role_name": {
"type": "string",
"description": "list: filter (contains). detail: role display name when role_id is empty. create/update/copy: new name.",
"default": ""
},
"business_unit_id": {
"type": "string",
"description": "BU GUID. list: filter. create: target BU (empty = root).",
"default": ""
},
"entity_name": {
"type": "string",
"description": "detail/user: filter privileges by entity Display Name or logical name.",
"default": ""
},
"max_records": {
"type": "integer",
"description": "list only. Max 250.",
"default": 50
}
},
"required": [
"action"
]
}This tool does not require any MCP resources.
- Debug 'access denied' (action='user' + entity_name)
- Audit role privileges (action='detail')
- Provision access (assign/unassign or create/copy)
- Use the exact MCP description and parameter schema above as the authoritative contract.
{
"action": "string"
}Returns CallToolResult from the MCP server. The response content and structured fields follow the tool implementation and model returned by ManageRoleTool.manage_role.
- "Show effective privileges for this user on the Account table."
- "Copy this security role to a new role name and preserve all privileges."
- "Assign this role to the user by email and confirm the assignment."