
Governance & RBAC

Role-based tool access, audit logging, tool classification, factory roles

Overview

The Governance system provides role-based access control (RBAC) for all MCP tool calls. Every tool invocation is classified by sensitivity, checked against the user's factory role, and logged in an immutable audit trail.

This ensures that operators on the shop floor can only access tools appropriate to their role, while planners and quality engineers get broader access to analytical and management tools.

Factory Roles

Six predefined roles map to common manufacturing organizational structures:

Operator

Shop floor access: machine status, BDE entry, basic OEE queries

Meister

Shift lead access: production overview, quality alerts, tool management

Planner

Planning access: orders, scheduling, capacity, material management

Quality Engineer

Quality access: defect analysis, SPC, audit data, CAPA management

Admin

System administration: user management, configuration, system health

Full Access

Unrestricted access to all tools. Intended for development and demo environments only; it should not be assigned to production users.

Tool Categories

Tools are organized into functional categories that map to manufacturing domains:

  • ERP — Production orders, customers, deliveries, BOM
  • OEE — Machine performance, availability, quality metrics
  • QMS — Defect reports, inspections, audits, CAPA
  • TMS — Tool management, lifecycle, wear tracking
  • KG — Knowledge Graph queries, impact analysis, chart generation
  • UNS — Unified Namespace MQTT topics, live machine data
  • History — Time-series queries, trend analysis, anomaly detection
  • Maintenance — Work orders, preventive schedules, spare parts

Tool Classification

Every tool is automatically classified by the governance agent with a sensitivity level:

  • low: Read-only queries, status checks, dashboard data
  • medium: Analytical tools, report generation, data export
  • high: Write operations, configuration changes, order modifications
  • critical: System administration, user management, destructive operations
Info
Tool classifications are auto-generated by the governance agent based on tool descriptions and parameters. Admins can override classifications in the Admin UI.

Audit Log

Every MCP tool call is logged with full context for compliance and debugging:

  • User — Authenticated user identity and assigned role
  • Timestamp — ISO 8601 timestamp of the tool invocation
  • Tool — Tool name, category, and sensitivity level
  • Parameters — Full input parameters (sensitive fields redacted)
  • Result — Success/failure status, execution time, error details
  • Decision — Whether access was granted or denied, and the matching rule
// Example audit log entry
{
  role: 'Meister',
  tool: 'factory_get_customer_orders',
  category: 'ERP',
  sensitivity: 'low',
  decision: 'ALLOW',
  duration_ms: 42,
  timestamp: '2026-03-19T08:15:23Z'
}
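The classify-check-log flow described in the Overview, Tool Classification and Audit Log sections, written out as an added example. This is not the project's code: the role policies (allowed categories plus a sensitivity ceiling), the tool catalogue, the redaction pattern and the tool name factory_update_order_priority are all assumptions made for illustration; only factory_get_customer_orders and the field names come from this page. The gate fails closed (unknown role or unclassified tool is a DENY), records the matching rule, and redacts secret-looking parameters before they reach the log.

```javascript
// Added example, not the project's own code. Policies, catalogue and sample
// calls below are constructed for illustration.

// Sensitivity levels in ascending order; a role's ceiling is the highest
// level it may invoke within its allowed categories.
const LEVELS = ['low', 'medium', 'high', 'critical'];
const rank = (level) => LEVELS.indexOf(level);

// Hypothetical role policies: allowed tool categories and a sensitivity
// ceiling per role. '*' grants every category.
const ROLE_POLICIES = {
  Operator:           { categories: ['OEE', 'UNS'],                       maxSensitivity: 'low' },
  Meister:            { categories: ['OEE', 'UNS', 'QMS', 'TMS', 'ERP'],  maxSensitivity: 'medium' },
  Planner:            { categories: ['ERP', 'KG', 'History'],             maxSensitivity: 'high' },
  'Quality Engineer': { categories: ['QMS', 'History', 'KG'],             maxSensitivity: 'high' },
  Admin:              { categories: ['*'],                                maxSensitivity: 'critical' },
  'Full Access':      { categories: ['*'],                                maxSensitivity: 'critical' },
};

// Hypothetical tool classifications (in the real system these come from the
// governance agent plus admin overrides). factory_update_order_priority is
// an assumed name standing in for an "order modification" write tool.
const TOOL_CATALOG = {
  factory_get_customer_orders:   { category: 'ERP', sensitivity: 'low' },
  factory_update_order_priority: { category: 'ERP', sensitivity: 'high' },
};

// Decide whether `role` may invoke `toolName`. Fails closed: an unknown role,
// an unclassified tool or an unknown sensitivity level is a DENY.
function evaluate(role, toolName) {
  const policy = ROLE_POLICIES[role];
  const tool = TOOL_CATALOG[toolName];
  if (!policy) return { decision: 'DENY', rule: 'unknown-role' };
  if (!tool)   return { decision: 'DENY', rule: 'unclassified-tool' };
  if (rank(tool.sensitivity) < 0 || rank(policy.maxSensitivity) < 0) {
    return { decision: 'DENY', rule: 'unknown-sensitivity-level' };
  }
  const categoryOk = policy.categories.includes('*') || policy.categories.includes(tool.category);
  if (!categoryOk) return { decision: 'DENY', rule: `category:${tool.category}` };
  if (rank(tool.sensitivity) > rank(policy.maxSensitivity)) {
    return { decision: 'DENY', rule: `sensitivity:${tool.sensitivity}>${policy.maxSensitivity}` };
  }
  return { decision: 'ALLOW', rule: `category:${tool.category}+sensitivity<=${policy.maxSensitivity}` };
}

// Redact secret-looking parameter fields (recursively) before logging.
const SENSITIVE_KEY = /(password|passwd|secret|token|api[_-]?key|credential)/i;
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(
      ([k, v]) => [k, SENSITIVE_KEY.test(k) ? '[REDACTED]' : redact(v)]));
  }
  return value;
}

// In-process log for the example. Entries are frozen, but real immutability
// needs append-only storage outside the process.
const AUDIT_LOG = [];

// Run one tool call through the gate: evaluate, execute only on ALLOW, and
// append exactly one audit entry whatever the outcome.
function governedCall({ user, role }, toolName, params, handler) {
  const started = Date.now();
  const { decision, rule } = evaluate(role, toolName);
  const tool = TOOL_CATALOG[toolName] || {};
  const entry = {
    user, role, tool: toolName,
    category: tool.category ?? null, sensitivity: tool.sensitivity ?? null,
    parameters: redact(params), decision, rule,
    result: 'denied', error: null, duration_ms: 0,
    timestamp: new Date(started).toISOString(),
  };
  let output;
  if (decision === 'ALLOW') {
    try { output = handler(params); entry.result = 'success'; }
    catch (e) { entry.result = 'failure'; entry.error = String(e && e.message ? e.message : e); }
  }
  entry.duration_ms = Date.now() - started;
  AUDIT_LOG.push(Object.freeze(entry));
  return { decision, rule, output };
}

// Constructed sample: a Meister reads orders (ALLOW) and then tries a high
// sensitivity write with a leaked api_key in the parameters (DENY, redacted).
const meister = { user: 'm.schmidt', role: 'Meister' };
governedCall(meister, 'factory_get_customer_orders', { customer: 'ACME' }, () => [{ order: 4711 }]);
governedCall(meister, 'factory_update_order_priority', { order: 4711, api_key: 'hunter2' }, () => 'updated');
console.log(JSON.stringify(AUDIT_LOG, null, 2));
```

The matching rule is recorded on both ALLOW and DENY so an auditor can tell which policy clause produced the decision; denied calls never reach the handler, so a denial is logged with result 'denied' and no execution time of note.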

Admin UI

The Governance Admin UI provides four tabs for managing access control:

Roles Tab

Create and edit factory roles. Assign tool categories and sensitivity thresholds to each role. Preview effective permissions.

Categories Tab

Manage tool categories. Group related tools, set default sensitivity levels, and configure category-level access rules.

Classifications Tab

Review and override auto-generated tool classifications. See which tools are assigned to which sensitivity level.

Audit Tab

Search and filter the audit log by user, role, tool, category, time range, and decision (allow/deny). Export to CSV.

Tip
The Admin UI is only accessible to users with the Admin or Full Access role. All admin actions are themselves audit-logged.
