This tutorial uses Manage teams and Invite users (to create teams and invite users) and Basic gateway management (to build and provision a gateway). If those pages or buttons aren’t visible, your role lacks the capability — access depends on the capability, not on a role name. See the capabilities reference.
What you’ll need
- An MCP Manager workspace with at least one MCP server already added. If you don’t have one, do Your first governed tool call first — you can reuse the docs server from it.
- A colleague’s email address to invite (or a second address of your own).
- About 15 minutes.
Step 1: Create a team
A team grants access: put a gateway in front of a team, and everyone on that team can reach it.1
Open the Teams tab
Go to People and open the Teams tab.
2
Create it
Click Create. In the Add a team dialog, set Team name to
Engineering, then click Save this team.Step 2: Build a gateway for the team
1
Create the gateway
Go to Gateways, click Add, and in Add a gateway set Gateway name to
Engineering.2
Provision it to the team
Under Provision access to teams, select Engineering, then click Save this gateway. Only members of a team you provision here will see this gateway when they connect.
Step 3: Assign a server and choose its identity scheme
Open the Engineering gateway, go to its Servers tab, and click Assign a server (the docs server from the quickstart works, or any server you’ve connected). When you assign it, you choose its Identity Scheme — how users authenticate to the upstream service. Choose Each user uses their own identity for anything that writes data or where an audit must name the individual; choose One identity is shared by everyone for read-only or low-risk servers. You can mix schemes across servers in the same gateway. For the full picture, see Identity Controls.Step 4: Review capabilities and pin the tools you want
With Each user uses their own identity selected, pick an identity below it to preview. MCP Manager shows the capabilities that came in from the server for that identity, split into the three things an MCP server provides a client: tools, resources, and prompts. Each of those sections defaults to Allow all and shows the Available tools tab — every capability discovered from the server for that identity. To narrow it, switch the section to Allow if conditions are met:1
Find the tools to allow
On the Available tools tab, search by name and select the tools you want — one at a time, or check several to bulk-select.
2
Add them as conditions
Add a tool on its own, or with several checked, click Add N conditions. Each condition asks what to match on: the tool’s name, its description, or both.
3
Confirm what's exposed
The Provisioned tools tab shows the tools that will be available to users connected to this gateway, and the Conditions tab lists the conditions you added.
Choosing what a condition matches on is metadata pinning. Pin only the name, and a tool keeps flowing through even if its description changes upstream. Pin the description (or both), and any upstream change stops the tool until you review it. That guards against a server silently altering a tool — a rug pull — and it keeps agents’ skill files, which reference tools by name, from drifting out of sync with what the gateway actually exposes.
The gateway is the atomic unit of tool governance. If a second team needs a different slice of the same server, give them their own gateway with its own conditions rather than scoping tools per person within one gateway — the same server can sit in as many gateways as you like.
Step 5: Invite a teammate
1
Open the invite dialog
Go to People, open the Users tab, and click Add new users.
2
Enter their details
In Email address(es), enter one or more comma-separated addresses. Choose a Role (it applies to everyone in this batch), and under Assign to teams select Engineering. Click Send via email. Each person gets an invitation immediately.
Everyone in a single invitation gets the same role. To assign different roles, send separate invitations. If your organization syncs from an identity provider, team membership can instead flow in automatically through SCIM.
Step 6: Confirm the scoping
Have your teammate accept the invitation, then connect their client using the Engineering gateway’s URL — copied from its overview page, including itsgateway parameter (see Connect your AI client to a gateway). They land directly in Engineering and reach only the gateways their teams grant. The tools available to them are exactly the ones you allowed in Step 4.
You built the full chain: a team grants access to a gateway, the gateway exposes a deliberately pinned set of a server’s tools under a chosen identity scheme, and a teammate you invited lands in exactly that gateway with exactly those tools. Change the team, the conditions, or the membership at any time and it takes effect on the next connection — no URLs to reissue.
Further reading
Add your first gateway rule
Put a guardrail on the gateway you just built.
Identity Controls
Personal versus shared identity in depth, and how credentials are brokered.
Feature Governance
The full reference for allowing tools, resources, and prompts per server.
Teams
How team membership resolves access across one or many teams.

