This article explains adding users, viewing access, removing access, and granting access to all MCP servers. When an MCP server uses Celigo as the identity provider, you control which users can connect from AI agents like Claude or Cursor. Sign into integrator.io to manage user access from:
-
AI studio → MCP Server → (server) → Access tab → Authentication → Users
-
My Account → Users → click the Actions overflow menu next to the user and select Manage user
-
You must have an admin role in the Celigo account.
-
The MCP server must use Celigo authentication. If using an external IdP, the system hides the Users section because you manage access at the IdP level.
MCP server user access depends on your role.
|
User type |
Access level |
Notes |
|---|---|---|
|
Admins |
Automatic access to all MCP servers |
Admins are not listed in the Users section of the Access tab. Once added under Users in the profile page, they automatically receive access to all MCP servers |
|
Non-admin users |
Must be explicitly added |
No MCP server access by default. An admin must grant access per-server or to all MCP servers. |
|
Users with all MCP servers access |
Access to all current and future MCP servers |
Follows the "Manage all" / "Monitor all" pattern used for integration access. |
Add users to an MCP serve
AI studio → MCP servers → Access tab → Users
Perform the following steps:
-
Locate the server and click to open.
-
In the Edit MCP server page, go to the Access tab → Authentication → Users → click + Invite user on the left side of the page.
-
Select one or more from the existing users from the account.
Note
The list shows account users who do not have access to this MCP server.
-
Select Add.
-
The selected users now appear in the users list and can connect to this MCP server from their MCP clients.
The Users list view in the Access tab → Users displays the following columns:
-
Name: Displays user name
-
Email: Displays user email ID
-
Actions: Provides an option to delete a user
Admins are always listed and marked with their admin role. You cannot remove them from the Users list and they have access to all MCP servers automatically.
-
Go to the Access tab → Authentications → Users section.
-
Locate the user in the Users list view. Click delete icon in the Actions column.
-
Click Delete to confirm.
When you remove a user, they lose access to this MCP server. If the user is currently connected, their access token remains valid for up to 1 hour. However, the refresh token does not issue a new access token.
You cannot remove admins from the users list. To revoke an admin's access, you must change their role to a non-admin role first.
You can also manage a user's MCP server access alongside their integration access from the user management screen.
-
Sign into integrator.io as an account owner or admin, click the avatar icon in the upper right corner of integrator.io, then click Users.
-
Locate the user and click the Actions overflow menu next to the user and select Manage user to modify permissions in your account or environments in your account.
-
Select any of the following from Roles & permissions section for the MCP servers field to be available.
-
Manage all
-
Monitor all
-
Customs
-
-
Scroll down to the MCP server section.
-
Select one of the following:
-
All MCP servers — Grants access to all current and future MCP servers. This follows the "Manage all" / "Monitor all" pattern for integration access.
-
Specific MCP servers — Select individual MCP servers from the list.
-
-
Select Save.
Changes you make on the Users screen is automatically updated in the MCP servers Access tab, and vice versa.
External IdP and user access: When you switch an MCP server's identity provider from Celigo to an external IdP, the Users section becomes hidden. The user access data is preserved but not enforced, as access is controlled by the external IdP. If you switch back to Celigo, the previously configured user access is restored.
Accounts with many MCP servers: For users who need broad access, granting "All MCP servers" access avoids the need to add them to each server individually.