Security

Outlines the key security features of MCP Server, including authentication, access controls, auditing, and compliance, to help you protect your Autonomous AI Database environment.

Secured Data Access

Enables fine-grained, secured data access using Virtual Private Database (VPD) policies and other Oracle database security features.

With the Autonomous AI Database MCP Server, you can access all data and metadata that your database permissions allow. The MCP server works with Oracle security features such as Virtual Private Database (VPD) and Real Application Security (RAS), but does not enforce AI Profile-based controls or limit actions to "Select-only" access. You decide which tools to register and expose, so by selecting only a restrictive set of tools, you can control what operations the MCP server can perform on your data.

Note

Keep in mind that when you use MCP, data may leave the database. Always consider the security of your MCP client application to ensure sensitive information remains protected.

Note

You should ensure that your tool’s description clearly states that results from the tool are not intended as commands for the LLM to execute.

Ensure that the MCP database user has only the minimum required privileges to prevent sensitive data from leaving the database. Consider adopting a two-schema approach for enhanced security:
  • Custom tools should reside in the database user schema used to log in to the MCP server (for example, MCP_USER).
  • The PL/SQL functions utilized by these tools should be defined in a separate schema (for example, SALES_USER).
  • Grant appropriate access from SALES_USER to the MCP_USER schema.
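The two-schema layout above, worked through in SQL as an added example (not taken from the original page). It assumes the schema names MCP_USER and SALES_USER, a SALES_USER.ORDERS table with REGION, AMOUNT and ORDER_DATE columns, and that the first statements run as an administrator; the point is that MCP_USER can execute the business function but holds no privilege on the underlying table.

```sql
-- Added example: two-schema layout for MCP tools.
-- Assumed names: SALES_USER owns the data and the PL/SQL logic,
-- MCP_USER is the account the MCP server logs in with.

-- 1. As an administrator: MCP_USER can connect and own tool wrappers, nothing more.
CREATE USER mcp_user IDENTIFIED BY "<password placeholder>";
GRANT CREATE SESSION, CREATE PROCEDURE TO mcp_user;
-- Deliberately no SELECT on SALES_USER tables for MCP_USER.

-- 2. As SALES_USER: the function runs with its owner's rights (AUTHID DEFINER),
--    so the caller never needs direct table privileges.
CREATE OR REPLACE FUNCTION sales_user.quarterly_total (p_region IN VARCHAR2)
  RETURN NUMBER AUTHID DEFINER AS
  v_total NUMBER;
BEGIN
  SELECT NVL(SUM(amount), 0) INTO v_total
    FROM sales_user.orders
   WHERE region = p_region
     AND order_date >= TRUNC(SYSDATE, 'Q');
  RETURN v_total;
END;
/
GRANT EXECUTE ON sales_user.quarterly_total TO mcp_user;

-- 3. As MCP_USER: the tool function lives in the login schema and only delegates.
CREATE OR REPLACE FUNCTION mcp_user.tool_quarterly_total (p_region IN VARCHAR2)
  RETURN NUMBER AS
BEGIN
  RETURN sales_user.quarterly_total(p_region);
END;
/

-- Check, run as MCP_USER: the wrapper works, the table itself is not visible.
SELECT mcp_user.tool_quarterly_total('EMEA') FROM dual;   -- returns a number
SELECT * FROM sales_user.orders;                           -- ORA-00942: table or view does not exist
```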

Create and Register a VPD Policy

Learn how to create and register Virtual Private Database (VPD) policies to safeguard your data and operations.

You can define Oracle Virtual Private Database (VPD) policies to provide fine-grained access control, ensuring that only specific rows of data are visible to each user.

This VPD policy example filters the HR.EMPLOYEE table so that users accessing it through MCP Server see only their own record, automatically and securely.

Example: Create a VPD policy on the database

This example shows how to return only the rows a signed-in user is permitted to see when an AI client calls MCP tools against Autonomous AI Database.

-- Policy function: returns the WHERE predicate that VPD appends to statements on the protected table.
-- Both parameters are required by DBMS_RLS but are not needed here.
CREATE OR REPLACE FUNCTION limit_sal (v_schema IN VARCHAR2, v_objname IN VARCHAR2)
  RETURN VARCHAR2 AUTHID CURRENT_USER AS
BEGIN
  -- The identity is read from the application context at execution time; it is not concatenated into the predicate.
  RETURN 'employee_id = SYS_CONTEXT(''MCP_SERVER_ACCESS_CONTEXT'', ''USER_IDENTITY'')';
END;
/

When an MCP tool is accessed, the identity of the database user is available through sys_context('MCP_SERVER_ACCESS_CONTEXT', 'USER_IDENTITY'). You can create VPD policies that use this application context value to restrict which rows of data are visible to each application or database user. If VPD policies already exist for a user, do not modify them: create an additional policy that uses MCP_SERVER_ACCESS_CONTEXT to restrict rows, so that the existing policies continue to apply and the new policy is enforced whenever the user accesses data through the MCP Server.

Example: Register the VPD policy

This example attaches the filtering function to the HR.EMPLOYEE table.

BEGIN
   -- Attach LIMIT_SAL to HR.EMPLOYEE; DBMS_RLS calls the function to obtain the predicate.
   DBMS_RLS.ADD_POLICY(
        object_schema        => 'HR',
        object_name          => 'EMPLOYEE',
        policy_name          => 'POL',
        policy_function      => 'LIMIT_SAL');
END;
/
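An added example (not part of the original page) of the coexistence rule described above: a second policy function that applies the MCP predicate only when the MCP context is populated and returns no predicate otherwise, so a pre-existing policy on the same table keeps working for non-MCP sessions while Oracle ANDs both predicates for MCP sessions. It assumes HR.EMPLOYEE has an EMPLOYEE_ID column and that the policy and function names MCP_POL and MCP_LIMIT_ROWS are free.

```sql
-- Added example: MCP-aware policy that coexists with existing VPD policies on HR.EMPLOYEE.
-- Assumed: HR.EMPLOYEE has an EMPLOYEE_ID column; MCP_POL and MCP_LIMIT_ROWS are unused names.

CREATE OR REPLACE FUNCTION hr.mcp_limit_rows (v_schema IN VARCHAR2, v_objname IN VARCHAR2)
  RETURN VARCHAR2 AUTHID CURRENT_USER AS
  v_identity VARCHAR2(4000);
BEGIN
  v_identity := SYS_CONTEXT('MCP_SERVER_ACCESS_CONTEXT', 'USER_IDENTITY');
  IF v_identity IS NULL THEN
    -- Not an MCP session: return no predicate, so only the pre-existing policies apply.
    RETURN NULL;
  END IF;
  -- MCP session: reference the context inside the predicate instead of concatenating
  -- the value, so the identity string is never parsed as SQL.
  RETURN 'employee_id = SYS_CONTEXT(''MCP_SERVER_ACCESS_CONTEXT'', ''USER_IDENTITY'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEE',
    policy_name     => 'MCP_POL',
    function_schema => 'HR',
    policy_function => 'MCP_LIMIT_ROWS',
    statement_types => 'SELECT,UPDATE,DELETE',  -- cover writes as well as reads
    update_check    => TRUE);                   -- reject updates that would move a row outside the predicate
END;
/

-- Check: every policy on the table is enabled; predicates of enabled policies are ANDed.
SELECT policy_name, function, enable, sel, upd, del
  FROM dba_policies
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEE';
```

Because a NULL USER_IDENTITY produces no predicate from this function, sessions that are not MCP sessions are governed entirely by the existing policies, which is why those policies must remain in place.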

Access Control Lists (ACLs)

Manage and restrict network access to your database resources using Access Control Lists (ACLs).

Access Control Lists (ACLs) provide a powerful way to manage and restrict network access to your database resources. By configuring ACLs, you can define which clients or networks are permitted to connect, enhancing your database security posture. See Network Access Control List (ACL) for more details.

If you configure ACLs, the MCP Server endpoint is accessible only from the IP addresses specified in those rules. Requests originating from addresses outside the defined ACL entries are denied. This restriction applies to all MCP Server connections and enforces network-level access control before authentication occurs. For information about configuring ACLs for Autonomous AI Database, see Configuring Network Access with Access Control Rules (ACLs).

Private Endpoint Access

If you configure network access using a Private Endpoint, the MCP Server endpoint is reachable only from the Virtual Cloud Network (VCN) specified during private endpoint configuration. Clients outside the allowed VCN cannot connect to the MCP Server.

For databases configured with a Private Endpoint, the MCP Server URL uses the private hostname format:
https://{hostname_prefix}.adb.{region-identifier}.oraclecloudapps.com/adb/mcp/v1/databases/{database-ocid}

For more information about configuring network access using Private Endpoint, see Configure Private Endpoint Advanced Options.

  • hostname_prefix: is either the value you provided during private endpoint setup or the value generated automatically by the system.

    To obtain the hostname_prefix, navigate to the Autonomous AI Database details page in the OCI Console and locate the Private Endpoint URL in the Network section. For information about locating the Private Endpoint URL, see Private Endpoints Notes.

  • region-identifier: is the Oracle Cloud region where the database is deployed.

  • database-ocid: is the OCID of your Autonomous AI Database instance.

For example: If the Private Endpoint URL is:
testhostname01.adb.us-ashburn-1.oraclecloud.com

then testhostname01 is the hostname_prefix.

Audit

The MCP server provides auditing capabilities to help you monitor and track all access and operations. Audit logs capture detailed information that you can use with custom audit policies.

MCP server records detailed information about each access and the specific tools used.

Note

Do not make security or auditing decisions based on SESSION_USER. Instead, use the MCP_SERVER_ACCESS_CONTEXT application context (for example, SYS_CONTEXT('MCP_SERVER_ACCESS_CONTEXT', 'USER_IDENTITY')) to reliably reference the authenticated user.