# Aserto MCP

> Aserto manages authorization rules by letting your AI client run policy queries against complex access control systems. You can check if a user has permission for an action, inspect deep decision logic, or audit who accessed what resource and when. It lets you treat fine-grained security policies as simple conversational checks.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** authorization, rego, policy-as-code, access-control, iam

## Description

Your agent connects directly to Aserto's rules engine, letting you manage and evaluate complex access control policies using natural conversation. Forget writing boilerplate API calls just to see if someone can read a document; your AI client handles the logic for you. You simply ask, 'Can User X do Y on Resource Z?' The system executes the full policy check instantly.

Need more depth? Run custom queries against the ruleset itself or view the complete decision path taken by the authorizer to understand exactly why a decision was made. It even helps manage policies deployed across different edge locations. This MCP provides comprehensive visibility into your security decisions, all hosted and managed through Vinkius. You get immediate answers on permissions, audit logs, and policy structure without ever touching an API key or writing Rego code.

## Tools

### authz_decisiontree
Retrieves a detailed map of values across all policy modules, showing the complete decision logic path.

### authz_is
Checks whether a specific user identity has permission to perform an action based on current policies.

### authz_query
Allows you to execute custom Rego queries against the main policy authorizer for deep data inspection.

### control_plane_exec
Sends commands directly to a connected Edge Authorizer, useful for syncing policies or directories. Unlike the check and query tools, which only read, this one changes the state of the authorizer it targets.

### get_decision_log
Gets a signed download URL so you can retrieve an archived decision log object safely.

### list_decision_logs
Lists all available storage objects containing past decisions and audit logs for inspection.

### query_decision_logs
Retrieves the last N authorization decisions from the decision log storage objects.

## Prompt Examples

**Prompt:** 
```
Check if user 'alice@example.com' is authorized to 'read' the 'document_123' resource using the 'peoplefinder' policy.
```

**Response:** 
```
I've evaluated the policy via `authz_is`. The decision for 'read' is **true**. Alice has the required permissions based on the provided resource context.
```

**Prompt:** 
```
Run a Rego query to list all roles defined in 'data.system.roles'.
```

**Response:** 
```
Executing `authz_query`... The query returned the following roles: ['admin', 'editor', 'viewer'].
```

**Prompt:** 
```
List the available decision logs for my current policies.
```

**Response:** 
```
I've retrieved the decision logs using `list_decision_logs`. I found 3 storage objects available for the 'production-policy' ID. Would you like to inspect a specific log?
```

## Capabilities

### Check User Permissions
Determine if a specific user is authorized to perform any action based on established security policies.

### Execute Custom Policy Queries
Run custom, deep queries against the underlying policy logic to inspect system data or test complex rulesets.

### Inspect Decision Logic Paths
Retrieve a full map of the decision tree values to see exactly how the policies processed a request.

### Manage Edge Authorizers
Send direct commands to connected edge authorizers, ensuring policy instances sync correctly across your infrastructure.

### Audit Decision History
List and retrieve decision logs, maintaining a clear record of every authorization event that occurred in the system.

## Use Cases

### Verifying new feature access for a client
A security engineer needs to confirm if a premium user can view certain financial reports. They prompt their agent: 'Check if user X is authorized to read the Quarterly Report.' The system runs authz_is and confirms the decision, saving hours of manual testing against the API.

### Investigating a data leak incident
A compliance officer needs to prove that only authorized staff viewed sensitive documents. They use list_decision_logs to find all available logs and then query_decision_logs to pull every decision made for the affected resource ID.
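The incident workflow above ends with a pile of decision records that still have to be reduced to "who was allowed to do what on this resource, and who was denied". The following is an added example, not code from the MCP or from Aserto: it parses a constructed JSON-lines decision log (the field names `ts`, `user`, `action`, `resource`, `policy`, `decision` are an assumption for this example, not Aserto's real log schema), returns the last N decisions the way `query_decision_logs` is described, and builds a per-resource access report. Malformed lines are counted rather than dropped silently, so an auditor can tell whether the record they are reasoning from is complete.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample decision-log lines (one JSON record per line).
# The field names are an assumption made for this example, not Aserto's schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "action": "read", "resource": "document_123", "policy": "peoplefinder", "decision": true}
{"ts": "2024-05-01T09:05:00Z", "user": "bob@example.com", "action": "read", "resource": "document_123", "policy": "peoplefinder", "decision": false}
{"ts": "2024-05-01T09:07:00Z", "user": "carol@example.com", "action": "write", "resource": "document_123", "policy": "peoplefinder", "decision": true}
{"ts": "2024-05-01T09:10:00Z", "user": "alice@example.com", "action": "read", "resource": "document_999", "policy": "peoplefinder", "decision": true}
not json at all
{"ts": "2024-05-01T09:12:00Z", "user": "bob@example.com", "action": "read", "resource": "document_123", "policy": "peoplefinder", "decision": true}
"""


def parse_decision_log(text):
    """Parse JSON-lines decision records.

    Returns (records sorted oldest-first, count of malformed lines). Lines that
    are not JSON or lack a parsable timestamp are counted, not silently lost.
    """
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            # json.JSONDecodeError is a ValueError subclass
            malformed += 1
    records.sort(key=lambda r: r["ts"])
    return records, malformed


def last_n_decisions(records, n):
    """The most recent n decisions, newest first (the query_decision_logs idea)."""
    return sorted(records, key=lambda r: r["ts"], reverse=True)[:n]


def decisions_for_resource(records, resource):
    """Every decision, allowed or denied, made about one resource id."""
    return [r for r in records if r.get("resource") == resource]


def audit_resource(records, resource):
    """Reduce a resource's decisions to who was allowed what, and who was denied.

    'allowed' maps "user:action" to the timestamps of permitted decisions;
    'denied_attempts' counts refused requests per user and action; 'viewers'
    lists the users who were actually permitted to read the resource.
    """
    allowed, denied = {}, Counter()
    for r in decisions_for_resource(records, resource):
        key = (r["user"], r["action"])
        if r["decision"] is True:
            allowed.setdefault(key, []).append(r["ts"].isoformat())
        else:
            denied[key] += 1
    return {
        "resource": resource,
        "allowed": {f"{u}:{a}": ts for (u, a), ts in sorted(allowed.items())},
        "denied_attempts": {f"{u}:{a}": n for (u, a), n in sorted(denied.items())},
        "viewers": sorted({u for (u, a) in allowed if a == "read"}),
    }


if __name__ == "__main__":
    recs, bad = parse_decision_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed line(s) skipped")
    for r in last_n_decisions(recs, 2):
        print(r["ts"].isoformat(), r["user"], r["action"], r["resource"], r["decision"])
    print(json.dumps(audit_resource(recs, "document_123"), indent=2))
```

Denied attempts are kept separate from permitted access on purpose: for a leak investigation the denied set is the list of people the policy stopped, which is as useful for scoping the incident as the list it let through.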

### Debugging a complex role hierarchy
A backend developer finds that 'editor' roles sometimes get unexpected read access. They use authz_query to run a specific Rego query against data.system.roles, exposing the exact policy rule causing the unintended permission.

### Updating policies across global regions
The infrastructure team updates core rules and needs to ensure all regional endpoints are using them. They use control_plane_exec to send a sync command, guaranteeing consistency across every deployed edge authorizer.

## Benefits

- You skip manual API calls entirely. Instead of writing code to check permissions, you simply ask your agent, 'Is this user authorized?' and get an immediate true/false answer via authz_is.
- Audit trails are instant. Need to prove who accessed what last month? Use list_decision_logs to find the correct log object, then use query_decision_logs to pull the specific records you need for compliance checks.
- Debugging complex policies gets easier. When a decision seems wrong, don't guess why. Use authz_decisiontree to map out the exact logic path the system took and pinpoint the flaw.
- Manage distributed security with confidence. If you have multiple policy endpoints, use control_plane_exec to send commands that ensure all your edge authorizers are perfectly synced with the central ruleset.
- Deep dive into policies without risk. Instead of relying on preset checks, run custom queries using authz_query. This lets you inspect underlying data or test logic not covered by standard tools.

## How It Works

The bottom line is: you ask a question about access control in plain language, and this MCP executes the complex security checks instantly.

1. First, connect your AI client to this MCP by supplying your Aserto Tenant ID, API URL, and required API keys.
2. Next, you ask a question about access control—for example, 'Can the admin read document 45?'—and your agent invokes the appropriate policy tool.
3. Finally, the system returns an immediate, actionable decision (true/false) along with detailed logs or query results.

## Frequently Asked Questions

**How do I check if a user is authorized using Aserto MCP?**
You use the authz_is tool. Simply ask your agent who needs permission and what resource they want to access, and it will return a definitive true or false decision based on your policies.

**Can I run custom queries with Aserto MCP?**
Yes, you use the authz_query tool. This allows you to execute specific Rego queries against the underlying policy data for advanced inspection beyond standard checks.

**How does Aserto MCP help with compliance auditing?**
You maintain a clear record by using list_decision_logs and query_decision_logs. This gives you an instant, verifiable audit trail of every access event for regulatory reporting.

**What if I need to update policies on multiple systems?**
Use the control_plane_exec tool. It sends commands directly to your connected Edge Authorizers, ensuring that policy changes sync consistently across all your deployed locations.