Hi Directus team,
I’m working on a multi-user application using Directus + MCP.
My setup:
- Each user performs certain operations, and
- Each operation result is stored as a record in a Directus collection.
- Using Directus access policies, I can manually restrict access so that:
  - A user can only retrieve their own records based on primary fields.
The problem (with MCP)
When enabling Directus MCP:
- MCP resources seem to be globally accessible.
- If an MCP client (LLM / agent) queries a collection:
  - It can retrieve all records, including test runs / operations belonging to other users.
- This breaks user-level isolation in a multi-user environment.
So my concern is:
How does Directus MCP enforce access policies per user context?