Effective access resolver
Open Authz -> Effective Access (/authz/effective-access) when the question is concrete:
Can this user, through this client and application, call this tool right now?
The resolver is for support and security operators. It does not show raw binding IDs as the main content; it shows a verdict, the failed condition, the access path, and the safest fix.
What you will see
- Verdict — allowed, denied, or needs review.
- Failed condition — for example user_inactive, application_not_launched, tool_unmapped, or missing_role_scope.
- Access path — user status, application launch state, tool mapping, role grants, client scopes, and consent state.
- Remediation — add a role, map a tool, remove public access, revoke consent, or reactivate/suspend a user.
Common queries
- "Why did an MCP tool return 403?" Pick the user, application, and tool. If the tool is mapped but no assigned role grants its label, update the application role or assignment.
- "Who can use this tool?" Start from the Tools inspector, then export affected users or open the access assignment list.
- "What happens if I remove this grant?" Use the access-change preview before removing a binding or deleting an access label.
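
The 403 triage above, as an added illustrative model (not the product's own code): it evaluates the access path in order and reports the first failed condition, using the four condition codes this page lists. The field names, the check order, the sample labels and the fix for application_not_launched are assumptions; client scopes, consent state and the "needs review" verdict are left out because the page names no condition codes for them.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass
class AccessRequest:  # hypothetical shape; field names are assumptions
    user_active: bool
    application_launched: bool
    tool_label: Optional[str]   # access label the tool is mapped to; None = unmapped
    assigned_roles: list        # roles assigned to the user for this application
    role_grants: dict = field(default_factory=dict)  # role -> set of labels it grants

# Condition codes are the four the page lists; pairing with fixes is assumed.
REMEDIATION = {
    "user_inactive": "reactivate the user",
    "application_not_launched": "launch the application",  # assumed; page names no fix
    "tool_unmapped": "map the tool",
    "missing_role_scope": "add a role that grants the tool's label",
}

def resolve(req):
    """Return verdict, first failed condition, access path and suggested fix."""
    granting = [r for r in req.assigned_roles
                if req.tool_label in req.role_grants.get(r, set())]
    # (condition code, access-path step, passed?) in assumed evaluation order
    checks = [
        ("user_inactive", "user status", req.user_active),
        ("application_not_launched", "application launch state", req.application_launched),
        ("tool_unmapped", "tool mapping", req.tool_label is not None),
        ("missing_role_scope", "role grants", bool(granting)),
    ]
    failed = next((code for code, _, ok in checks if not ok), None)
    return {
        "verdict": "allowed" if failed is None else "denied",
        "failed_condition": failed,
        "access_path": {step: "pass" if ok else "fail" for _, step, ok in checks},
        "granting_roles": granting,
        "remediation": REMEDIATION.get(failed),
    }

# Constructed sample: tool is mapped, but the only assigned role grants another label.
SAMPLE_403 = AccessRequest(
    user_active=True, application_launched=True, tool_label="tickets.write",
    assigned_roles=["viewer"],
    role_grants={"viewer": {"tickets.read"}, "editor": {"tickets.write"}},
)

if __name__ == "__main__":
    print(resolve(SAMPLE_403))                                      # the 403 case
    print(resolve(replace(SAMPLE_403, assigned_roles=["editor"])))  # after the fix
```
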
API reference
- GET /authsec/v1/applications/:id/effective-access?user_id=...
- POST /authsec/v1/applications/:id/access-simulations
- POST /authsec/v1/applications/:id/access-change-previews