Permissions and roles
When you connect an AI client to Klarify, the client inherits your Klarify role. The MCP server only exposes the tools your role is allowed to call — lower-privileged users do not see administrative tools at all.
Tool visibility by role
| Tool group | Guest | Employee | Org Admin | Super Admin | Account Manager | Account Owner |
|---|---|---|---|---|---|---|
| Session | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Organization info | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Organization stats | — | ✅ | ✅ | ✅ | ✅ | ✅ |
| Organization settings | — | — | ✅ | ✅ | ✅ | ✅ |
| Organization billing | — | — | — | — | — | ✅ |
| Read tools (employees, departments, documents, etc.) | — | ✅ | ✅ | ✅ | ✅ | ✅ |
| Write tools (create / update / delete) | — | — | ✅ | ✅ | ✅ | ✅ |
How role enforcement works
Role checks happen on the MCP server, not in the AI client. Even if a tool name appears in an AI client’s tool list, the server rejects calls that exceed the user’s role.
For example, an Employee who asks the AI to “delete the Sales department” will get a refusal — the delete_department tool is not registered for that session.
Content-level access
In addition to role-based tool visibility, content-level permissions still apply. Folders themselves are visible to every active member, but individual documents (process models and global tasks) inside a folder can be restricted. For example, an Org Admin who has not been granted access to a specific document cannot read that document through the AI client, just as they cannot in the Klarify app.
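The checks described under "How role enforcement works" and "Content-level access" can be sketched as three server-side layers: per-session tool registration, a re-check at call time, and a document-level permission that applies regardless of role. This is an added example, not Klarify's own code; every tool name except delete_department, the role identifiers, and the shape of the document access list are assumptions made for illustration.

```python
# Added illustration, not Klarify's code. Tool names other than
# delete_department and the ACL shape are assumptions.
ROLES = {"guest", "employee", "org_admin", "super_admin",
         "account_manager", "account_owner"}

# Tool group -> roles allowed, transcribed from the visibility table.
GROUP_ROLES = {
    "session": ROLES,
    "org_info": ROLES,
    "org_stats": ROLES - {"guest"},
    "org_settings": ROLES - {"guest", "employee"},
    "org_billing": {"account_owner"},
    "read": ROLES - {"guest"},
    "write": ROLES - {"guest", "employee"},
}

# Hypothetical tool -> group mapping (only delete_department is from the page).
TOOL_GROUP = {
    "get_session": "session",
    "get_document": "read",
    "delete_department": "write",
    "get_billing": "org_billing",
}

class Denied(Exception):
    """Raised when the server refuses a tool call."""

class Session:
    def __init__(self, user, role, restricted_docs):
        self.user, self.role = user, role
        # Constructed ACL: doc id -> users granted access; absent ids are unrestricted.
        self.restricted_docs = restricted_docs
        # Layer 1: register only the tools this role may call (unknown role -> none).
        self.tools = {t for t, g in TOOL_GROUP.items() if role in GROUP_ROLES[g]}

    def list_tools(self):
        return sorted(self.tools)

    def call(self, tool, **args):
        # Layer 2: server-side check at call time; the client's tool list is not trusted.
        if tool not in self.tools:
            raise Denied(f"{tool} is not registered for role {self.role}")
        # Layer 3: content-level permission, independent of role.
        if tool == "get_document":
            acl = self.restricted_docs.get(args["doc_id"])
            if acl is not None and self.user not in acl:
                raise Denied(f"{self.user} has no access to {args['doc_id']}")
        return f"ok:{tool}"
```

An unrecognized role ends up with an empty tool set, so the sketch fails closed.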