Secure your MCP connection

Apply these security best practices when connecting an AI agent to CloudBees Unify through MCP. For background on how authentication and RBAC work, refer to Understanding the CloudBees Unify MCP Server.

Follow security best practices

These practices reduce exposure if an account or machine is compromised.

Use least-privilege accounts

Connect your AI agent with an account that has only the access it needs:

  • Developers typically need read access to components, workflows, and builds, plus permission to trigger workflows.

  • Platform engineers may require broader access for configuration and management tasks.

  • Security engineers may need read-only access to security findings and reports.

Avoid using highly privileged accounts for routine use.

Create a dedicated service account for your AI agent with appropriately scoped roles, rather than using a personal account with broad access.

Authenticate each machine separately

Authenticate each developer machine independently:

  • Don’t share authentication between machines or users.

  • If a machine is lost or compromised, reauthenticate immediately to replace the exposed credentials, then reauthenticate your other machines so they continue working.

Reauthenticate when prompted

Your authentication expires after a period of time. When prompted, reauthenticate to continue using MCP. If you suspect your authentication is compromised, reauthenticate immediately.

Monitor activity

All MCP activity is logged and attributed to the user account the agent authenticated with. This is one more reason to give each agent its own service account: its actions stay distinguishable from yours in the audit trail. Contact CloudBees Support for audit inquiries or security investigations.

Control access with roles

CloudBees Unify enforces role-based access control (RBAC) when you use MCP. All tools are visible to authenticated users, but visibility is not authorization: your roles determine which resources a tool call can actually reach:

  • A user with only the Developer role cannot access user management resources.

  • A user with only read permissions cannot trigger workflows or modify feature flags.

  • A user not in a team cannot access that team’s components.

To restrict what an AI agent can do:

  1. Create or identify the user account for your AI agent to use.

  2. Assign only the necessary roles to that account.

  3. Test the connection to verify that the required operations work and that operations outside the assigned roles are refused.
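Step 3 is only meaningful if it checks both directions: the calls the agent needs must succeed, and the calls outside its roles must be refused. The script below is an added example, not CloudBees code. CloudBees Unify's real tool names, role names and permission model are not reproduced here; the `TOOLS` catalogue, the `ROLE_PERMS` mapping and the `authorize` function are constructed stand-ins that follow the three rules stated above (admin-only resources, read-only accounts cannot write, team resources require team membership). Replacing `authorize` with a real tool call against your MCP server turns it into a live check.

```python
"""Least-privilege verification for an AI agent's MCP account (added example).

Everything below is a constructed model of the RBAC behaviour described on
this page, not CloudBees Unify's actual tools, roles or permission checks.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed tool catalogue (assumed names, not Unify's). Every tool is
# listed for every authenticated user; only the *call* is gated. Each tool
# declares the permission it needs and whether it touches a team resource.
TOOLS = {
    "list_components":  {"perm": "read",  "team_scoped": True},
    "get_build":        {"perm": "read",  "team_scoped": True},
    "trigger_workflow": {"perm": "write", "team_scoped": True},
    "set_feature_flag": {"perm": "write", "team_scoped": True},
    "list_users":       {"perm": "admin", "team_scoped": False},
    "create_user":      {"perm": "admin", "team_scoped": False},
}

# Constructed role -> permission mapping (assumption, not Unify's roles).
ROLE_PERMS = {
    "Viewer":    {"read"},
    "Developer": {"read", "write"},
    "Admin":     {"read", "write", "admin"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    teams: frozenset


def list_tools(principal: Principal) -> List[str]:
    """Tool discovery is not authorization: every authenticated principal
    sees the full catalogue, regardless of roles."""
    return sorted(TOOLS)


def authorize(principal: Principal, tool: str, team: Optional[str] = None) -> bool:
    """Per-call check: the principal needs the tool's permission through one
    of its roles and, for team-scoped tools, membership in the target team."""
    spec = TOOLS.get(tool)
    if spec is None:
        return False  # unknown tool: deny by default
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in principal.roles))
    if spec["perm"] not in perms:
        return False
    if spec["team_scoped"] and team not in principal.teams:
        return False
    return True


def verify_least_privilege(principal: Principal,
                           expect_allowed: List[Tuple[str, Optional[str]]],
                           expect_denied: List[Tuple[str, Optional[str]]]):
    """Step 3 with its negative half: return every (tool, team) call whose
    outcome did not match expectations. An empty list means the account is
    scoped as intended; 'unexpected_allowed' entries mean it is over-privileged."""
    mismatches = []
    for tool, team in expect_allowed:
        if not authorize(principal, tool, team):
            mismatches.append(("unexpected_denied", tool, team))
    for tool, team in expect_denied:
        if authorize(principal, tool, team):
            mismatches.append(("unexpected_allowed", tool, team))
    return mismatches


# Constructed agent account: Developer role, member of one team only.
AGENT = Principal("ai-agent-svc", frozenset({"Developer"}), frozenset({"payments"}))

# What a developer-scoped agent should and should not be able to do.
EXPECT_ALLOWED = [("list_components", "payments"), ("trigger_workflow", "payments")]
EXPECT_DENIED = [("list_users", None), ("create_user", None),
                 ("list_components", "billing"), ("trigger_workflow", "billing")]

if __name__ == "__main__":
    print("visible tools:", list_tools(AGENT))
    problems = verify_least_privilege(AGENT, EXPECT_ALLOWED, EXPECT_DENIED)
    print("OK" if not problems else f"least-privilege violations: {problems}")
```

Run it once with the agent's account after assigning roles and again after any role change; a non-empty result from `verify_least_privilege` means the account's effective access has drifted from what you expected, in either direction.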

Security checklist

Use this checklist to verify your MCP connection follows security best practices:

  • AI agents authenticate with least-privilege user accounts.

  • Each machine has its own authentication. No shared credentials.

  • Administrator accounts are not used for day-to-day AI agent operations.

  • Corporate proxy settings are correctly configured if needed.

  • Team members have reviewed Understanding MCP privacy and data handling.

Respond to a security incident

If you suspect a security incident:

  1. Immediate action: Reauthenticate your AI client to obtain new credentials.

  2. Notify your security team: Follow your organization’s incident response procedures.

  3. Contact support: Contact CloudBees Support. CloudBees can review activity logs and assist with security concerns.