DTwo Policy Store

Salesforce Read-Only Access

Restricts the Salesforce MCP server to read-only access.

Direction
ingress
Rego package
salesforce.ingress.readonly
App
salesforce
Bundle
crm
Published
Minimum gateway
1.0.0b24
Schema version
1.0.0
Checksum
sha256:e66f0db4e835bc2684182230aea05bed5200658e4db8b81f27ffaa8134e5e696

salesforceaccess-controlgovernanceread-onlyingress

What this policy does

Direction: ingress (tool_pre_invoke) Default: deny on match, allow otherwise Package: salesforce.ingress.readonly

What it does

Restricts the Salesforce MCP server to read-only access. Non-Salesforce tools pass through untouched; among Salesforce tools, only the known read tools (soqlquery, find, getobjectschema, getrelatedrecords, getuserinfo, listrecentsobjectrecords) are allowed. Any other salesforce-* tool — including current and future write tools like createsobjectrecord, updatesobjectrecord, updaterelatedrecord — is denied.

Why an allowlist (fail-closed)

This is an allowlist, not a blocklist: writes are denied by default and only named read tools are permitted. New write tools added to the MCP server in the future therefore fail closed (denied) rather than slipping through until someone remembers to blocklist them.

Why ingress

Writes have permanent side effects. The read/write nature of a call is fully determined by which tool is invoked, so denying non-read tools at ingress guarantees no mutation reaches Salesforce.

How it matches

  • Non-Salesforce tools pass through (not startswith("salesforce-")).
  • Salesforce read tools in the allowlist are permitted.
  • Everything else under the salesforce- prefix is denied.

Scope / tool naming

This policy is scoped by the salesforce- server-name prefix and lists tools by their full salesforce-* names, which assumes the Salesforce MCP server is registered on the gateway as salesforce. If your gateway registers it under a different name, adjust the prefix and the allowlist entries. Confirm exact tool names with the dump-input debug technique before deploying.

Examples

Allowed (read tool)

{
  "input": {
    "action": "tool_pre_invoke",
    "resource": { "name": "salesforce-soqlquery", "type": "tool" },
    "payload": { "name": "salesforce-soqlquery", "args": { "q": "SELECT Id FROM Account" } }
  }
}

allow = true, no reason.

Denied (write tool)

{
  "input": {
    "action": "tool_pre_invoke",
    "resource": { "name": "salesforce-createsobjectrecord", "type": "tool" },
    "payload": { "name": "salesforce-createsobjectrecord", "args": { "sobject-name": "Account", "body": { "Name": "Acme" } } }
  }
}

allow = false, reason = "Salesforce write operations (create/modify) are blocked on this gateway. Only read-only Salesforce tools are permitted.".

Known limitations

  • Allowlist maintenance. New read tools must be added to salesforce_read_tools or they will be denied. This is the intended trade-off for fail-closed behavior on writes.
  • Prefix-scoped. Scoping is startswith("salesforce-") with full tool names. A server registered under a different prefix won't be governed until the checks are adjusted.
  • No identity-based exemptions. All callers are read-only. To allow a break-glass writer, add an allow if branch gated on input.subject.claims.

Policy source (Rego)

package salesforce.ingress.readonly

default allow := false

# Salesforce read-only tools that are permitted
salesforce_read_tools := {
    "salesforce-soqlquery",
    "salesforce-find",
    "salesforce-getobjectschema",
    "salesforce-getrelatedrecords",
    "salesforce-getuserinfo",
    "salesforce-listrecentsobjectrecords",
}

# This policy only governs the Salesforce MCP server.
# Any non-Salesforce tool passes through untouched.
allow if {
    not startswith(lower(input.resource.name), "salesforce-")
}

# Allow only the known Salesforce read-only tools.
allow if {
    salesforce_read_tools[lower(input.resource.name)]
}

reason := "Salesforce write operations (create/modify) are blocked on this gateway. Only read-only Salesforce tools are permitted." if not allow

Canonical source: policy.md on GitHub · raw · raw on this site (.md)

Used in these guides