Salesforce Read-Only Access
Restricts the Salesforce MCP server to read-only access.
- Direction
- ingress
- Rego package
salesforce.ingress.readonly- App
- salesforce
- Bundle
- crm
- Published
- Minimum gateway
- 1.0.0b24
- Schema version
- 1.0.0
- Checksum
sha256:e66f0db4e835bc2684182230aea05bed5200658e4db8b81f27ffaa8134e5e696
salesforceaccess-controlgovernanceread-onlyingress
What this policy does
Direction: ingress (tool_pre_invoke)
Default: deny on match, allow otherwise
Package: salesforce.ingress.readonly
What it does
Restricts the Salesforce MCP server to read-only access. Non-Salesforce tools
pass through untouched; among Salesforce tools, only the known read tools
(soqlquery, find, getobjectschema, getrelatedrecords, getuserinfo,
listrecentsobjectrecords) are allowed. Any other salesforce-* tool —
including current and future write tools like createsobjectrecord,
updatesobjectrecord, updaterelatedrecord — is denied.
Why an allowlist (fail-closed)
This is an allowlist, not a blocklist: writes are denied by default and only named read tools are permitted. New write tools added to the MCP server in the future therefore fail closed (denied) rather than slipping through until someone remembers to blocklist them.
Why ingress
Writes have permanent side effects. The read/write nature of a call is fully determined by which tool is invoked, so denying non-read tools at ingress guarantees no mutation reaches Salesforce.
How it matches
- Non-Salesforce tools pass through (
not startswith("salesforce-")). - Salesforce read tools in the allowlist are permitted.
- Everything else under the
salesforce-prefix is denied.
Scope / tool naming
This policy is scoped by the salesforce- server-name prefix and lists tools
by their full salesforce-* names, which assumes the Salesforce MCP server is
registered on the gateway as salesforce. If your gateway registers it under a
different name, adjust the prefix and the allowlist entries. Confirm exact tool
names with the dump-input debug technique before deploying.
Examples
Allowed (read tool)
{
"input": {
"action": "tool_pre_invoke",
"resource": { "name": "salesforce-soqlquery", "type": "tool" },
"payload": { "name": "salesforce-soqlquery", "args": { "q": "SELECT Id FROM Account" } }
}
}
allow = true, no reason.
Denied (write tool)
{
"input": {
"action": "tool_pre_invoke",
"resource": { "name": "salesforce-createsobjectrecord", "type": "tool" },
"payload": { "name": "salesforce-createsobjectrecord", "args": { "sobject-name": "Account", "body": { "Name": "Acme" } } }
}
}
allow = false, reason = "Salesforce write operations (create/modify) are blocked on this gateway. Only read-only Salesforce tools are permitted.".
Known limitations
- Allowlist maintenance. New read tools must be added to
salesforce_read_toolsor they will be denied. This is the intended trade-off for fail-closed behavior on writes. - Prefix-scoped. Scoping is
startswith("salesforce-")with full tool names. A server registered under a different prefix won't be governed until the checks are adjusted. - No identity-based exemptions. All callers are read-only. To allow a
break-glass writer, add an
allow ifbranch gated oninput.subject.claims.
Policy source (Rego)
package salesforce.ingress.readonly
default allow := false
# Salesforce read-only tools that are permitted
salesforce_read_tools := {
"salesforce-soqlquery",
"salesforce-find",
"salesforce-getobjectschema",
"salesforce-getrelatedrecords",
"salesforce-getuserinfo",
"salesforce-listrecentsobjectrecords",
}
# This policy only governs the Salesforce MCP server.
# Any non-Salesforce tool passes through untouched.
allow if {
not startswith(lower(input.resource.name), "salesforce-")
}
# Allow only the known Salesforce read-only tools.
allow if {
salesforce_read_tools[lower(input.resource.name)]
}
reason := "Salesforce write operations (create/modify) are blocked on this gateway. Only read-only Salesforce tools are permitted." if not allow Canonical source: policy.md on GitHub · raw · raw on this site (.md)
Used in these guides
Related policies
HubSpot Block Deal Closure
Blocks HubSpot CRM-object calls that move a deal into a closed stage (closedwon or closedlost). Both create and update requests are inspected.
HubSpot Protect Associations
Blocks HubSpot CRM-object calls that create or change associations between objects (deal↔company, contact↔company, etc.).
HubSpot Protect Deal Owner
Blocks HubSpot CRM-object update calls that set or change a deal's owner.
HubSpot Protect Lifecycle Stage
Blocks HubSpot CRM-object calls that set or change a contact's lifecycle stage.
HubSpot Read-Only
Makes the HubSpot connection read-only by blocking the write tool.