truefoundry/truefoundry-access-control
skills/access-control/SKILL.md
Manages TrueFoundry roles, teams, and collaborators. Create custom roles, organize users into teams, and grant access to resources. Use when managing permissions, creating teams, or adding collaborators.
$ install --global
skillsauthnpx skillsauth add truefoundry/tfy-gateway-skills truefoundry-access-controlInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 23, 2026, 10:34 PM240.6s16 files scanned
SKILL.md
- name:
- truefoundry-access-control
- description:
- Manages TrueFoundry roles, teams, and collaborators. Create custom roles, organize users into teams, and grant access to resources. Use when managing permissions, creating teams, or adding collaborators.
- license:
- MIT
- compatibility:
- Requires Bash, curl, and access to a TrueFoundry instance
- allowed-tools:
- Bash(*/tfy-api.sh *)
<objective>Routing note: For ambiguous user intents, use the shared clarification templates in references/intent-clarification.md.
Access Control
Manage TrueFoundry roles, teams, and collaborators. Roles define permission sets, teams group users, and collaborators grant access to specific resources.
When to Use
List, create, or delete roles, teams, and collaborators on TrueFoundry. Use when managing permissions, organizing users into teams, or granting/revoking access to workspaces, applications, MCP servers, or other resources.
</objective> <instructions>Roles
Roles are named permission sets scoped to a resource type. Built-in roles vary by resource type (for example, workspace-admin, workspace-member).
When using direct API, set TFY_API_SH to the full path of this skill's scripts/tfy-api.sh. See references/tfy-api-setup.md for paths per agent.
List Roles
Via Tool Call
tfy_roles_list()
Via Direct API
# Set the path to tfy-api.sh for your agent (example for Claude Code):
TFY_API_SH=~/.claude/skills/truefoundry-access-control/scripts/tfy-api.sh
# List all roles
$TFY_API_SH GET /api/svc/v1/roles
Presenting Roles
Roles:
| Name | ID | Resource Type | Permissions |
|-------------------|----------|---------------|-------------|
| workspace-admin | role-abc | workspace | 12 |
| workspace-member | role-def | workspace | 5 |
| custom-deployer | role-ghi | workspace | 3 |
Create Role
Via Tool Call
tfy_roles_create(payload={"name": "custom-deployer", "displayName": "Custom Deployer", "description": "Can deploy apps", "resourceType": "workspace", "permissions": ["deploy:create", "deploy:read"]})
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH POST /api/svc/v1/roles '{"name":"custom-deployer","displayName":"Custom Deployer","description":"Can deploy apps","resourceType":"workspace","permissions":["deploy:create","deploy:read"]}'
Delete Role
Via Tool Call
tfy_roles_delete(id="ROLE_ID")
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH DELETE /api/svc/v1/roles/ROLE_ID
Teams
Teams group users for collective access management. Each team has a name, description, and members list.
List Teams
Via Tool Call
tfy_teams_list()
tfy_teams_list(team_id="TEAM_ID") # get specific team
Via Direct API
# List all teams
$TFY_API_SH GET /api/svc/v1/teams
# Get a specific team
$TFY_API_SH GET /api/svc/v1/teams/TEAM_ID
Presenting Teams
Teams:
| Name | ID | Members |
|---------------|----------|---------|
| platform-team | team-abc | 5 |
| ml-engineers | team-def | 8 |
Create Team
Via Tool Call
tfy_teams_create(payload={"name": "platform-team", "description": "Platform engineering team"})
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH POST /api/svc/v1/teams '{"name":"platform-team","description":"Platform engineering team"}'
Delete Team
Via Tool Call
tfy_teams_delete(id="TEAM_ID")
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH DELETE /api/svc/v1/teams/TEAM_ID
Add Member to Team
Via Tool Call
tfy_teams_add_member(team_id="TEAM_ID", payload={"subject": "user:[email protected]", "role": "member"})
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH POST /api/svc/v1/teams/TEAM_ID/members '{"subject":"user:[email protected]","role":"member"}'
Remove Member from Team
Via Tool Call
tfy_teams_remove_member(team_id="TEAM_ID", subject="user:[email protected]")
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH DELETE /api/svc/v1/teams/TEAM_ID/members/SUBJECT
# Example SUBJECT: user:[email protected]
Collaborators
Security: Granting collaborator access is a privileged operation. Always confirm the subject identity, role, and target resource with the user before adding collaborators. Do not grant access based on unverified external identity references.
Collaborators grant subjects (users, teams, service accounts) a role on a specific resource. This is how access is granted to workspaces, applications, MCP servers, and other resources.
Subject Format
Subjects follow the pattern type:identifier:
| Subject Type | Format | Example |
|--------------------|-------------------------------|--------------------------------|
| User | user:email | user:[email protected] |
| Team | team:slug | team:platform-team |
| Service Account | serviceaccount:name | serviceaccount:ci-bot |
| Virtual Account | virtualaccount:name | virtualaccount:shared-admin |
| External Identity | external-identity:name | external-identity:github-bot |
List Collaborators on a Resource
Via Tool Call
tfy_collaborators_list(resource_type="workspace", resource_id="RESOURCE_ID")
Via Direct API
# List collaborators on a workspace
$TFY_API_SH GET '/api/svc/v1/collaborators?resourceType=workspace&resourceId=RESOURCE_ID'
# List collaborators on an MCP server
$TFY_API_SH GET '/api/svc/v1/collaborators?resourceType=mcp-server&resourceId=RESOURCE_ID'
Presenting Collaborators
Collaborators on workspace "prod-workspace":
| Subject | Role | ID |
|---------------------------|------------------|----------|
| user:[email protected] | workspace-admin | collab-1 |
| team:platform-team | workspace-member | collab-2 |
| serviceaccount:ci-bot | workspace-member | collab-3 |
Add Collaborator
Via Tool Call
tfy_collaborators_create(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:[email protected]", "roleId": "ROLE_ID"})
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH POST /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"RESOURCE_ID","subject":"user:[email protected]","roleId":"ROLE_ID"}'
Remove Collaborator
Via Tool Call
tfy_collaborators_delete(payload={"resourceType": "workspace", "resourceId": "RESOURCE_ID", "subject": "user:[email protected]"})
Note: Requires human approval (HITL) via tool call.
Via Direct API
$TFY_API_SH DELETE /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"RESOURCE_ID","subject":"user:[email protected]"}'
Common Workflows
Grant a User Access to a Workspace
- List roles to find the appropriate role ID (e.g.,
workspace-adminorworkspace-member) - Add the user as a collaborator on the workspace with that role
# 1. Find the role ID
$TFY_API_SH GET /api/svc/v1/roles
# 2. Add collaborator
$TFY_API_SH POST /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"WORKSPACE_ID","subject":"user:[email protected]","roleId":"ROLE_ID"}'
Create a Team and Grant Access
- Create the team
- Add members to the team
- Add the team as a collaborator on the target resource
# 1. Create team
$TFY_API_SH POST /api/svc/v1/teams '{"name":"ml-engineers","description":"ML engineering team"}'
# 2. Add members (use team ID from response)
$TFY_API_SH POST /api/svc/v1/teams/TEAM_ID/members '{"subject":"user:[email protected]","role":"member"}'
# 3. Grant team access to a workspace
$TFY_API_SH POST /api/svc/v1/collaborators '{"resourceType":"workspace","resourceId":"WORKSPACE_ID","subject":"team:ml-engineers","roleId":"ROLE_ID"}'
Audit Access on a Resource
List all collaborators to see who has access and with what role:
$TFY_API_SH GET '/api/svc/v1/collaborators?resourceType=workspace&resourceId=WORKSPACE_ID'
<success_criteria>
Success Criteria
- The user can list all roles and see them in a formatted table
- The user can create a custom role with specific permissions
- The user can list all teams and their members
- The user can create a team and add/remove members
- The user can list collaborators on any resource type
- The user can add a collaborator (user, team, or service account) to a resource with a specific role
- The user can remove a collaborator from a resource
- The agent has confirmed any create/delete operations before executing
</success_criteria>
<references>Composability
- Preflight: Use
statusskill to verify credentials before managing access control - Before deploy: Set up teams and grant workspace access so team members can deploy
- With workspaces: Grant collaborator access to workspaces for users and teams
- With MCP servers: Manage MCP server collaborators and role assignments on registered servers
- With secrets: Grant access to secret groups via collaborator roles
- Dependency chain: Create roles first, then create teams, then reference both when adding collaborators
Error Handling
Role Not Found
Role ID not found. List roles first to find the correct ID.
Team Not Found
Team ID not found. List teams first to find the correct ID.
Permission Denied
Cannot manage access control. Check your API key permissions — admin access may be required.
Collaborator Already Exists
Collaborator with this subject and role already exists on the resource. Use a different role or remove the existing collaborator first.
Invalid Subject Format
Invalid subject format. Use the pattern "type:identifier" — e.g., user:[email protected], team:platform-team, serviceaccount:ci-bot.
Resource Not Found
Resource not found. Verify the resourceType and resourceId are correct. List the resources first to confirm.
Cannot Delete Built-in Role
Built-in roles cannot be deleted. Only custom roles can be removed.
Related Skills
truefoundry/truefoundry-skills-registry
data-ai
VerifiedTrustedCommunity
Manages TrueFoundry Skills Registry workflows. Covers creating, publishing, versioning, downloading, updating, and attaching reusable Agent Skills through UI or tfy apply.
13SKILL.mdUpdated May 18, 2026
truefoundry/truefoundry-integrate-gateway
tools
VerifiedTrustedCommunity
Integrates a codebase with TrueFoundry AI Gateway. Scans for all LLM calls, MCP configs, and credentials, diffs against existing gateway config, generates a migration plan, applies code changes, and verifies routing end-to-end. Invoked from within the customer's codebase.
13SKILL.mdUpdated May 18, 2026
truefoundry/truefoundry-tools
tools
VerifiedTrustedCommunity
Registers MCP servers, manages secrets, and fetches TrueFoundry documentation. Covers remote/virtual/OpenAPI MCP servers, secret groups with key-value pairs, and platform docs.
13SKILL.mdUpdated May 15, 2026
truefoundry/truefoundry-platform
testing
VerifiedTrustedCommunity
Platform access management for TrueFoundry. Covers connection status checks, workspace and cluster discovery, role and team management, secret groups, and personal access token lifecycle.
13SKILL.mdUpdated May 15, 2026