Section 4 · Step 1

Tighten the loans:export policy

Remove one role from the allow-list. Every user-delegated loans:export request from EU staff fails from the next call onward.

Descope Console · Policies / loans:export

Edit rule

Define who can get which scopes from which targets.

Rule name: Who can export loan data
Description: Who may receive a loans:export token, and how.

Subjects

Select who this rule applies to.

Match by claims, roles, tenants or tags.
  • Key: user.roles · Operator: Contains · Value: loan-manager
  • Key: user.roles · Operator: Contains · Values: eu-staff [Remove], us-staff

eu-staff is still on the export allow-list. Click Remove eu-staff to take it off — leaving user.roles Contains [us-staff].

Targets

Select the Resources (APIs, MCP Servers) or Connections this rule grants access to. For each, choose which scopes can be issued.

Loan System MCP
loans:export · scope

Grant types

Choose which grant types this rule permits. This rule applies only to requests using the selected types.

Evaluated at token issuance · last updated Feb 12, 2026, 10:00 AM by priya@northwind.com
Worth noting · sibling policy

The policy editor isn't an emergency tool. Look at loans:approve — it has had a condition since the MCP server was first wired to Descope. The eu-staff removal you just made and the day-one loan-manager gate are the same kind of policy object, written the same way.

Policies / loans:approve
loans:approve · ALLOW
  • user.roles Contains ["loan-manager"]
Day-one config · last updated Feb 12, 2026
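The rule semantics the editor describes (subjects matched on claims, targets naming a resource and the scopes it may issue, evaluated when a token is requested), as an added Python model that is not Descope's evaluator: the rule objects and user claims are constructed, and it assumes the subject conditions within a rule are ANDed, which is what makes every EU-staff export request fail once eu-staff is removed while the sibling loans:approve rule is untouched.

```python
# Added model of the editor's rule semantics (not Descope's code). Assumes subject
# conditions are ANDed, grant-type labels are illustrative, same MCP for approve.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    subjects: list                      # (claim_key, operator, [values]); all must match
    targets: dict                       # resource -> set of scopes the rule may issue
    grant_types: set = field(default_factory=lambda: {"user-delegated"})

def _matches(claims, key, operator, values):
    # Only the operator the editor shows, "Contains", is modelled: the claim
    # (a list such as user.roles) must contain at least one of the values.
    if operator != "Contains":
        raise ValueError(f"unsupported operator: {operator}")
    return any(v in claims.get(key, []) for v in values)

def allowed(rules, claims, resource, scope, grant_type="user-delegated"):
    """Evaluated at token issuance: may `scope` on `resource` be issued to this user?"""
    for r in rules:
        if grant_type not in r.grant_types or scope not in r.targets.get(resource, set()):
            continue
        if all(_matches(claims, k, op, vals) for k, op, vals in r.subjects):
            return True
    return False

MCP = "Loan System MCP"
EXPORT_BEFORE = Rule("Who can export loan data",
                     [("user.roles", "Contains", ["loan-manager"]),
                      ("user.roles", "Contains", ["eu-staff", "us-staff"])],
                     {MCP: {"loans:export"}})
EXPORT_AFTER = Rule("Who can export loan data",           # eu-staff removed
                    [("user.roles", "Contains", ["loan-manager"]),
                     ("user.roles", "Contains", ["us-staff"])],
                    {MCP: {"loans:export"}})
APPROVE = Rule("loans:approve",                            # the day-one sibling policy
               [("user.roles", "Contains", ["loan-manager"])],
               {MCP: {"loans:approve"}})

EU_MANAGER = {"user.roles": ["loan-manager", "eu-staff"]}  # constructed user claims
US_MANAGER = {"user.roles": ["loan-manager", "us-staff"]}

def demo():
    """Outcome of the same requests before and after the tightening."""
    return {
        "eu_export_before": allowed([EXPORT_BEFORE, APPROVE], EU_MANAGER, MCP, "loans:export"),
        "eu_export_after": allowed([EXPORT_AFTER, APPROVE], EU_MANAGER, MCP, "loans:export"),
        "us_export_after": allowed([EXPORT_AFTER, APPROVE], US_MANAGER, MCP, "loans:export"),
        "eu_approve_after": allowed([EXPORT_AFTER, APPROVE], EU_MANAGER, MCP, "loans:approve"),
    }
```

Because the rule is evaluated at issuance, the change bites on the next token request; tokens already issued are not re-evaluated by this model.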