Creating and Managing Policies

This guide walks you through creating and managing security policies in Helmet to control MCP server access and tool usage.

Creating Your First Policy

Step 1: Access Policy Management

Navigate to the Policy section in the Helmet dashboard
Click the "Add Policy" button
The policy creation form will open

Step 2: Configure Basic Settings

Policy Name

Choose a descriptive name that reflects the policy's purpose:

Use clear, consistent naming conventions
Include the target or restriction type
Examples: "production-database-readonly", "dev-team-full-access"

Description

Provide a detailed description including:

Policy purpose and goals
What it restricts or allows
Who it affects
Why it was created

Scope

Select where this policy applies:

Global: All servers and users
Tenant: Specific organization or group
Server: Individual MCP servers
User: Specific users or roles

Priority

Set the evaluation order (1-1000):

Higher numbers = higher priority
Evaluated first in conflicts
Default: 100
Critical policies: 500+

Step 3: Enable the Policy

Toggle the Enabled switch to activate the policy immediately upon creation.

Adding Policy Rules

Understanding Rule Types

Tool Access Rules

Control which tools can be executed:

Allow: Explicitly permit tool usage
Deny: Block tool execution
Conditional: Apply based on context

Parameter Rules

Validate and restrict tool parameters:

Required parameters
Value constraints
Pattern matching
Type enforcement

Creating a Tool Access Rule

Click "Add Rule" in your policy
Select "Tool Policy Rule"
Configure the rule:

Tool Name Pattern

Specify which tools this rule affects:

Exact match: read_file
Wildcard: * (all tools)
Pattern: database_*
Multiple: Use separate rules

Action

Choose the rule behavior:

Allow: Permit the tool call
Deny: Block with error
Log: Allow but audit

Conditions (Optional)

Add contextual restrictions:

Time-based access
User attributes
Request patterns
Environment checks

Example Rules

Block Dangerous Tools

Tool Name: execute_command
Action: Deny
Reason: "System command execution not permitted"
Log Usage: Yes

Limit Database Access

Tool Name: query_database
Action: Allow
Rate Limit: 10 per minute
Parameter Constraint: {
  "database": ["production_readonly"]
}

Audit File Access

Tool Name: read_file
Action: Allow
Log Usage: Yes
Allowed Parameters: {
  "path": ["/shared/docs/*"]
}

Managing Policy Rules

Viewing Rules

Each policy displays:

Total rule count
Rule types breakdown
Last modification date
Effectiveness metrics

Editing Rules

To modify existing rules:

Click on the policy name
Select the rule to edit
Update parameters
Save changes

Rule Order

Within a policy:

Rules evaluated sequentially
First match wins
Deny rules typically first
Most specific before general

Deleting Rules

Remove rules carefully:

Review dependencies
Check for alternatives
Confirm deletion
Monitor impact

Advanced Policy Features

Parameter Constraints

Define complex parameter validation:

{
  "database": {
    "allowed": ["prod_read", "staging"],
    "pattern": "^[a-z_]+$"
  },
  "limit": {
    "min": 1,
    "max": 1000
  }
}

Troubleshooting

Policy Not Working

Check common issues:

Policy enabled?
Priority correct?
Rule syntax valid?
Scope matches?
No conflicts?

Unexpected Blocks

Debug blocked requests:

Check policy logs
Review rule order
Verify parameters
Test in simulation
Adjust as needed

Creating Your First Policy​

Step 1: Access Policy Management​

Step 2: Configure Basic Settings​

Policy Name​

Description​

Scope​

Priority​

Step 3: Enable the Policy​

Adding Policy Rules​

Understanding Rule Types​

Tool Access Rules​

Parameter Rules​

Creating a Tool Access Rule​

Tool Name Pattern​

Action​

Conditions (Optional)​

Example Rules​

Block Dangerous Tools​

Limit Database Access​

Audit File Access​

Managing Policy Rules​

Viewing Rules​

Editing Rules​

Rule Order​

Deleting Rules​

Advanced Policy Features​

Parameter Constraints​

Troubleshooting​

Policy Not Working​

Unexpected Blocks​