Database Session Identity and Role Propagation

When you run a Custom SQL Tool or a SQL Report through the Database Tools MCP Server, the server propagates the end-user identity into the database session. The identity attributes are stored in the database session context namespace CLIENTCONTEXT.

In SQL or PL/SQL, you can retrieve these values by using the SYS_CONTEXT function:

SYS_CONTEXT('CLIENTCONTEXT', '<PARAMETER_NAME>')

You can use CLIENTCONTEXT values in SQL or PL/SQL to implement access controls based on application roles, apply row-level filtering, and return user-specific results. This also improves auditing by associating database activity with the originating IAM user.

The propagated identity attributes can also be captured using Oracle Database Unified Auditing and correlated with OCI Audit logs to provide complete traceability of MCP requests. For more information, see Auditing.

All the parameters in the following table are under the namespace: CLIENTCONTEXT

| Parameter | Description | Examples | Source |
|---|---|---|---|
| OAUTH_SUB_TYPE | Subject Type | user | sub_type claim |
| OAUTH_SUB | Subject | first.last@example.com | sub claim |
| OAUTH_USER_OCID | User OCID | ocid1.user.oc1..xxxx | user_ocid claim |
| OAUTH_CLIENT_OCID | Client OCID | ocid1.domainapp.oc1.iad.xxxx | client_ocid claim |
| OAUTH_CLIENT_NAME | Client Name | Cline | client_name claim |
| OAUTH_CA_OCID | Cloud Account OCID | ocid1.tenancy.oc1..xxxx | ca_ocid claim |
| OAUTH_CA_NAME | Cloud Account Name | oraclefreedb | ca_name claim |
| OAUTH_DOMAIN_ID | Domain Id | ocid1.domain.oc1..xxxx | domain_id claim |
| OAUTH_DOMAIN_NAME | Domain Name | dbtools-mcp | domain claim |
| IAM_DOMAIN_APP_ROLES | Application roles assigned | MCP_User, MCP_Operator | Application Roles assigned to subject |
| RESOURCE_OCID | Database Tools MCP Server OCID | ocid1.databasetoolsmcpserver.oc1.phx.xxxx | Database Tools MCP Server OCID |
| RESOURCE_COMPARTMENT_OCID | Compartment OCID of the Database Tools MCP Server | ocid1.compartment.oc1..xxxx | Database Tools MCP Server Compartment OCID |
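
The role-based access control and row-level filtering described above can be combined in a view that a Custom SQL Tool queries. The following is an added example, not Oracle's own code: the table, function and view names are hypothetical, the role names are the sample values from the table, and the comma-separated format of IAM_DOMAIN_APP_ROLES is assumed from that sample.

```sql
-- Added example. Hypothetical names: support_tickets, owner_email,
-- has_app_role, my_tickets_v. Role names are the page's sample values.
-- Assumption: the schema is reached only through the MCP Server, so the
-- CLIENTCONTEXT values are the ones the server propagated.
CREATE TABLE support_tickets (
  ticket_id   NUMBER PRIMARY KEY,
  owner_email VARCHAR2(320) NOT NULL,
  summary     VARCHAR2(400)
);

-- Returns 1 only when p_role is a whole entry in IAM_DOMAIN_APP_ROLES.
-- Assumption: the value is a comma-separated list ("MCP_User, MCP_Operator")
-- and role names contain no spaces or commas.
CREATE OR REPLACE FUNCTION has_app_role(p_role IN VARCHAR2) RETURN NUMBER
IS
  l_roles VARCHAR2(4000);
BEGIN
  -- The third argument raises the return length from the 256-byte default,
  -- so a long role list is not silently truncated.
  SELECT SYS_CONTEXT('CLIENTCONTEXT', 'IAM_DOMAIN_APP_ROLES', 4000)
    INTO l_roles FROM dual;
  IF l_roles IS NULL OR p_role IS NULL THEN
    RETURN 0;  -- no propagated roles: deny
  END IF;
  -- Wrap both sides in commas so 'MCP_User' cannot match 'MCP_User_Admin',
  -- which a LIKE '%MCP_User%' test would allow.
  IF INSTR(',' || REPLACE(l_roles, ' ') || ',', ',' || p_role || ',') > 0 THEN
    RETURN 1;
  END IF;
  RETURN 0;
END has_app_role;
/

-- Operators see every row; users see only rows whose owner matches the
-- propagated subject. A NULL OAUTH_SUB compares as unknown, so a session
-- without propagated identity gets no rows.
CREATE OR REPLACE VIEW my_tickets_v AS
SELECT t.ticket_id, t.owner_email, t.summary
FROM   support_tickets t
WHERE  has_app_role('MCP_Operator') = 1
   OR (has_app_role('MCP_User') = 1
       AND LOWER(t.owner_email) =
           LOWER(SYS_CONTEXT('CLIENTCONTEXT', 'OAUTH_SUB')));
```

Have the Custom SQL Tool select from my_tickets_v rather than from the base table, so the filter applies to every request.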