Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt

Use this file to discover all available pages before exploring further.

Connect AI assistants like Claude Desktop, Codex, Cursor, and VS Code to query your C1 data using the Model Context Protocol (MCP).
AI Connections are read-only. Connected AI assistants can view your C1 data but cannot create, modify, or delete any configuration.

Security considerations

AI Connections is designed with security as a priority:
  • Read-only access: AI assistants cannot modify any data or configuration.
  • User-scoped authorization: Each user authorizes their own connections.
  • IP restrictions: Optional IP allow listing for network-level control.
  • Audit logging: All AI queries are logged in the system log.
  • Revocable access: Connections can be revoked at any time.

Prerequisites

Before users can connect AI assistants, a C1 administrator must complete the following setup.

Turn on AI connections

A Super Admin must enable AI connections in your tenant settings:
1
Navigate to Settings > AI connections.
2
At the top of the AI connections page, click Edit and toggle Enable AI connections to on.
3
Click Save.
Once enabled, the MCP server URL is not shown on this settings page. Each user must navigate to their user profile menu and click AI & API > AI connections to find their MCP server URL.

Optional: Configure IP restrictions

For additional security, you can restrict which IP addresses can use AI connections:
1
Navigate to Settings in the left sidebar.
2
Under the Security sub-section, select SSO & sessions.
3
Scroll down to the Global IP allow list configuration.
4
Find the AI connections section.
5
Add allowed CIDR ranges.
6
Click Save.
If you configure IP restrictions, AI assistants will only work from the specified IP ranges. This is useful for restricting usage to corporate networks or VPNs.

Connect an AI assistant

Only users with Super Admin or Read-Only Admin roles can authorize AI connections.
1
Get the MCP server URLIn C1, navigate to your user profile menu and click AI & API > AI connections. Copy the MCP server URL displayed at the top of the page:
https://<your-tenant>-mcp.conductor.one/v1
2
Configure your AI assistantAdd the MCP server URL to your AI assistant’s configuration:
  1. Open Claude Desktop settings.
  2. Navigate to the MCP servers section.
  3. Add a new server with the C1 MCP URL.
  4. Save and restart Claude Desktop.
3
Authorize the connectionWhen your AI assistant first connects, you’ll be redirected to C1 to authorize the connection:
  1. Review the connection details.
  2. Optional. Customize the connection name.
  3. The connection is granted Read-Only Admin access.
  4. Click Allow to authorize.
4
Start queryingOnce authorized, your AI assistant can query C1 data. The connection appears in your user profile under AI & API > AI connections.

Available tools

Connected AI assistants have access to the following query tools:
ToolDescription
find_api_objectsQuery objects by identifiers, search text, or filters
count_api_objectsCount objects matching specific criteria
list_object_typesList all available object types
describe_object_filtersGet filterable fields for an object type
get_object_schemaGet the JSON schema for an object type

Queryable objects

AI assistants can query 20 different object types across your C1 tenant.

Identity and applications

ObjectDescription
UserIdentity accounts in your directory
AppApplications and directories connected to C1
ConnectorData sync connectors for applications
TaskAccess requests, reviews, and other tickets
PolicyApproval workflows and access policies

Application data model

ObjectDescription
AppUserApplication accounts linked to identities
AppResourceTypeCategories of resources within applications
AppResourceSpecific resources within applications
AppEntitlementPermissions and roles within applications
GrantEntitlement assignments to users

Access reviews

ObjectDescription
AccessReviewAccess review campaigns
AccessReviewTemplateTemplates for recurring reviews
AccessReviewSelectionIndividual items within a review

Access conflicts and separation of duties

ObjectDescription
ConflictMonitorSeparation of duties policies
AccessViolationDetected SoD violations

Supporting objects

ObjectDescription
RequestCatalogCollections of requestable entitlements in an Access Profile
WebhookEvent notification configurations
DirectoryAccount sync configurations
ProfileTypeAttribute mapping configurations
RoleBindingC1 role assignments

Example queries

Here are some examples of questions you can ask your AI assistant. Access analysis
  • “Who has access to Salesforce?”
  • “What apps does jane@company.com have access to?”
  • “Show me all users with admin access to AWS”
  • “List all entitlements for the Engineering group”
Access requests
  • “Show me all pending access requests”
  • “How many access requests were created this week?”
  • “Find all denied access requests for the Finance app”
  • “What requests are waiting for my approval?”
Access reviews
  • “List access review campaigns that are in progress”
  • “How many items are in the Q4 access review?”
  • “Show me completed access reviews from this month”
  • “Which access reviews are past their due date?”
Compliance
  • “Find all separation of duties violations”
  • “Which users have conflicting access?”
  • “Show me all active conflict monitors”
  • “List users who violate the Finance-Engineering SoD policy”

Managing connections

View connections

Navigate to your user profile menu and click AI & API > AI connections to see all AI connections you’ve authorized. Each connection shows:
  • AI assistant name and icon
  • Client ID
  • Connection date
  • Last used date

Revoke a connection

1
Navigate to your user profile menu and click AI & API > AI connections.
2
Find the connection you want to revoke.
3
Click Revoke.
4
Type the connection name to confirm.
5
Click Confirm.
Revoking a connection immediately prevents the AI assistant from accessing your C1 data. You can re-authorize the connection later if needed.

Admin management

Super Admins can navigate to Settings > AI connections to view and revoke all connections across the tenant.

System log events

All MCP activity is recorded in the C1 system log. You can use these event types to monitor and alert on AI connection activity:
EventActivity NameDescription
MCP Session Startmcp_session_startLogged when an AI assistant establishes a connection
MCP Session Endmcp_session_endLogged when an AI assistant disconnects (includes session statistics)
MCP Tool Callmcp_tool_callLogged for each tool invocation (query, count, and so on)

System log matching rules

Use these filters in Settings > System Log to monitor AI connection activity: All MCP activity: 
activity_name starts with "mcp_"
Session connections only: 
activity_name = "mcp_session_start"
Tool calls only: 
activity_name = "mcp_tool_call"
Failed tool calls: 
activity_name = "mcp_tool_call" AND outcome = "FAILURE"
Activity by specific user: 
activity_name starts with "mcp_" AND actor.user.email = "user@example.com"

Session event details

Each MCP session event includes:
FieldDescription
Session IDUnique identifier for the connection
UserThe C1 user who authorized the connection
Source IPIP address of the AI assistant
User AgentClient identifier (for example, Claude Desktop, Codex, or Cursor)
DurationSession length (in session end events)
Tool call countsSuccess/failure statistics (in session end events)

Tool call event details

Each tool call event includes:
FieldDescription
Tool nameWhich tool was invoked (for example, find_api_objects)
Object typeThe API object being queried (for example, User or App)
Result countNumber of objects returned
DurationQuery execution time
OutcomeSuccess or failure status

Frequently asked questions about AI connections

No. AI Connections are granted Read-Only Admin access. Connected AI assistants can view and query your data, but they cannot create, update, or delete any configuration, users, or access assignments.
Only users with Super Admin or Read-Only Admin roles can authorize AI connections for their own use at this time.
Any tool that supports the Model Context Protocol (MCP) can connect to C1, including:
  • Claude Desktop
  • Claude Code
  • Codex
  • Cursor
  • VS Code (with MCP extensions)
  • Other MCP-compatible AI assistants
Cursor currently gives the best experience because it handles large tool call results more gracefully than other clients. Queries that return many objects — Task queries in particular — can use a lot of context window. We’re working on improving this for all clients.
Administrators can configure IP allow lists in Settings > IP Allowlist > AI connections to restrict access to specific IP ranges. This is useful for limiting usage to corporate networks or VPNs.
Yes. AI connection activity is logged in your C1 system log. See System log events for details.
The AI assistant immediately loses access to your C1 data. Any ongoing queries will fail. You can re-authorize the same AI assistant later by going through the connection flow again.
When you query data through an AI assistant, the query results are sent to the AI provider (for example, Anthropic for Claude) to generate responses. Only the data specifically requested by your queries is transmitted. C1 does not send your data to any AI providers in the MCP flow — it is sent by clients under your control.