How Enginy scopes work Alpha
Think of scopes as permission groups. They let an admin decide what an AI assistant is allowed to read or change in Enginy without reviewing every individual API route.
There are four important rules:
- The workspace policy is the maximum permission limit.
- A client can ask for all of that limit or only part of it.
- Write permissions also include the matching read permissions.
ALLgrants the full MCP surface.
Permission groups Alpha
| Scope group | What it allows | Example endpoint families |
|---|---|---|
WORKSPACE_READ | Workspace metadata such as credits, saved views, filters, and validation helpers | credits, validation, saved views |
IDENTITIES_READ | Sender identities and identity performance | identities, sender performance |
OWNERS_READ | CRM owner lookup for routing and task assignment | owner lookup |
CAMPAIGNS_READ | Read campaigns and folders | campaigns, campaign folders |
CAMPAIGNS_WRITE | Create and mutate campaigns | campaign create, clone, status, membership changes |
CONTACTS_READ | Read contacts, search results, and contact fields | contacts, contact fields |
CONTACTS_WRITE | Create and update contacts | contact create and update |
COMPANIES_READ | Read companies, search results, and company fields | companies, company fields |
COMPANIES_WRITE | Create and update companies | company create and update |
LISTS_READ | Read lists and list folders | lists, folders |
LISTS_WRITE | Create lists/folders and move members | list create, add, move |
AI_VARIABLES_READ | Read AI variables and AI variable folders | AI variables, AI variable folders |
AI_VARIABLES_WRITE | Create, update, and delete AI variables and folders | AI variable mutations |
ANALYTICS_READ | Read analytics exports and campaign analytics | analytics exports, campaign analytics |
ACTIONS_READ | Read action-run state | actions status |
ACTIONS_WRITE | Start actions and AI Finder imports | actions create, AI Finder import |
MESSAGING_READ | Read inbox threads, tags, and conversation messages | inboxes, messages |
MESSAGING_WRITE | Send replies and mutate thread state | replies, tags, archive state |
WEBHOOKS_READ | Read webhook subscriptions and logs | webhooks, webhook logs |
WEBHOOKS_WRITE | Create, update, delete, and test webhooks | webhook mutations |
Write scopes imply read scopes Alpha
Enginy automatically expands write scopes to include the matching read scope:
| If you grant | Enginy also grants |
|---|---|
CAMPAIGNS_WRITE | CAMPAIGNS_READ |
CONTACTS_WRITE | CONTACTS_READ |
COMPANIES_WRITE | COMPANIES_READ |
LISTS_WRITE | LISTS_READ |
AI_VARIABLES_WRITE | AI_VARIABLES_READ |
ACTIONS_WRITE | ACTIONS_READ |
MESSAGING_WRITE | MESSAGING_READ |
WEBHOOKS_WRITE | WEBHOOKS_READ |
How workspace policy and user approval fit together Alpha
An admin sets the workspace limit
The active MCP policy on the workspace defines the maximum permissions that may be granted.
The AI interface asks for permissions
A client can request an explicit subset, or omit scopes entirely and let Enginy grant the whole policy
limit.
The user reviews what will be granted
The approval screen shows the permissions that will actually be granted after policy checks.
Recommended starting policies Alpha
Read-only exploration
Start here for general assistant workflows where the AI should look things up and summarize, but not make changes:WORKSPACE_READIDENTITIES_READCONTACTS_READCOMPANIES_READLISTS_READ
Campaign operations
Add these only if the AI should be allowed to change campaign state:CAMPAIGNS_WRITEOWNERS_READ
Inbox or automation operations
Add these only for explicit automation or operator flows:MESSAGING_WRITEACTIONS_WRITEWEBHOOKS_WRITE