- You know the exact JSON field paths that contain sensitive data
- You want to guarantee a field is always removed regardless of its content
- You need an allow-only posture — strip every field except the ones explicitly approved for a given audience
- The tool returns structured data (Salesforce records, database rows, API responses) where field names are stable
View your field control rules
Navigate to Data Control Center → Field Controls. The rules table lists every active rule with:- Rule name
- MCP Server and Tool — the specific tool the rule targets
- Direction — Input (what the agent sends) or Output (what the tool returns)
- Mode — Redact listed fields, or Allow only listed fields
- Audience — groups or roles scoped (blank = everyone)
- Status — enabled or disabled
Create a rule
Before creating a rule, use the Sample a call panel to see the real response shape from the tool. This tells you the exact field paths to configure.Step 1 — Sample the tool (recommended)
- In the Field Controls tab, click New rule to open the rule dialog.
- Select the MCP Server and tool you want to control.
-
In the Sample a call section, click the expander. This runs a live call through the proxy admin endpoint and returns the structured response.

- The response fields appear in the field picker. Select the paths you want to redact or allow.
Step 2 — Configure the rule
Complete the remaining fields:- Rule name — a descriptive name (e.g., “Strip revenue fields from Salesforce Account for support group”).
-
Direction:
- Output — controls what the tool returns to the agent (most common)
- Input — controls what the agent sends to the tool
-
Mode:
Choose Redact listed when you have a small number of known sensitive fields and want everything else to flow. Choose Allow only listed when you need strict control and only a defined subset of fields should ever reach the agent.
Mode Behaviour Redact listed The fields you name are removed; everything else passes through, including new fields the tool adds later Allow only listed Only the fields you name pass through; everything else is removed, including new fields the tool adds later -
Fields — select paths from the field picker (populated by the sample call), or type dotted paths directly (e.g.,
records[*].AnnualRevenue,records[*].BillingAddress). - Principals (optional) — add groups or roles to scope the rule. Without principals, the rule applies to everyone.
- Enabled — leave toggled on to activate immediately, or toggle off to save the rule in a disabled state.
- Click Save rule.
Edit a rule
- Find the rule in the Field Controls table.
- Click ⋮ → Edit.
- Update the name, mode, field list, or principals.
- Save. The rule takes effect immediately on the next matching tool call.
Delete a rule
- Click ⋮ → Delete on the rule row.
- Confirm. The rule stops applying immediately.
Enable and disable rules
Toggle a rule on or off without deleting it. Use this to temporarily suspend a rule during debugging or a maintenance window while preserving its configuration.Test a field control rule
Using the Sample a call panel
The sample panel within the rule editor is the primary testing tool. Before saving a rule, run a sample call and verify:- The fields you expect to be present are in the response
- Your selected field paths match the actual paths in the response (nested paths use dot notation:
records[0].Name)
Using the Policy Test Workbench
- Navigate to Data Control Center → Test.
- Select the MCP server and tool.
- Paste a representative tool response payload.
- Review the processed output to confirm the fields are redacted or allowed as expected.
Verifying in the Audit Center
Field control events appear in the Audit Center alongside detection policy events. Filter by Event type → Data Protection and look forfield_control action type rows. Each row shows:
- The tool and MCP server
- The direction (Input / Output)
- The fields that were redacted
- The rule and principal context that matched
Common patterns
Always strip revenue data from Salesforce Account records for the support team:- Server: Revenue ops Salesforce
- Tool:
queryAccount - Direction: Output
- Mode: Redact listed
- Fields:
records[*].AnnualRevenue,records[*].BillingAddress,records[*].Contract__c - Principals: Group
customer-support
- Server: Finance reconciliation
- Tool:
getVendorPayment - Direction: Output
- Mode: Allow only listed
- Fields:
vendor_name,payment_date,invoice_id,status - Principals: (none — applies to everyone)
- Server: Internal API
- Tool:
createTicket - Direction: Input
- Mode: Redact listed
- Fields:
_internal_user_id,_session_token,_trace_id - Principals: (none)