loading…
Search for a command to run...
loading…
An HR management server that provides access to employee directory information, sensitive PII, and salary data through a scope-based authorization system. It en
An HR management server that provides access to employee directory information, sensitive PII, and salary data through a scope-based authorization system. It enables users to view, search, and update employee records and organizational charts using tools mapped to specific permission levels.
An HR MCP Server built with FastMCP that exposes employee directory, profile, salary, and PII data through scope-based authorization.
| Scope | Description |
|---|---|
reader |
Access non-PII employee data (name, department, job title, office, etc.) |
writer |
Update employee records |
restricted |
Access PII / sensitive data (salary, address, tax info, bank details, etc.) |
| Tool | Required Scopes |
|---|---|
list_employees |
reader |
get_employee_profile |
reader |
search_employee_directory |
reader |
get_org_chart |
reader |
get_employee_pii |
restricted |
get_employee_salary |
restricted |
get_employee_full_record |
restricted |
get_department_salary_summary |
restricted |
update_employee_profile |
writer |
update_employee_salary |
writer + restricted |
update_employee_contact |
writer + restricted |
whoami |
(any authenticated user) |
pip install fastmcp
# STDIO mode (for MCP clients)
python server.py
# Or via FastMCP CLI
fastmcp run server.py
The server ships with 7 mock employees across departments (Engineering, Data Science, HR, Finance, Operations, Executive). All data is in-memory via hr_data.py.
az) installed and logged in.\build-and-push.ps1 -AcrName <your-acr-name>
This builds the image and pushes it as <your-acr-name>.azurecr.io/hr-mcp-server:latest.
az deployment group create `
--resource-group <your-rg> `
--template-file infra/container-app.bicep `
--parameters `
environmentId="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.App/managedEnvironments/<env-name>" `
acrLoginServer="<your-acr-name>.azurecr.io" `
appInsightsConnectionString="<optional-connection-string>"
The Bicep template (infra/container-app.bicep) creates a Container App with:
After deployment, assign the AcrPull role to the Container App's managed identity:
# Get the principal ID from the deployment output
$principalId = (az containerapp show --name hr-mcp-server --resource-group <your-rg> --query identity.principalId -o tsv)
az role assignment create `
--assignee $principalId `
--role AcrPull `
--scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<your-acr-name>
After the role assignment propagates, restart to pull the image with the managed identity:
az containerapp revision restart --name hr-mcp-server --resource-group <your-rg>
Добавь это в claude_desktop_config.json и перезапусти Claude Desktop.
{
"mcpServers": {
"hr-mcp-server": {
"command": "npx",
"args": []
}
}
}