tie-mcp-server
The tie-mcp-server provides a comprehensive MCP interface to the Tenable Identity Exposure (TIE) API, enabling management and monitoring of Active Directory security through 130+ tools.
Identity & Access Management
Manage AD objects, users, roles, profiles, and authentication (API keys, LDAP configuration, lockout policies)
Handle user creation defaults and role permissions
Infrastructure & Directory Management
Full CRUD for infrastructures and directories
View topology via the
get_topologyconvenience tool (infrastructure→directory hierarchy)
Attack & Deviance Monitoring
List, search, export, and update attacks and deviances
Manage attack types, checker options, categories, and reasons
Export checker data as CSV
Alert & Notification Management
View and bulk-update security alerts per profile
Full CRUD for email notifiers; send test notifications
Event Management
Retrieve and search events by directory or infrastructure
Get AD object changes and deviance changes between events
Configuration & Settings
Manage global application settings (SMTP, TLS, telemetry, user registration)
Configure LDAP integration, lockout policies, license, and dashboards (full CRUD)
Get and update user preferences; retrieve preferred profile via
get_preferred_profile
Reporting & Metrics
Export attack data, collect health metrics, and get cloud statistics
Get and refresh Tenable Cloud report access tokens
Security & Multi-Tenancy
Apply granular tool-level filtering based on operation safety (read, write, destructive)
Support multi-tenant deployments with distinct API credentials and base URLs per environment
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@tie-mcp-serverlist all active directory users"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
TIE MCP Server
Model Context Protocol (MCP) server for Tenable Identity Exposure API.
Features
Complete coverage of all 131 TIE API operations (one MCP tool per endpoint)
Additional convenience tools for discovery and navigation (2 custom tools)
Client-side credential management for security
Multi-tenant support (multiple TIE environments)
Granular tool-level security controls
Auto-generated tool definitions from the OpenAPI specification
Related MCP server: cipp-mcp
Installation
The server runs as a local subprocess of your MCP client and communicates over stdio. Choose one of the following.
Option A — npx (recommended, once published)
No local clone or build. Reference it directly from your MCP client config (see Configuration):
{ "command": "npx", "args": ["-y", "tie-mcp-server"] }Option B — from source
git clone <repo-url> tie-mcp-server
cd tie-mcp-server
npm install # also builds via the `prepare` script
npm run build # (re-run after any source change)Then point your client at the built entry point, e.g.
node /absolute/path/to/tie-mcp-server/build/index.js.
Option C — Docker
A multi-stage Dockerfile is provided for users who prefer not to install
Node locally. Build the image:
docker build -t tie-mcp-server .Because the server speaks MCP over stdio, the container must be run
interactively (-i) with credentials passed as environment variables:
{
"command": "docker",
"args": [
"run", "-i", "--rm",
"-e", "TIE_BASE_URL",
"-e", "TIE_API_KEY",
"tie-mcp-server"
],
"env": {
"TIE_BASE_URL": "https://customer.tenable.ad",
"TIE_API_KEY": "your-api-key-here"
}
}Note: This is a per-user local tool using stdio transport, so Docker Compose is not applicable (there is no long-running network service to orchestrate). Docker is offered only to bundle the Node runtime. If you need a centrally-hosted, multi-client gateway, that requires switching to MCP's HTTP/SSE transport first — see Hosting as a shared service.
Configuration
The MCP server requires two environment variables:
TIE_BASE_URL- Your TIE instance URL (e.g.,https://customer.tenable.ad)TIE_API_KEY- Your TIE API key
Single Environment Setup
Add to your MCP client configuration (e.g., ~/.claude/settings.json):
{
"mcpServers": {
"tie": {
"command": "node",
"args": ["/path/to/tie-mcp-server/build/index.js"],
"env": {
"TIE_BASE_URL": "https://customer.tenable.ad",
"TIE_API_KEY": "your-api-key-here"
}
}
}
}Multiple Environments Setup
For multiple TIE environments, add multiple server instances:
{
"mcpServers": {
"tie-prod": {
"command": "node",
"args": ["/path/to/tie-mcp-server/build/index.js"],
"env": {
"TIE_BASE_URL": "https://prod.tenable.ad",
"TIE_API_KEY": "prod-key"
}
},
"tie-staging": {
"command": "node",
"args": ["/path/to/tie-mcp-server/build/index.js"],
"env": {
"TIE_BASE_URL": "https://staging.tenable.ad",
"TIE_API_KEY": "staging-key"
}
}
}
}Development
# Install dependencies
npm install
# Regenerate tool definitions from the OpenAPI spec (writes src/generated/tools.ts)
npm run generate:tools
# (Optional) Generate TypeScript API types from the OpenAPI spec
npm run generate:client
# Build the project
npm run build
# Watch mode for development
npm run watch
# Run without building (development)
npm run dev
# Type checking
npm run typecheck
# Linting
npm run lintSecurity
Client-Side Credentials
Credentials are never stored in the MCP server code. They must be configured on the client side (MCP client config) and passed as environment variables to the server process.
Tool-Level Filtering
Organizations can filter tools by operation type for granular security control:
{
"mcpServers": {
"tie": {
"command": "node",
"args": ["/path/to/tie-mcp-server/build/index.js"],
"env": {
"TIE_BASE_URL": "https://customer.tenable.ad",
"TIE_API_KEY": "key"
},
"allowedTools": ["get_*", "list_*", "search_*"],
"deniedTools": ["delete_*"]
}
}
}Tool categories by risk level (the safety field on each generated descriptor):
🟢 read (70 tools):
get_*,list_*,search_*,export_*🟡 write (51 tools):
create_*,update_*,set_*, plus actions likecommit_*,login🔴 destructive (10 tools):
delete_*,unstage_*
Server-side safety filter
Beyond the client's allowedTools/deniedTools, the server itself honors a
TIE_ALLOWED_SAFETY environment variable. Set it to a comma-separated list of
tiers to advertise only those tools — e.g. read for a strictly read-only
deployment, or read,write to disable destructive operations entirely:
{
"mcpServers": {
"tie-readonly": {
"command": "node",
"args": ["/path/to/tie-mcp-server/build/index.js"],
"env": {
"TIE_BASE_URL": "https://customer.tenable.ad",
"TIE_API_KEY": "key",
"TIE_ALLOWED_SAFETY": "read"
}
}
}
}Architecture
Rather than hand-writing a handler per endpoint, tool definitions are generated from the OpenAPI spec into a single data file, and one generic dispatcher turns any descriptor + arguments into an HTTP request.
scripts/
└── generate-tools.mjs # Parses the OpenAPI spec -> src/generated/tools.ts
src/
├── index.ts # MCP server: registers tools, routes calls
├── config.ts # Environment configuration
├── client.ts # HTTP client for TIE API (axios)
├── dispatch.ts # Generic descriptor -> HTTP request dispatcher
├── custom-tools.ts # Hand-written convenience/discovery tools
└── generated/ # Auto-generated — do not edit by hand
└── tools.ts # 131 ToolDescriptor entries (name, method, path, schema)Generated vs Custom Tools
Generated tools (src/generated/tools.ts): One-to-one mappings of TIE API
endpoints. Regenerate whenever the TIE API spec changes:
npm run generate:toolsCustom tools (src/custom-tools.ts): Hand-written convenience tools that
compose multiple API calls or provide discovery/navigation helpers. These survive
regeneration and are merged with generated tools at server startup.
Current custom tools:
get_topology- Returns Infrastructure→Directory hierarchy treeget_preferred_profile- Returns user's default profile from preferences
Custom tools follow the same CustomTool interface ({name, description, category, safety, inputSchema, handler}) and are dispatched alongside generated tools.
Available Tools
The server exposes 133 tools total:
131 generated tools from
src/generated/tools.ts(one per TIE API endpoint)2 custom tools from
src/custom-tools.ts(convenience/discovery helpers)
See TOOL_NAMING_CONVENTION.md for the naming scheme and the (historical) 88-endpoint reference list.
Discovery Tools
// Get user's preferred profile (from preferences)
get_preferred_profile()
// Returns: { preferredProfileId: 2, preferredProfileName: "Contoso" }
// Get infrastructure→directory topology tree
get_topology()
// Returns: [{ id, name, directories: [{id, name, status}] }]Generated Tool Examples
// Get system information
get_about()
// List attacks for a profile
list_attacks({ profileId: "profile-123" })
// Search events
search_events({
query: { /* search criteria */ }
})
// Create infrastructure
create_infrastructure({
name: "Production",
description: "Production environment"
})
// Update deviance
update_deviance({
infrastructureId: "infra-1",
directoryId: "dir-1",
devianceId: "dev-1",
data: { status: "resolved" }
})Hosting as a shared service
This server currently uses stdio transport: the MCP client spawns it as a local child process. That model is correct for a per-user desktop tool and is why distribution is via npm/npx (or a plain Docker image), not Docker Compose.
To instead run one centrally-hosted instance that many remote clients
connect to, the server would need to switch to MCP's streamable HTTP/SSE
transport (replacing StdioServerTransport in src/index.ts with the HTTP
server transport and adding a listening port). At that point it becomes a
standing network service, and Docker — optionally with Compose behind a reverse
proxy for TLS and authentication — becomes the appropriate deployment. This is
a deliberate, separate change and is not implemented today.
API Documentation
License
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/taherkaraki/tie-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server