Delegation
Delegation controls which teams can add resources and whether projects can extend team configurations.
Organization to Team Delegation
Section titled “Organization to Team Delegation”Define which teams can add plugins and MCP servers:
{ "delegation": { "teams": { "allow_additional_plugins": ["*"], "allow_additional_mcp_servers": ["platform", "data"] } }}| Field | Meaning |
|---|---|
["*"] | All teams can add this resource type |
["team1", "team2"] | Only listed teams can add |
[] or missing | No team can add this resource type |
Example: Restrictive Delegation
Section titled “Example: Restrictive Delegation”{ "delegation": { "teams": { "allow_additional_plugins": ["platform"], "allow_additional_mcp_servers": [] } }}Only the platform team can add plugins. No team can add MCP servers.
Example: Permissive Delegation
Section titled “Example: Permissive Delegation”{ "delegation": { "teams": { "allow_additional_plugins": ["*"], "allow_additional_mcp_servers": ["*"] } }}All teams can add both plugins and MCP servers.
Team to Project Delegation
Section titled “Team to Project Delegation”Each team profile controls whether projects can add resources:
{ "profiles": { "backend": { "delegation": { "allow_project_overrides": true, "allow_additional_plugins": ["project-*", "team-*"] } }, "security": { "delegation": { "allow_project_overrides": false } } }}allow_project_overrides
Section titled “allow_project_overrides”| Value | Effect |
|---|---|
true | Projects can use .scc.yaml to add resources |
false | Projects cannot add anything beyond team config |
allow_additional_plugins (Team Level)
Section titled “allow_additional_plugins (Team Level)”Patterns for what plugins projects can add:
{ "delegation": { "allow_additional_plugins": ["project-*", "linter-*"] }}Projects can only add plugins matching these patterns.
Delegation Chain
Section titled “Delegation Chain”A project can only add a resource if:
- The organization has delegated that resource type to the team
- The team has
allow_project_overrides: true - The resource matches the team’s
allow_additional_pluginspatterns (if specified) - The resource doesn’t match any security block
Organization delegates "plugins" to team "backend" ↓Team "backend" has allow_project_overrides: true ↓Team "backend" has allow_additional_plugins: ["project-*"] ↓Project adds "project-linter" in .scc.yaml ↓"project-linter" matches "project-*" pattern ↓"project-linter" is not in blocked_plugins ↓✓ Addition allowedDenied Additions
Section titled “Denied Additions”When a resource is denied, SCC tracks the reason:
scc config explainOutput:
denied_additions: - some-mcp-server (requested_by: project, reason: team not delegated for MCP) - custom-plugin (requested_by: project, reason: team disallows project overrides)Example: Complete Delegation Setup
Section titled “Example: Complete Delegation Setup”{ "delegation": { "teams": { "allow_additional_plugins": ["*"], "allow_additional_mcp_servers": ["platform", "data"] } }, "profiles": { "backend": { "description": "Backend team - flexible", "delegation": { "allow_project_overrides": true, "allow_additional_plugins": ["*"] } }, "frontend": { "description": "Frontend team - moderate", "delegation": { "allow_project_overrides": true, "allow_additional_plugins": ["react-*", "vue-*", "angular-*"] } }, "security": { "description": "Security team - locked down", "delegation": { "allow_project_overrides": false } }, "platform": { "description": "Platform team - can add MCP servers", "delegation": { "allow_project_overrides": true } } }}Bypassing Delegation
Section titled “Bypassing Delegation”For urgent needs, developers can use local overrides:
scc unblock some-plugin --ttl 8h --reason "Testing integration"This creates a time-limited exception. See Exceptions for details.