Delegation
Delegation controls which teams can add resources and whether projects can extend team configurations.
Organization to Team Delegation
Section titled “Organization to Team Delegation”Define which teams can add plugins and MCP servers:
{ "delegation": { "teams": { "allow_additional_plugins": ["*"], "allow_additional_mcp_servers": ["platform", "data"] } }}| Field | Meaning |
|---|---|
["*"] | All teams can add this resource type |
["team1", "team2"] | Only listed teams can add |
[] or missing | No team can add this resource type |
Example: Restrictive Delegation
Section titled “Example: Restrictive Delegation”{ "delegation": { "teams": { "allow_additional_plugins": ["platform"], "allow_additional_mcp_servers": [] } }}Only the platform team can add plugins. No team can add MCP servers.
Example: Permissive Delegation
Section titled “Example: Permissive Delegation”{ "delegation": { "teams": { "allow_additional_plugins": ["*"], "allow_additional_mcp_servers": ["*"] } }}All teams can add both plugins and MCP servers.
Team to Project Delegation
Section titled “Team to Project Delegation”Each team profile controls whether projects can add resources:
The org must also enable project delegation via delegation.projects.inherit_team_delegation: true.
{ "delegation": { "projects": { "inherit_team_delegation": true } }, "profiles": { "backend": { "delegation": { "allow_project_overrides": true } }, "security": { "delegation": { "allow_project_overrides": false } } }}allow_project_overrides
Section titled “allow_project_overrides”| Value | Effect |
|---|---|
true | Projects can use .scc.yaml to add resources |
false | Projects cannot add anything beyond team config |
Plugin and MCP Allowlists
Section titled “Plugin and MCP Allowlists”Allowlist patterns for what teams/projects can add live in defaults:
{ "defaults": { "allowed_plugins": ["project-*", "linter-*"], "allowed_mcp_servers": ["*.internal.example.com", "corp-*"] }}Teams/projects can only add resources matching these patterns (if set).
Delegation Chain
Section titled “Delegation Chain”A project can only add a resource if:
- The organization enables project delegation (
delegation.projects.inherit_team_delegation: true) - The team has
allow_project_overrides: true - The resource matches
defaults.allowed_plugins/defaults.allowed_mcp_servers(if set) - The resource doesn’t match any security block
Organization enables project delegation ↓Team "backend" has allow_project_overrides: true ↓Project adds "project-linter" in .scc.yaml ↓"project-linter" matches defaults.allowed_plugins ↓"project-linter" is not in blocked_plugins ↓✓ Addition allowedDenied Additions
Section titled “Denied Additions”When a resource is denied, SCC tracks the reason:
scc config explain --field deniedUse --json if you need machine-readable reasons:
scc config explain --json | jq '.data.denied_additions'Example: Complete Delegation Setup
Section titled “Example: Complete Delegation Setup”{ "defaults": { "allowed_plugins": ["react-*", "project-*"], "allowed_mcp_servers": ["*.internal.example.com", "corp-*"] }, "delegation": { "teams": { "allow_additional_plugins": ["backend", "frontend", "platform"], "allow_additional_mcp_servers": ["platform", "data"] }, "projects": { "inherit_team_delegation": true } }, "profiles": { "backend": { "description": "Backend team - flexible", "delegation": { "allow_project_overrides": true } }, "frontend": { "description": "Frontend team - moderate", "delegation": { "allow_project_overrides": true } }, "security": { "description": "Security team - locked down", "delegation": { "allow_project_overrides": false } }, "platform": { "description": "Platform team - can add MCP servers", "delegation": { "allow_project_overrides": true } } }}Bypassing Delegation
Section titled “Bypassing Delegation”For urgent needs, developers can use local overrides:
scc unblock some-plugin --ttl 8h --reason "Testing integration"This creates a time-limited exception. See Exceptions for details.