Access and permissions for Zuora AI
Understand how Zuora AI access is controlled by tenant settings, user permissions, and organizational guardrails.
Zuora AI access and permissions are controlled at both the tenant and user levels, follow existing Zuora role-based access controls, and always require explicit approval for write actions in the Zuora AI product experience. The tenant-level mode also controls what Zuora MCP allows when connected to third-party AI tools. A user can only view data or perform actions that their Zuora permissions allow.
Tenant-level AI access
A OneID Organization Admin controls AI access for each tenant from Zuora OneID Admin.
The following tenant-level permission modes are available:
| Mode | Description |
|---|---|
| Off | Zuora AI is disabled for the tenant. No read or write activity is available. |
| Read-Only | Zuora AI can answer questions, query data, generate insights, and display summaries. It cannot make changes to Zuora data. |
| Read-Only (opted into Supervised mode) | Behaves the same as Read-Only. Indicates that the tenant will automatically move to Supervised mode on its scheduled rollout date unless an administrator opts out by setting the tenant to Read-Only. For more detailed information, see Set a tenant to Read-Only mode. |
| Supervised | Zuora AI can perform read actions and can propose actions that modify Zuora data. Write actions require explicit user approval before they are executed. Impact on MCP: Supervised exposes read and write tools; per-action approval for writes performed through MCP is enforced by the connected third-party tool, not by Zuora. For more detailed information, see About Zuora MCP and customer responsibilities. |
Only a OneID Organization Admin can change the tenant-level AI permission mode.
For information about the current rollout schedule and how to opt out, see Supervised mode for Zuora AI.
User-level access
After Zuora AI is enabled at the tenant level, user access depends on the Zuora application.
In Zuora Billing, users can access Zuora AI when AI is enabled for the tenant. Each user's effective access is determined by the tenant-level AI permission mode and the user's individual Zuora permissions.
In Zuora Revenue, users must have the AI permission explicitly enabled. Users who do not have this permission cannot see the Zuora AI interface, regardless of the tenant-level AI setting.
How existing permissions apply
Zuora AI uses the same API layer and role-based access control as manual actions in Zuora.
For example, if you do not have permission to post an invoice in the standard Zuora UI, you cannot post an invoice through Zuora AI.
Zuora AI does not bypass permissions, segregation of duties, or approval workflows. You can only view data and perform actions for the Zuora products and objects that you have permission to access.
Approval for write actions in the Zuora AI product experience
Zuora AI does not perform write actions automatically. When a write action is available, Zuora AI shows the action it plans to take and waits for your approval.
You can review the proposed action before you confirm or decline it.
About Zuora MCP and customer responsibilities
Zuora MCP is a Model Context Protocol endpoint that allows approved third-party AI tools, such as Claude Desktop, Cursor, or custom agents, to read and write data in your Zuora tenant on your behalf. When a tenant is in Supervised mode, Zuora MCP exposes both read and write tools.
Zuora enforces a per-action approval step for write actions in the Zuora AI product experience. However, Zuora cannot enforce that approval step for write actions performed through Zuora MCP because the approval flow is handled by the calling client. Many MCP clients prompt users before running a write action, but the behavior depends on the client.
Customers using Zuora MCP are responsible for the following:
- Selecting MCP clients that prompt users for approval before running write actions, and confirming that approval settings are enabled.
- Reviewing custom agents and automations before connecting them to a production tenant.
- Controlling which users in the organization are allowed to connect third-party AI tools to a Zuora tenant.
- Protecting Zuora MCP credentials with the same care as any other API credential that can write to Zuora.
To keep Zuora MCP read-only for a tenant, an organization administrator can set the tenant mode to Read-Only in Zuora OneID. There is no separate setting that enables writes for the in-product Zuora AI experience while keeping Zuora MCP read-only.
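The per-action approval that the calling client has to supply for Zuora MCP writes can look like the following gate in a custom agent. This is an added example, not Zuora's code: the tool names, arguments, and transport callback are hypothetical, and it assumes the server's tool list carries the MCP `readOnlyHint` annotation, treating any tool without it as a write.

```python
from typing import Any, Callable

Tool = dict[str, Any]

def is_read_only(tool: Tool) -> bool:
    """Fail closed: only an explicit readOnlyHint=True counts as a read."""
    return (tool.get("annotations") or {}).get("readOnlyHint") is True

class ApprovalGate:
    """Wraps an MCP tools/call transport; writes need per-action approval."""

    def __init__(self, tools: list[Tool],
                 call_tool: Callable[[str, dict], Any],
                 approve: Callable[[str, dict], bool]) -> None:
        self._tools = {t["name"]: t for t in tools}
        self._call_tool = call_tool
        self._approve = approve
        self.audit: list[tuple[str, str]] = []

    def invoke(self, name: str, arguments: dict) -> Any:
        tool = self._tools.get(name)
        if tool is None:  # never forward tools the server did not list
            self.audit.append((name, "unknown"))
            raise PermissionError(f"unknown tool: {name}")
        if is_read_only(tool):
            self.audit.append((name, "read"))
        elif self._approve(name, arguments):  # user sees the exact action
            self.audit.append((name, "approved"))
        else:
            self.audit.append((name, "declined"))
            raise PermissionError(f"write declined: {name}")
        return self._call_tool(name, arguments)

# Constructed sample: tool names and arguments are hypothetical.
SAMPLE_TOOLS = [
    {"name": "query_invoices", "annotations": {"readOnlyHint": True}},
    {"name": "post_invoice", "annotations": {"readOnlyHint": False}},
    {"name": "update_account"},  # no annotations: treated as a write
]

def demo() -> tuple[list[str], list[tuple[str, str]]]:
    sent: list[str] = []  # stands in for the real MCP transport
    gate = ApprovalGate(SAMPLE_TOOLS,
                        call_tool=lambda n, a: sent.append(n),
                        approve=lambda n, a: n == "post_invoice")
    for name in ("query_invoices", "post_invoice", "update_account"):
        try:
            gate.invoke(name, {"id": "EXAMPLE-1"})
        except PermissionError:
            pass  # declined or unknown calls never reach the transport
    return sent, gate.audit
```

The `audit` list records every decision, including declined writes, so the record can be reviewed before an agent is connected to a production tenant.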