---
title: "Connect Drata to Claude: Manage Security Reports and User Roles"
slug: connect-drata-to-claude-manage-security-reports-and-user-roles
date: 2026-06-08
author: Uday Gajavalli
categories: ["AI & Agents"]
excerpt: "A step-by-step technical guide to connecting Drata to Claude via Truto's MCP Server. Learn to automate compliance workflows, user tracking, and security reporting."
tldr: "Connect Drata to Claude using Truto's MCP Server. This guide covers Drata API quirks, configuring the MCP server via UI and API, tool inventory, security filtering, and real-world compliance workflows."
canonical: https://truto.one/blog/connect-drata-to-claude-manage-security-reports-and-user-roles/
---

# Connect Drata to Claude: Manage Security Reports and User Roles

Integrating compliance platforms with LLMs shifts security operations from manual auditing to natural language investigations. If your team uses ChatGPT, check out our guide on [connecting Drata to ChatGPT](https://truto.one/connect-drata-to-chatgpt-audit-company-compliance-and-user-data/), or if you are building autonomous systems, read about [connecting Drata to AI Agents](https://truto.one/connect-drata-to-ai-agents-automate-security-and-user-tracking/).

This guide covers how to connect Drata to Claude using Truto's SuperAI [MCP Server](https://truto.one/what-is-an-mcp-server-the-2026-architecture-guide-for-saas-pms/). We will walk through configuring the MCP server, passing it to Claude, and executing real-world compliance workflows.

## The Engineering Reality of the Drata API

Building an integration with Drata is rarely a simple CRUD exercise. The API is built for strict auditing and compliance tracking, which introduces several specific challenges for automated systems and LLM function calling:

1.  **Deeply Nested Evidence Models:** Drata's data structures are heavy. A simple user record does not just return basic identity fields - it returns nested arrays of background checks, document signatures, identity providers, and role histories. LLMs can easily exceed context limits if you dump raw, unpaginated Drata arrays into the prompt.
2.  **Opaque Cursor Behavior:** Paginating through thousands of compliance records requires strict cursor management. If your agent attempts to manipulate or decode the `nextCursor` value, the API will reject the request. The cursor must be passed back exactly as received.
3.  **Strict Rate Limits:** Drata imposes strict rate limits to protect against bulk evidence scraping. **Truto does not retry, throttle, or apply backoff on rate limit errors.** When the Drata API returns an HTTP 429, Truto passes that error directly to the caller. Truto normalizes the upstream rate limit info into standardized headers (`ratelimit-limit`, `ratelimit-remaining`, `ratelimit-reset`) per the IETF spec. The caller (or your AI agent framework) is fully responsible for retry and backoff logic.
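Since Truto forwards a Drata HTTP 429 unchanged and only normalizes the limit into `ratelimit-*` headers, the caller owns the backoff. The helper below is an added example (not Truto or Drata code) of that client-side responsibility: it honours `ratelimit-reset` when present, falls back to capped exponential backoff otherwise, and never retries forever. It assumes `ratelimit-reset` is a delta in seconds; the transport is a constructed stand-in for a real HTTP client so the block runs offline.

```python
"""Client-side retry/backoff for Truto-proxied Drata calls (added example)."""
import time
from typing import Callable, Dict, Tuple

# (status, headers, body) - the minimum a retry policy needs to see.
Response = Tuple[int, Dict[str, str], object]


def backoff_seconds(headers: Dict[str, str], attempt: int, cap: float = 60.0) -> float:
    """Prefer the server's `ratelimit-reset` (assumed to be delta-seconds);
    fall back to exponential backoff when it is missing or malformed."""
    reset = headers.get("ratelimit-reset")
    if reset is not None:
        try:
            return min(max(float(reset), 0.0), cap)
        except ValueError:
            pass
    return min(2.0 ** attempt, cap)


def call_with_backoff(send: Callable[[], Response], max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep) -> Response:
    """Invoke `send` until it returns a non-429 status or attempts run out.
    `sleep` is injectable so the waits can be observed without real delays."""
    last: Response = (429, {}, None)
    for attempt in range(max_attempts):
        last = send()
        status, headers, _ = last
        if status != 429:
            return last
        sleep(backoff_seconds(headers, attempt))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts: {last[1]}")


class FakeTransport:
    """Constructed stand-in: answers 429 `fails` times, then 200 with an empty page."""

    def __init__(self, fails: int, reset: str = "2"):
        self.fails, self.reset, self.calls = fails, reset, 0

    def __call__(self) -> Response:
        self.calls += 1
        if self.calls <= self.fails:
            return 429, {"ratelimit-limit": "100", "ratelimit-remaining": "0",
                         "ratelimit-reset": self.reset}, None
        return 200, {"ratelimit-limit": "100", "ratelimit-remaining": "99",
                     "ratelimit-reset": "60"}, {"data": [], "next_cursor": None}


def demo() -> Tuple[int, int, list]:
    """Run the fake transport through the helper; returns (status, calls, waits)."""
    waits: list = []
    transport = FakeTransport(fails=2)
    status, _, _ = call_with_backoff(transport, sleep=waits.append)
    return status, transport.calls, waits


if __name__ == "__main__":
    print(demo())  # (200, 3, [2.0, 2.0])
```

Wire `call_with_backoff` around whatever function your agent framework uses to invoke a Truto tool; the cap keeps a hostile or misconfigured `ratelimit-reset` from parking the agent for hours, and the attempt limit surfaces a persistent block as an error rather than silently spinning.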

## How to Create the Drata MCP Server

Truto automatically generates Model Context Protocol (MCP) tools from the underlying Drata integration. You can provision an MCP server scoped to a single integrated Drata account via the Truto UI or programmatically via the API.

### Method 1: Via the Truto UI

1.  Log into your Truto environment and navigate to the integrated account page for your Drata connection.
2.  Select the **MCP Servers** tab.
3.  Click **Create MCP Server**.
4.  Configure your filters (e.g., restrict to `read` methods only for safe auditing) and set an optional expiration date.
5.  Copy the generated secure MCP server URL.

### Method 2: Via the API

You can dynamically provision MCP servers for your end users using the Truto API. This is ideal when embedding Claude-powered workflows directly into your own [SaaS application](https://truto.one/how-to-architect-a-multi-tenant-mcp-server-for-enterprise-b2b-saas/).

```http
POST /integrated-account/:id/mcp
Authorization: Bearer <YOUR_TRUTO_API_TOKEN>
Content-Type: application/json

{
  "name": "Claude Drata Auditor",
  "config": {
    "methods": ["read"]
  },
  "expires_at": "2026-12-31T23:59:59Z"
}
```

The API securely hashes the token and returns a ready-to-use URL:

```json
{
  "id": "mcp_abc123",
  "name": "Claude Drata Auditor",
  "config": { "methods": ["read"] },
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6..."
}
```

## Connecting to Claude

Once you have the Truto MCP URL, you can connect it to Claude using either the visual interface or the desktop configuration file.

### Via the Claude UI (Web/Desktop)

1.  Open Claude and navigate to **Settings > Connectors**.
2.  Click **Add custom connector**.
3.  Paste your Truto MCP Server URL.
4.  Click **Add**. Claude will automatically ping the `/mcp/:token` endpoint, initialize the JSON-RPC 2.0 handshake, and load the Drata tools.

### Via Manual Configuration File

If you manage Claude Desktop via `claude_desktop_config.json`, you can configure it to use a remote SSE bridge or proxy script that connects to Truto's remote HTTP endpoint. Truto's endpoint natively speaks JSON-RPC 2.0.

```json
{
  "mcpServers": {
    "drata-auditor": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/proxy",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}
```

## Tool Inventory

Truto derives the Drata toolset dynamically. Tools map directly to the underlying REST resources, keeping execution close to the native API.

### Hero Tools

These are the high-value endpoints used most frequently in compliance and IT ops workflows.

#### 1. `list_all_drata_users`
*   **Description:** Lists all users in the Drata environment. Returns rich identity data including `id`, `email`, `roles`, `backgroundChecks`, `drataTermsAgreedAt`, and `documents`.
*   **Contextual Notes:** Use this to sweep the organization for un-onboarded employees or missing background checks. Ensure the LLM knows to respect the `next_cursor` parameter if the returned list is truncated.
*   **Example Prompt:** *"Pull a list of all users and find anyone who hasn't agreed to the Drata terms yet."*

#### 2. `get_single_drata_user_by_id`
*   **Description:** Fetches full, deep details of a specific Drata user by their ID.
*   **Contextual Notes:** Because the list endpoint can be heavy, it is often best to have the LLM fetch a summary list of users, and then iterate through flagged accounts using this tool to inspect their specific background check objects.
*   **Example Prompt:** *"Get the full compliance and identity profile for user ID 10425."*

For the complete tool inventory and full schema details, visit the [Drata integration page](https://truto.one/integrations/detail/drata).

## Workflows in Action

Here is how these tools look in practice when utilized by specific IT and Security personas.

### Use Case 1: Automating the Employee Compliance Audit (IT Admin)

> "Claude, check our Drata account for any users who have not completed their background checks or agreed to the required security policies. Give me a summary of their names and emails."

**Step-by-step execution:**
1.  Claude calls `list_all_drata_users` with no initial cursor.
2.  The Truto Proxy API queries Drata and returns the paginated JSON array of users.
3.  Claude inspects the `backgroundChecks` array and the `drataTermsAgreedAt` timestamp within each user object.
4.  If a `next_cursor` is present, Claude calls `list_all_drata_users` again, passing the cursor exactly as received.
5.  Claude aggregates the filtered list and responds with a neat Markdown table of non-compliant employees.
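The same walk expressed as code, so the two rules that matter (pass the cursor back untouched, stop when it is absent) are explicit rather than left to the model. This is an added example and not Truto's or Drata's code; the field names `data`, `next_cursor`, `backgroundChecks` and `drataTermsAgreedAt` follow the post, while the page contents, cursor strings and the `status` key on a background-check object are constructed assumptions.

```python
"""Paginate `list_all_drata_users` and flag non-compliant users (added example)."""
from typing import Callable, Dict, Iterator, List, Optional

Page = Dict[str, object]

# Constructed sample: two pages keyed by the cursor that fetches them.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {"data": [
        {"id": 1, "email": "a@example.com", "drataTermsAgreedAt": "2026-01-05T10:00:00Z",
         "backgroundChecks": [{"status": "PASSED"}]},
        {"id": 2, "email": "b@example.com", "drataTermsAgreedAt": None,
         "backgroundChecks": [{"status": "PASSED"}]},
    ], "next_cursor": "eyJwYWdlIjoyfQ=="},
    "eyJwYWdlIjoyfQ==": {"data": [
        {"id": 3, "email": "c@example.com", "drataTermsAgreedAt": "2026-02-01T09:30:00Z",
         "backgroundChecks": []},
        {"id": 4, "email": "d@example.com", "drataTermsAgreedAt": "2026-02-02T09:30:00Z",
         "backgroundChecks": [{"status": "PENDING"}]},
    ], "next_cursor": None},
}


def fake_list_users(cursor: Optional[str]) -> Page:
    """Constructed stand-in for the `list_all_drata_users` tool."""
    if cursor not in SAMPLE_PAGES:
        raise ValueError("cursor was altered or decoded; Drata rejects such requests")
    return SAMPLE_PAGES[cursor]


def iter_users(list_users: Callable[[Optional[str]], Page],
               max_pages: int = 1000) -> Iterator[dict]:
    """Yield every user, handing `next_cursor` back exactly as received.
    `max_pages` guards against a proxy that never stops returning a cursor."""
    cursor: Optional[str] = None
    for _ in range(max_pages):
        page = list_users(cursor)
        yield from page["data"]
        cursor = page.get("next_cursor")
        if not cursor:
            return
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


def background_check_passed(user: dict) -> bool:
    checks = user.get("backgroundChecks") or []
    return any(c.get("status") == "PASSED" for c in checks)


def non_compliant(list_users: Callable[[Optional[str]], Page] = fake_list_users) -> List[dict]:
    """One finding per user missing a passed background check or the terms
    agreement; only id, email and reasons are kept, not the whole record."""
    findings = []
    for user in iter_users(list_users):
        reasons = []
        if not user.get("drataTermsAgreedAt"):
            reasons.append("terms_not_agreed")
        if not background_check_passed(user):
            reasons.append("background_check_missing")
        if reasons:
            findings.append({"id": user["id"], "email": user["email"], "reasons": reasons})
    return findings


def to_markdown(findings: List[dict]) -> str:
    rows = ["| id | email | reasons |", "|---|---|---|"]
    rows += [f"| {f['id']} | {f['email']} | {', '.join(f['reasons'])} |" for f in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_markdown(non_compliant()))
```

Keeping the projection small (`id`, `email`, `reasons`) is also what keeps the result inside the model's context window when a real tenant returns thousands of deeply nested user records.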

### Use Case 2: Extracting the Executive Security Report (Security Lead)

> "Fetch the latest company compliance info and summarize our overall security report details and entitlement status for the executive team."

**Step-by-step execution:**
1.  Claude calls `list_all_drata_company_info`.
2.  The Truto proxy routes the request and returns the complex company metadata object.
3.  Claude processes the `securityReport` details, training/compliance status, and active connections.
4.  Claude writes a high-level summary paragraph highlighting any missing entitlements or lapsed connections, suitable for an executive Slack channel.

## Security and Access Control

Exposing a compliance platform like Drata to an LLM requires strict governance. Truto MCP servers operate with zero data retention and include several [robust security primitives](https://truto.one/understanding-mcp-server-security/):

*   **Method Filtering:** Restrict the server to safe operations. By setting `config.methods: ["read"]`, the MCP server will only expose GET/LIST tools, preventing Claude from accidentally modifying compliance states.
*   **Tag Filtering:** Group and isolate tools using `config.tags`. You can create an MCP server that only exposes tools tagged with `users` or `reports`.
*   **Require API Token Auth:** By setting `require_api_token_auth: true`, possession of the MCP URL is no longer enough. The connecting client must also supply a valid Truto API token via a Bearer header, adding a strict second layer of identity verification.
*   **Ephemeral Servers (`expires_at`):** Grant temporary auditor access. When you set an `expires_at` timestamp, Truto automatically invalidates the token and schedules a cleanup task to hard-delete the credentials from the database.
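Putting the provisioning request from "Method 2: Via the API" together with these controls, the added example below builds a read-only, token-gated, expiring server definition and lints any payload against that baseline before it is sent. It is not Truto's client: the path and body keys (`name`, `config.methods`, `config.tags`, `require_api_token_auth`, `expires_at`) come from the post, while the base URL, the `ALLOWED_TAGS` set and the 30-day lifetime ceiling are assumptions for this example.

```python
"""Build and lint a Truto MCP-server provisioning request (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

BASE_URL = "https://api.truto.one"      # assumption: adjust to your environment
MAX_LIFETIME = timedelta(days=30)        # assumption: policy ceiling for an auditor server
ALLOWED_TAGS = {"users", "reports"}      # the tags named in the post
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _as_dt(value: Union[None, str, datetime]) -> datetime:
    """Accept a datetime or an ISO-8601 'Z' string; default to now (UTC)."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_mcp_payload(name: str, tags: Optional[List[str]] = None,
                      lifetime: timedelta = timedelta(days=7),
                      now: Union[None, str, datetime] = None) -> Dict:
    """Least-privilege default: read-only, token-gated, short-lived. Wider
    grants must be made by deliberately editing the returned dict."""
    config: Dict = {"methods": ["read"]}
    if tags:
        config["tags"] = sorted(tags)
    return {
        "name": name,
        "config": config,
        "require_api_token_auth": True,
        "expires_at": (_as_dt(now) + lifetime).strftime(TS_FORMAT),
    }


def lint_payload(payload: Dict, now: Union[None, str, datetime] = None) -> List[str]:
    """Return policy violations for a payload about to be sent (empty list = OK)."""
    current = _as_dt(now)
    problems: List[str] = []
    config = payload.get("config", {})
    methods = set(config.get("methods", []))
    if not methods:
        problems.append("config.methods unset: every tool would be exposed")
    elif methods != {"read"}:
        problems.append(f"write-capable methods exposed to the LLM: {sorted(methods - {'read'})}")
    unknown = set(config.get("tags", [])) - ALLOWED_TAGS
    if unknown:
        problems.append(f"unknown tags: {sorted(unknown)}")
    if payload.get("require_api_token_auth") is not True:
        problems.append("require_api_token_auth not true: URL possession alone grants access")
    expires = payload.get("expires_at")
    if not expires:
        problems.append("expires_at missing: server never expires")
    else:
        exp = _as_dt(expires)
        if exp <= current:
            problems.append("expires_at is in the past")
        elif exp - current > MAX_LIFETIME:
            problems.append(f"expires_at exceeds the {MAX_LIFETIME.days}-day maximum")
    return problems


def provision(account_id: str, api_token: str, payload: Dict) -> Dict:
    """POST /integrated-account/:id/mcp after linting; returns the parsed JSON,
    including the server `url`. This performs a real network call."""
    problems = lint_payload(payload)
    if problems:
        raise ValueError("refusing to provision: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{BASE_URL}/integrated-account/{account_id}/mcp",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_mcp_payload("Claude Drata Auditor", tags=["users", "reports"])
    print(json.dumps(payload, indent=2))
    print("violations:", lint_payload(payload))
```

Treat the returned `url` as a credential: it is what Claude presents to Truto, so it belongs in the same secret store as the API token, and `require_api_token_auth` is what limits the damage if it leaks.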

> Want to give your AI agents secure, native access to Drata and 100+ other enterprise SaaS platforms? Book a technical deep dive with the Truto engineering team.
>
> [Talk to us](https://cal.com/truto/partner-with-truto)
