MSTR BI Agent MCP Server
MicroStrategy MCP server that enforces row-level security via LDAP authentication, enabling authorized users to list projects, reports, and execute reports returning data as markdown tables.
README
MicroStrategy (MSTR) BI Agent MCP Server
Phase 1 of the Enterprise AI Architecture at our highly regulated state bank: a secure Model Context Protocol (MCP) server that wraps the MicroStrategy REST API, enforcing native Row-Level Security (RLS) and object-level permissions using Pass-Through LDAP Authentication.
This server is designed to integrate as an HTTP/SSE tool within Onyx (formerly Danswer), allowing our local Qwen 27B LLM to execute reports and return data to authorized bank employees without using master API keys.
Architecture Overview
[Bank Employee]
│
▼
[Onyx Web UI (SSO Authenticated)]
│
▼ (HTTP /sse request with User LDAP credentials/Basic Auth)
[MSTR MCP Server (Docker Container)]
│
├─► Dynamic Header Extraction
├─► Instantiates mstrio Connection (loginMode: 16 - LDAP)
│
▼ (REST request with User Context)
[MicroStrategy Library API / IServer]
Deliverables & Project Structure
src/server.py: Custom FastMCP server code with dynamic header parsing, pandas parsing, and rotating compliance logs.requirements.txt: Python package requirements (fastmcp,mstrio-py,pandas,tabulate,requests,urllib3).Dockerfile: Secure, non-root, lightweightslim-pythoncontainer definition.onyx_system_prompt.txt: Strict system instructions for Qwen 27B (forbids hallucinations, outlines tool calling pipeline).
Configuration Variables
The server is configured using the following environment variables:
| Variable | Description | Default |
|---|---|---|
MSTR_BASE_URL |
MicroStrategy Library REST API URL | https://localhost/MicroStrategyLibrary/api |
MSTR_PROJECT_ID |
Default MicroStrategy Project ID | "" (Required if querying specific project reports) |
MSTR_SSL_VERIFY |
Verify SSL certificates (True / False) |
True |
MSTR_MCP_TRANSPORT |
Server transport channel (sse / stdio) |
sse |
MSTR_MCP_HOST |
Host address to bind the SSE server to | 0.0.0.0 |
MSTR_MCP_PORT |
Port to bind the SSE server to | 8000 |
COMPLIANCE_LOG_PATH |
Destination file path for compliance audit log | mstr_mcp_compliance.log |
Quick Start & Deployment
1. Build the Container
Run this command from the root of this project:
# Standard Build
docker build -t mstr-mcp-server:latest .
# Proxy-aware Build (Required for internal bank deployments)
docker build \
--build-arg http_proxy="http://proxy.internal-bank.com:8080" \
--build-arg https_proxy="http://proxy.internal-bank.com:8080" \
-t mstr-mcp-server:latest .
2. Run the Container
Launch the container, mounting the log folder to your host's secure audit path:
docker run -d \
--name mstr-mcp-agent \
-p 8000:8000 \
-e MSTR_BASE_URL="https://mstr-library.internal-bank.com/MicroStrategyLibrary/api" \
-e MSTR_SSL_VERIFY="True" \
-v /var/log/mcp-audit:/app/logs \
mstr-mcp-server:latest
3. Register in Onyx Admin UI
- Go to Onyx Admin UI -> Tools -> Add Custom Tool.
- Select HTTP/SSE.
- Enter the SSE Endpoint URL:
http://<mstr-mcp-agent-ip>:8000/sse - Ensure Onyx is configured to pass the user's LDAP credentials (Basic Authentication header or custom
X-LDAP-*headers) down to the tool during invocation.
Exposed MCP Tools
The server registers three tools with FastMCP:
list_mstr_projects- Description: Retrieves all MicroStrategy projects the authenticated user's LDAP account is authorized to view.
- Arguments: None.
list_mstr_reports- Description: Lists all Reports, OLAP Cubes, and Super Cubes in the specified project.
- Arguments:
project_id(optional, string): MicroStrategy project ID. If omitted, uses the defaultMSTR_PROJECT_IDenv.
execute_mstr_report- Description: Runs a report or cube and returns the dataset as a clean Markdown table.
- Arguments:
report_id(required, string): ID of the report/cube.project_id(optional, string): MicroStrategy project ID.limit(optional, integer): Maximum number of rows to return (default is100to prevent context window bloat).
Auditing and Compliance
All actions are logged to the file specified in COMPLIANCE_LOG_PATH in a standardized, SIEM-parseable format.
- Username Masking: The username is always masked (e.g.,
jdo***) to prevent leaking PII. - Credential Protection: Passwords are never written to any log file.
- Data Protection: Raw dataset records/cells are never written to the audit log.
Log Example:
[2026-07-14 16:20:05] [INFO] [COMPLIANCE] User: jdo*** | Tool: execute_mstr_report | ProjectID: B129A8... | TargetID: R98721... | Status: SUCCESS | Details: Returned 45 rows
Development & Testing
For local verification on Python 3.10+, install dependencies:
pip install -r requirements.txt
To run the server in STDIO mode for testing (using local environment fallbacks):
export MSTR_USERNAME="test_ldap_user"
export MSTR_PASSWORD="test_ldap_password"
export MSTR_BASE_URL="https://mstr-library.internal-bank.com/MicroStrategyLibrary/api"
export MSTR_PROJECT_ID="YOUR_PROJECT_ID"
export MSTR_SSL_VERIFY="False" # For local testing
python src/server.py --transport stdio
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.