Connecting Claude to your systems (MCP)
Working with Claude — CC BY 4.0
By default Claude only knows what you paste into the chat. That is deliberate, and it is safe. But real work lives in other places — a shared Drive, a Slack workspace, a database, a ticketing tool. MCP is the standard way to let Claude reach into those places and do something useful with them, without you copying everything across by hand.
This lesson explains what MCP is in plain terms, what it can and can’t touch, who decides, and the one caution that matters most: once Claude can reach your systems, you are the person accountable for what it does there.
MCP in plain language
MCP stands for Model Context Protocol. Think of it as a common plug. Instead of every tool needing its own bespoke wiring into Claude, MCP gives them all the same shape of connection — so a Drive, a Slack, a database and a tool someone built in-house can each present themselves to Claude the same way. Anthropic describes it as a universal way for the model to connect to the systems where your data actually lives.
In the Claude apps you’ll usually meet MCP through connectors — the friendly, pre-packaged version. There are two flavours:
- Ready-made connectors for common tools — Google Drive, Slack, GitHub, Linear and many more, listed in a connectors directory (hundreds of them at the time of writing). You pick one, sign in to that service, and Claude can then work with it.
- Custom connectors, where you (or your organisation) point Claude at your own MCP server — a database, an internal system, a bespoke tool. This is how a workshop connects Claude to something no directory covers.
You’ll typically find and switch these on under a Customize → Connectors area, and turn a connector on for a given chat using the “+” button or the “/” menu inside the conversation. (Menu names shift as the app updates — confirm the exact path in-app or in current docs.)
What Claude can actually reach
This is the part to hold onto, because it is where trust is either earned or lost.
A connector doesn’t hand Claude the keys to everything. Claude inherits your permissions in the source system, and nothing more. Anthropic is explicit about this: if you personally can’t open a particular file, channel or record, the connector can’t reach it from Claude either. Connect the company Drive and Claude sees what your account sees — not the whole company’s.
The second thing to hold onto: connectors aren’t only for reading. Depending on the tool, Claude can create, change and delete things — post a Slack message, open a ticket, edit a document, write to a database. That is exactly why they’re useful, and exactly why they need supervision. A connector that can send is a connector that can send the wrong thing.
Who sets the boundaries
On individual plans, you’re the boundary. You choose which connectors to switch on, you sign in, and you review what each one is allowed to do at the sign-in (OAuth) step before granting access. You can revoke that access at any time — from Claude’s settings, or from the other service’s own security settings.
On Team and Enterprise plans, an owner or admin sets the rules for everyone: they add connectors across the organisation and can limit which actions a connected service is allowed to take. That control can go right down to the individual tool — for each connector, or each action within it, an admin can set it to Always allow, Needs approval or Blocked, and an individual can’t override that. (Admin labels and menus shift as the product updates — confirm the current path in Anthropic’s admin docs.) There’s also an enterprise option (in beta at the time of writing) to authorise a connector once for the whole organisation, with staff inheriting access on first sign-in. If you’re doing this for a group, that’s the setting to plan around: it decides the default for people who will never read this lesson.
The custody caution — read this twice
Connecting Claude to your systems moves data out of the chat window and into a chain of services. Keep three things in view.
1. Where your data goes. When Claude works through a connector, the connected service processes that data on its own infrastructure, under its own terms — which may sit outside the country you’re in. Transfers are encrypted, but “encrypted in transit” is not the same as “stays where you think it stays”. If you handle client information, health or financial records, or anything touching Māori data sovereignty obligations, work out where a given connector actually sends data before you switch it on, not after.
2. Custom connectors are unverified by default. A ready-made connector has been through Anthropic’s directory. A custom one you point Claude at has not. Anthropic warns plainly that a malicious MCP server can carry hidden instructions designed to make Claude take actions you never asked for — a well-known risk called prompt injection. Only connect servers built by people you trust, and watch for behaviour that changes after a server updates.
3. You own the output. This is the through-line of the whole course. A connector doesn’t transfer accountability to the tool. If Claude, working through a connector, edits the wrong record or posts to the wrong channel, that is your action and your name on it. Start every connector read-only in your head: ask Claude to show you what it would do before you let it do anything that writes, sends or deletes. Review, then release.
Before you connect anything: which of your tools holds other people’s information, not just your own?
If Claude could read all of it, whose permission would you actually need first — and have you asked, or just assumed?
A safe first setup
- Pick one ready-made connector for a low-stakes tool you already use.
- Sign in, and read the permissions screen — don’t click through it blind.
- Ask Claude to read and summarise something first. Confirm it only sees what you’d expect.
- Only then try an action that writes — and check the result in the source tool, not just Claude’s word for it.
- Before connecting anything holding other people’s data, settle where that data is processed and who is allowed to reach it.
The legal points above are general education, not legal advice. For data-handling obligations specific to your organisation — including Māori data governance and privacy law — get advice from someone qualified.
Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.
Leave a koha →