Back to Research

Cursor team controls for admins

Cursor team controls for admins as an operating guide: connector stewards, mutex paths, review receipts, and rules that stay trustworthy.

An Abbey by a Wooded Lake at Twilight, landscape painting by Paul Huet (1831).
Rogier MullerMay 5, 20266 min read

Cursor team controls are the admin layer in Cursor, Anysphere's AI code editor, that decides which rules, connectors, and agent permissions every seat inherits. The settings are easy to turn on. The hard part is leaving a trail, so that when a reviewer asks why an agent touched a file, there is a written answer instead of a chat-history excavation. Most production incidents I have watched started the same way: an MCP call that looked harmless until the credentials scrolled past in the transcript.

So this guide is less about flipping switches and more about the evidence each switch should produce. Four small habits turn admin settings into review evidence.

Treat the repo as the real governance layer

The admin console does not really govern your agents. The repo does. The console mirrors what your files state in writing, and an agent will follow what is written long before it infers what you meant.

The failure mode is predictable. Teams enable connectors faster than they assign owners, then act surprised when an unowned capability causes an incident. Think of admin settings, repo rules, and human review as three layers of defense, each with a few gaps. An unowned connector is a gap drilled clean through all three at once.

The fix for every problem below is the same shape: write the intent down where a reviewer can cite it, and make each agent run leave a receipt.

Stop parallel subagents from colliding

If you have ever spawned subagents, you have probably cleaned duplicate edits out of one module. Isolated windows each inherit a partial picture of the repo, so two of them happily rewrite the same file.

The fix is a mutex path. List directories in AGENTS.md where only one subagent may run per PR. After that, you get git conflicts instead of silent duplication, and a noisy git conflict is the much cheaper failure.

Make every agent PR carry a receipt

Cursor Blame exists and reviewers still skip attribution, because a blame UI cannot replace a clear PR description. When the PR body is empty, the blame links decorate the diff without answering anything.

A review receipt fixes this. The PR description lists the parent intent, the child scopes, and the verification transcript. Now blame links answer "why here," and review gets cheaper because nobody has to reconstruct the run from memory. Here is the minimum a receipt should contain:

## Review receipt

- Parent intent: <one line on what this PR is for>
- Child scopes: <which subagent touched which folders>
- MCP connectors fired: <names, or "none">
- Verification: <command run + pasted output, or a link>
- Red-folder paths: <none, or who acknowledged them>

Give every MCP connector a named steward

Where Cursor MCP is enabled, connectors multiply faster than ownership. Hosts approve a new capability in seconds; assigning a human to answer for it takes a meeting nobody schedules. The Model Context Protocol specification defines what a connector may do. It cannot define who answers for it when something looks wrong.

So write the owner down. A named human and a rotation schedule sit beside each MCP entry in the repo. Connector changes stop landing as anonymous convenience, and a reviewer always knows who to ask.

Put your .mdc rules on a glob diet

When .mdc globs are broad, agents inherit contradictory guidance. If every rule is active everywhere, no single rule is trusted, and the agent picks whichever fragment it saw last.

Split Cursor Rules by folder concern, and ban the mega-glob unless it is paired with explicit exceptions. Then a reviewer can cite the one governing file without a scavenger hunt:

---
description: Delegation boundary snapshot (adapt globs to your repo)
globs:
  - "**/*"
alwaysApply: false
---

- Cursor: keep scopes explicit in `.mdc`; forbid undeclared MCP domains.
- Claude Code: cite `CLAUDE.md` precedence before expanding bash scope.
- Codex: ensure `AGENTS.md` carries replay-friendly verification notes for CLI runs.

The agent surface itself is documented under Cursor Agent and Cursor Skills, and the changelog is where admin-relevant defaults change. The gates below are what your team adds on top, so a reviewer can check the same four things every time:

Gate Question
Connector truth Which MCP servers fired, and were they expected?
Reviewer path Can someone unfamiliar trace intent without chat replay?
Risk routing Were red folders touched, and who approved?
Replay proof Which commands prove regression guards?

One thing stays off autopilot no matter how good the receipts get: threat models, customer promises, and blast-radius calls belong to humans. Agents amplify whatever clarity already lives in your files and scopes, and they amplify the silence just as well.

Common questions

  • What are Cursor team controls?

    Cursor team controls are the admin layer that decides which rules, connectors, and agent permissions every seat inherits. The settings only govern what your repo states in writing, so pair them with receipts: mutex paths in AGENTS.md, review receipts in PR bodies, named connector stewards, and scoped .mdc rules a reviewer can cite.

  • Who should own an MCP connector?

    A named human with a rotation schedule, written beside the connector entry in the repo. Hosts approve capability faster than teams assign stewards, which is how sprawl starts. Once a steward exists, connector changes stop landing as anonymous convenience, and a reviewer knows exactly who to ask when a transcript looks wrong.

  • What belongs in a PR from an agent run?

    Parent intent, child scopes, and the verification transcript, plus an explicit acknowledgement when red-folder paths were touched. That receipt lets someone unfamiliar trace the work without replaying the chat. It is the difference between blame links that answer questions and blame links that only decorate the diff.

  • How do admins keep .mdc rules from sprawling?

    Put them on a glob diet: split rules by folder concern and ban broad globs unless they come with explicit exceptions. When everything is active, nothing is trusted. When each folder names its governing file, a reviewer can cite the rule that applied without hunting through every .mdc in the tree.

  • Where does this fit with security review?

    The adjacent pattern, routing risky changes through red folders and triaging findings, is worked out in Cursor Security Review beta. The wider delegation patterns, including how subagents and skills hand work to each other, live in the subagents and skills topic hub.

Start with one connector this week

Pick one connector, name its steward in the repo, and require the review receipt on the next agent PR. If you want an outside look at your team controls before they meet an incident, book a 15-minute sync.

Related training topics

Related research

Ready to start?

Transform how your team builds software.

Book a 15-minute sync