diff --git a/mcp/src/tools/permissions.test.ts b/mcp/src/tools/permissions.test.ts
index 7977f879..857e7f4c 100644
--- a/mcp/src/tools/permissions.test.ts
+++ b/mcp/src/tools/permissions.test.ts
@@ -155,6 +155,7 @@ describe("permission tools", () => {
         action: "getResourcePermission",
         resourceType: "noSqlDatabase",
         resourceId: "todos",
+        aclTag: "READONLY",
       },
     });
   });
diff --git a/mcp/src/tools/permissions.ts b/mcp/src/tools/permissions.ts
index ac13c97b..ab9528a5 100644
--- a/mcp/src/tools/permissions.ts
+++ b/mcp/src/tools/permissions.ts
@@ -380,9 +380,10 @@ export function registerPermissionTools(server: ExtendedMcpServer) {
             });
             logCloudBaseResult(server.logger, result);
             const permissions = result.Data.PermissionList ?? [];
+            const matchedPermission =
+              permissions.find((item) => item.Resource === resourceId) ?? permissions[0];
             const securityRule =
-              permissions.find((item) => item.Resource === resourceId)?.SecurityRule ??
-              permissions[0]?.SecurityRule;
+              matchedPermission?.SecurityRule;
             const hints = buildPermissionHints(securityRule, resourceId);
             return buildEnvelope(
               {
@@ -390,6 +391,7 @@ export function registerPermissionTools(server: ExtendedMcpServer) {
                 envId,
                 resourceType,
                 resourceId,
+                aclTag: matchedPermission?.Permission,
                 permissions,
                 hints,
                 raw: result,