# Access Controls

The **Access Controls** view lets tenant administrators combine scopes into reusable access sets for user groups.

<figure><img src="/files/c14xvsscSu82BiHfmHfw" alt="Access controls"><figcaption><p>Access controls</p></figcaption></figure>

Each access control consists of a set of scopes that define what a user group is permitted to do. The predefined access controls align with the default navigation tree setup, where each domain corresponds to a specific navigation node.

Instead of setting permissions one by one, you assign a prepared access control to the right group. When a custom access control is assigned to a group, users in that group receive:

* Platform default scopes (baseline access expected for the product), and
* Tenant-specific custom scopes included in that access control (including scopes **generated for custom entities** when you add them to the access control).

Access controls are used for people in your tenant:

* Employee access - internal users (for example by team or region).
* Customer access - external users such as B2B buyers or partners.

For integrations, the same scope names are used in API credentials and tokens, but they are managed outside user groups.

**Example:**

You can create an access control such as `Order Fulfillment Manager` that includes order-related manage scopes and read access to supporting entities. Assign it to employee groups by region (for example `DE Fulfillment Managers` and `FR Fulfillment Managers`) so each group gets the same access model and only their group membership differs.

## Managing access controls

From the **Access Controls** view you can do the following:

* Create and edit access controls.
* Filter or search access controls by name.
* Open an access control to review or adjust the list of scopes.
* Remove access controls that are obsolete or no longer used.

{% hint style="warning" %}
Access controls are assigned to user groups in the **Users and Groups** section. Review group configuration whenever you change or delete access controls so users keep the access you intend.
{% endhint %}

{% hint style="success" %}
Adding or extending custom scopes does not break existing users and integrations: users and API clients that rely only on previously granted standard scopes continue to behave as before until you explicitly assign new scopes.
{% endhint %}

### Creating an access control

To define a new access control:

{% stepper %}
{% step %}

#### Choose to create access control

In the **Administration** module, go to **Access Controls** and select the **Create Access Control** action.
{% endstep %}

{% step %}

#### Provide the access control details

Provide a **Name** and optional description that clearly state the purpose of the access control, for example *order\_manager* or *catalog\_viewer*.

<figure><img src="/files/bKFuJGLQI1t7AERg6Ex2" alt="Access control creation"><figcaption><p>Creating an access control</p></figcaption></figure>
{% endstep %}

{% step %}

#### Select the **scopes** for the access control

Scopes are listed in [Scopes](/ce/management-dashboard/administration/scopes.md). They may include platform scopes, tenant-defined scopes, and scopes generated for [custom entities](/ce/management-dashboard/administration/scopes.md#custom-entities-and-the-same-authorization-model).

For example, if a group is supposed to manage products but only view categories, include the corresponding product manage scope and category read scope within the same access control.

<figure><img src="/files/3LKNN8wcS8nRt8XsDxR8" alt="Selecting scopes for access control"><figcaption><p>Selecting scopes for access control</p></figcaption></figure>
{% endstep %}

{% step %}

#### Save your changes

When you're done, choose **Save**. The access control is added to the list.
{% endstep %}
{% endstepper %}

## Custom entities and access controls

If an access control is assigned to a user group, users can see the corresponding node in the Management Dashboard navigation.

However, if a custom entity is created and the access control does not include the required scopes for that area, users can open the node but the view is empty. The content becomes visible only after the required scopes are included in the assigned access control.

For custom entities:

* Global scopes for the entity, such as `<entity>.<entity>_read` and `<entity>.<entity>_manage`, provide access to all instances in that custom entity, regardless of who created them.
* Ownership-limited scopes, such as `<entity>.<entity>_readOwn` and `<entity>.<entity>_manageOwn`, provide access only to instances created by the user.

If a user has global scopes for a custom entity, they can see all records in that entity instance. If they only have `_own` scopes, they see only records assigned to them or created by them.
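The following Python sketch models the global and ownership-limited scope semantics described above. It is an added example, not Emporix code. The `warranty` entity, the `created_by` field and the function names are assumptions; ownership is modelled as "created by the user", and each action is checked on its own because the page does not say whether manage implies read.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: str
    created_by: str  # assumed ownership field; the page does not name it


def scope_name(entity: str, action: str, own: bool = False) -> str:
    """Build a scope following the page's <entity>.<entity>_<action>[Own] pattern."""
    return f"{entity}.{entity}_{action}{'Own' if own else ''}"


def is_allowed(scopes, entity: str, action: str, record: Record, user_id: str) -> bool:
    """Decide whether user_id may perform action ('read' or 'manage') on record."""
    if scope_name(entity, action) in scopes:
        # Global scope: every instance, regardless of who created it.
        return True
    if scope_name(entity, action, own=True) in scopes:
        # Ownership-limited scope: only instances created by this user.
        return record.created_by == user_id
    # No matching scope for this entity and action.
    return False


def visible_records(scopes, entity: str, records, user_id: str):
    """Return the ids a user would see when opening the entity's view."""
    return [r.id for r in records if is_allowed(scopes, entity, "read", r, user_id)]


# Constructed sample data for a hypothetical custom entity named "warranty".
RECORDS = [Record("w-1", "alice"), Record("w-2", "bob"), Record("w-3", "alice")]

if __name__ == "__main__":
    for label, scopes in [
        ("global read", {"warranty.warranty_read"}),
        ("own read", {"warranty.warranty_readOwn"}),
        ("no entity scopes", {"product.product_read"}),
    ]:
        print(label, "->", visible_records(scopes, "warranty", RECORDS, "alice"))
```

The last case reproduces the empty view described earlier: the node can be opened, but without a matching scope for the entity no records are returned.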

