Scopes
Define tenant scopes for employees, customers, and integrations, including automatically generated scopes for custom entities.
The Custom Scopes view is where you define and review the scopes available in your tenant. This includes platform scopes, tenant-defined scopes, and scopes generated for custom entities.
Custom scopes are the starting point for access setup across your organization:
Employee access - users in your organization who work in the Management Dashboard.
Customer access - external users, for example B2B buyers or partner users.
Integrations - API clients that use tenant scopes in tokens.
As a tenant administrator, you manage the scopes that apply to your tenant and then use them in Access Controls to grant the right level of access to groups.

Benefits for your organization:
Instant control: Tenant administrators can define and update access rules on their own, without opening an IT ticket.
Seamless coverage: The same scope model applies to employees, customers, and OAuth2 integrations, so you avoid a patchwork of unrelated mechanisms.
Future-proof: New business units, partners, or custom data can be covered as you extend the model.
Transparency: You can see and manage scopes in one place instead of guessing who can reach which data or APIs.
With custom scopes, you decide who can access what across internal users, external users, and integrations, while keeping the model clear and consistent.
Example:
If your organization has separate teams for order fulfillment by market, you can define scopes that reflect those responsibilities (for example, order view and order manage scopes). You can then reuse the same scopes in access controls for employee groups such as DE Order Fulfillment and FR Order Fulfillment, and for customer-facing use cases where needed.
Creating a scope
Where the product allows it, you can add a tenant-defined scope (for example to label a business capability such as order management or catalog read-only).
Custom entities and custom scopes
When you define a custom entity for your tenant, the platform generates a standard set of scopes for that entity, such as:
<entity>.<entity>_read
<entity>.<entity>_manage
<entity>.<entity>_readOwn
<entity>.<entity>_manageOwn
These scopes are available for use in IAM (including access controls) so they can be requested on OAuth2 access tokens for API credentials.
Example: If you add a custom entity such as approval_request, the platform generates scopes for reading and managing that entity. You can then include those scopes in access controls for employee groups that handle approvals.
Custom scope behavior for custom entities
In the Management Dashboard, assigning an access control to a user group can make a custom instance built with a custom entity visible even when the corresponding custom scopes are missing. In that case, users can open the node, but the page content remains empty until the required scopes are included in the assigned access control.
Scope levels determine how much data a user can see:
Global scopes for the entity, such as <entity>.<entity>_read and <entity>.<entity>_manage, provide access to all instances in that custom entity, regardless of who created them.
Ownership-limited scopes, such as <entity>.<entity>_readOwn and <entity>.<entity>_manageOwn, provide access only to instances created by the user.
For custom entity instances, this means users with global scopes can see all records, while users with ownership-limited scopes (_readOwn, _manageOwn) see only their own records.
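The following added example (not the platform's own code) models the visibility rules above so you can check what a given scope set would expose before assigning it. It assumes the token's scope claim is a space-delimited string, and the created_by field and sample records are hypothetical.

```python
# Added illustration of the scope rules described on this page.
# It is a model for reviewing access controls, not the platform's enforcement code.

SUFFIXES = ("read", "manage", "readOwn", "manageOwn")


def generated_scopes(entity):
    """Scope names the page lists for a custom entity, keyed by suffix."""
    return {s: f"{entity}.{entity}_{s}" for s in SUFFIXES}


def visibility(entity, granted):
    """Return 'all', 'own' or 'none' for a set of granted scope names.

    Matching is by exact name: a substring test would wrongly treat
    <entity>_readOwn as the global <entity>_read scope.
    """
    names = generated_scopes(entity)
    if names["read"] in granted or names["manage"] in granted:
        return "all"   # global scopes: every instance, whoever created it
    if names["readOwn"] in granted or names["manageOwn"] in granted:
        return "own"   # ownership-limited scopes: creator's instances only
    return "none"      # node may open, but the page content stays empty


def visible_instances(entity, scope_claim, user_id, instances):
    """Filter instances the way the page describes for this user."""
    level = visibility(entity, set(scope_claim.split()))
    if level == "all":
        return list(instances)
    if level == "own":
        # 'created_by' is a hypothetical field name for the instance creator
        return [i for i in instances if i["created_by"] == user_id]
    return []


# Constructed sample records for the approval_request entity
INSTANCES = [
    {"id": "ar-1", "created_by": "alice"},
    {"id": "ar-2", "created_by": "bob"},
]

if __name__ == "__main__":
    own = "approval_request.approval_request_readOwn"
    print(visible_instances("approval_request", own, "alice", INSTANCES))
```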
Media visibility in custom instances
When a custom instance is created, the media tab used for uploading files is available only to users who have the media.asset_read scope added.