# Scopes

The **Custom Scopes** view is where you define and review the scopes available in your tenant. This includes platform scopes, tenant-defined scopes, and scopes generated for custom entities.

Custom scopes are the starting point for access setup across your organization:

* **Employee access** - users in your organization who work in the Management Dashboard.
* **Customer access** - external users, for example B2B buyers or partner users.
* **Integrations** - API clients that use tenant scopes in tokens.

As a tenant administrator, you manage the scopes that apply to your tenant and then use them in [Access Controls](/ce/management-dashboard/administration/access-controls.md) to grant the right level of access to groups.

<figure><img src="/files/acV8eCFqoVibWxq1pd2l" alt="Scopes view"><figcaption><p>Scopes view</p></figcaption></figure>

Benefits for your organization:

* **Instant control:** Tenant administrators can define and update access rules on their own, without opening an IT ticket.
* **Seamless coverage:** The same scope model applies to **employees**, **customers**, and **OAuth2** integrations, so you avoid a patchwork of unrelated mechanisms.
* **Future-proof:** New business units, partners, or custom data can be covered as you extend the model.
* **Transparency:** You can see and manage scopes in one place instead of guessing who can reach which data or APIs.

With custom scopes, you decide who can access what across internal users, external users, and integrations, while keeping the model clear and consistent.

**Example:**

If your organization has separate teams for order fulfillment by market, you can define scopes that reflect those responsibilities (for example, order view and order manage scopes). You can then reuse the same scopes in access controls for employee groups such as `DE Order Fulfillment` and `FR Order Fulfillment`, and for customer-facing use cases where needed.

## Creating a scope

Where the product allows it, you can add a **tenant-defined scope** (for example to label a business capability such as order management or catalog read-only).

{% stepper %}
{% step %}

#### Choose to create a new scope

In the **Administration** module, go to the **Scopes** view and choose the **Create Scope** action.
{% endstep %}

{% step %}

#### Provide the scope details

Provide the scope **Name**, for example, *order\_manage* or *catalog\_viewer*. You can add an optional description that explains the purpose and capabilities of the access control.

<figure><img src="/files/RpGYoWBOvYF2s1DNMJlB" alt="Creating a scope" width="400"><figcaption><p>Creating a custom scope</p></figcaption></figure>
{% endstep %}

{% step %}

#### Save your changes

When you're done, choose **Save**. The scope is added to the list.
{% endstep %}
{% endstepper %}

## Custom entities and custom scopes

When you define a **custom entity** for your tenant, the platform generates a standard set of scopes for that entity, such as:

* `<entity>.<entity>_read`
* `<entity>.<entity>_manage`
* `<entity>.<entity>_readOwn`
* `<entity>.<entity>_manageOwn`

These scopes are available for use in IAM (including [access controls](/ce/management-dashboard/administration/access-controls.md)) so they can be requested on OAuth2 access tokens for API credentials.

**Example:** If you add a custom entity such as `approval_request`, the platform generates scopes for reading and managing that entity. You can then include those scopes in access controls for employee groups that handle approvals.

### Custom scope behavior for custom entities

In the Management Dashboard, assigning an access control to a user group can make a custom instance built with a custom entity visible even when the corresponding custom scopes are missing. In that case, users can open the node, but the page content remains empty until the required scopes are included in the assigned access control.

Scope levels determine how much data a user can see:

* Global scopes for the entity, such as `<entity>.<entity>_read` and `<entity>.<entity>_manage`, provide access to all instances in that custom entity, regardless of who created them.
* Ownership-limited scopes, such as `<entity>.<entity>_readOwn` and `<entity>.<entity>_manageOwn`, provide access only to instances created by the user.

For custom entity instances, this means users with global scopes can see all records, while users with ownership-limited scopes (`_readOwn`, `_manageOwn`) see only their own records.

### Media visibility in custom instances

When a custom instance is created, the media tab used for uploading files is available to users only when their access includes the `media.asset_read` scope.
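The scope levels and the media rule described above can be modeled as a small check for reviewing what a given set of scopes exposes. This is an added example, not Emporix code: the space-delimited scope string, the `created_by` field, the sample records and all function names are assumptions, and each scope is matched literally because the page does not state whether `_manage` implies `_read`.

```python
def parse_scopes(scope_claim: str) -> set[str]:
    """Split a space-delimited OAuth2 scope string (assumed token format)."""
    return set(scope_claim.split())


def access_level(granted: set[str], entity: str, action: str) -> str:
    """Return 'all', 'own' or 'none' for the action 'read' or 'manage'."""
    if action not in ("read", "manage"):
        raise ValueError(f"unknown action: {action}")
    if f"{entity}.{entity}_{action}" in granted:
        return "all"   # global scope: every instance, whoever created it
    if f"{entity}.{entity}_{action}Own" in granted:
        return "own"   # ownership-limited scope: only the user's instances
    return "none"      # each scope is matched literally, no implied grants


def visible_records(records, user_id, granted, entity):
    """Filter custom entity instances the way the scope levels describe."""
    level = access_level(granted, entity, "read")
    if level == "all":
        return list(records)
    if level == "own":
        # 'created_by' is a hypothetical owner field used for illustration
        return [r for r in records if r["created_by"] == user_id]
    return []          # the node may open, but the page content stays empty


def media_tab_visible(granted: set[str]) -> bool:
    """The media tab requires media.asset_read in addition to entity scopes."""
    return "media.asset_read" in granted


# Constructed sample data for the page's approval_request example
RECORDS = [
    {"id": "ar-1", "created_by": "alice"},
    {"id": "ar-2", "created_by": "bob"},
]
APPROVER = parse_scopes("approval_request.approval_request_read media.asset_read")
REQUESTER = parse_scopes(
    "approval_request.approval_request_readOwn "
    "approval_request.approval_request_manageOwn"
)
UNRELATED = parse_scopes("catalog_viewer")  # tenant-defined scope, no entity access

if __name__ == "__main__":
    for name, scopes in [("approver", APPROVER), ("requester", REQUESTER),
                         ("unrelated", UNRELATED)]:
        ids = [r["id"] for r in visible_records(RECORDS, "alice", scopes,
                                                "approval_request")]
        print(name, ids, "media tab:", media_tab_visible(scopes))
```

Running the same check against each group's access control before assigning it shows which groups would get global visibility, which would see only their own records, and which would land on an empty page.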

