2026-04-13: Schema Service - custom instance scopes, owner, and type-scoped access

Overview

This functionality is still under development and not yet fully complete. Updates to the Management Dashboard for this area are currently in progress.

The Schema Service now exposes finer-grained access for custom instances, returns ownership metadata on custom instances, and automatically provisions type-specific scopes when a custom entity type is created.

When a new custom schema type is created the platform provisions scopes for that type so clients can read and manage custom instances of that type using the custom.{lowerCaseType}_* pattern.

Custom instance APIs accept one of several scopes:

Read:
- schema.custominstance_read
- custom.{lowerCaseType}_read
- custom.{lowerCaseType}_read_own
Manage:
- schema.custominstance_manage
- custom.{lowerCaseType}_manage
- custom.{lowerCaseType}_manage_own

Tenant-wide scopes apply to all custom types, while type-specific scopes restrict access to a single custom entity type.

Custom instance responses include a read-only owner object indicating who created the instance: type (EMPLOYEE, CUSTOMER, or SERVICE), userId, and for customer owners an optional legalEntityId.

Updated Endpoints

Endpoint

Description

Creating a custom schema type

Creating a new type provisions scopes for reading and managing custom instances of that type.

Upserting a custom schema type

When the upsert creates a new type, scopes are provisioned for that type’s custom instances.

Retrieving all custom instances

Authorization now accepts type-specific read / read_own scopes; each item includes an owner property.

Retrieving a custom instance

Authorization now accepts type-specific read / read_own scopes; each item includes an owner property.

Searching for custom instances

Authorization now accepts type-specific read / read_own scopes; each item includes an owner property.

Creating a custom instance

Authorization now accepts type-specific manage / manage_own scopes.

Upserting a custom instance

Authorization now accepts type-specific manage / manage_own scopes.

Patching a custom instance

Authorization now accepts type-specific manage / manage_own scopes.

Deleting a custom instance

Authorization now accepts type-specific manage / manage_own scopes.

Creating custom instances in bulk

Authorization now accepts type-specific manage / manage_own scopes.

Upserting custom instances in bulk

Authorization now accepts type-specific manage / manage_own scopes.

Deleting custom instances in bulk

Authorization now accepts type-specific manage / manage_own scopes.

Known problems

There are no known problems.

Previous2026-04-21: Customer Service - session context attributes on anonymous login Next2026-04-13: IAM Service - custom scopes and access controls

Last updated 1 month ago

Was this helpful?