2026-05-13: IAM Service - access control restrictions, predefined scopes, and deprecations
Overview
The IAM Service has been extended in three main areas, and the legacy roles/permissions/resources object model is being phased out.
Access control assignment restrictions
Access controls now expose a restrictedTo property that limits the type of group an access control can be assigned to:
CUSTOMER - the access control can be assigned only to groups of CUSTOMER user type.
EMPLOYEE - the access control can be assigned only to groups of EMPLOYEE user type.
If restrictedTo is not present on an access control, it can be assigned to any group regardless of its user type.
Multiple domains per access control
The domain property on access controls has been replaced with domains - a list of domain identifiers.
Predefined scopes
The endpoints for listing and retrieving scopes now also return predefined scopes, and scope responses now include a read-only predefined flag indicating whether a scope is system-defined or user-created. Predefined scopes can also be referenced when creating or updating access controls.
Deprecation of the roles, permissions, and resources model
The legacy roles, permissions, and resources object model is being phased out. The endpoints that retrieve these objects, as well as the roleId and resourceId properties on access controls and the expand, roleId, and resourceId query parameters that resolved them, are now deprecated. The endpoints for retrieving user access controls and user permissions for a specific resource - which are also tied to the legacy model - are deprecated as well.
The deprecated endpoints, properties, and query parameters listed above are no longer maintained and will be removed on October 1, 2026. Make sure to migrate any integrations that still rely on them before that date.
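As an added example (not code from the IAM Service or its documentation), the following audit flags use of the deprecated query parameters and properties in recorded integration traffic and applies the restrictedTo assignment rule described above. The host, paths, ids, the JSON array shape and the group user type argument are assumptions; only the property and parameter names come from this release note.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Names below come from the release note.
DEPRECATED_PARAMS = ("expand", "roleId", "resourceId")
DEPRECATED_PROPS = ("roleId", "resourceId")

def audit_request_url(url):
    """Return the deprecated query parameters used in a request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(p for p in DEPRECATED_PARAMS if p in query)

def audit_access_control(ac):
    """Return legacy-model findings for one access control object."""
    findings = [f"deprecated property {p}" for p in DEPRECATED_PROPS if p in ac]
    if "domain" in ac and "domains" not in ac:
        findings.append("domain used instead of domains")
    return findings

def can_assign(ac, group_user_type):
    """restrictedTo absent: any group. Present: group user type must match."""
    return "restrictedTo" not in ac or ac["restrictedTo"] == group_user_type

def audit_traffic(records):
    """Map each recorded request URL to its findings; clean requests are omitted."""
    report = {}
    for url, body in records:
        findings = [f"deprecated query parameter {p}" for p in audit_request_url(url)]
        for ac in json.loads(body):
            findings += [f"{ac.get('id', '?')}: {f}" for f in audit_access_control(ac)]
        if findings:
            report[url] = findings
    return report

# Constructed sample traffic: host, paths, ids and the JSON array shape are assumptions.
SAMPLE = [
    ("https://iam.example.test/access-controls?expand=role",
     '[{"id": "ac-1", "domain": "orders", "roleId": "r-9", "restrictedTo": "EMPLOYEE"}]'),
    ("https://iam.example.test/access-controls",
     '[{"id": "ac-2", "domains": ["orders", "billing"]}]'),
]

if __name__ == "__main__":
    for url, findings in audit_traffic(SAMPLE).items():
        print(url, *findings, sep="\n  ")
```

A present but unrecognized restrictedTo value never matches a group type here, so the check fails closed.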
Updated endpoints
Property restrictedTo introduced. Property domain replaced with domains. Response properties roleId and resourceId are now deprecated. Query parameters expand, roleId, and resourceId are now deprecated.
Property restrictedTo introduced. Property domain replaced with domains. Response properties roleId and resourceId are now deprecated. Query parameter expand is now deprecated.
Property restrictedTo introduced. Property domain replaced with domains. Predefined scopes can now be used when creating or updating access controls.
Property restrictedTo introduced. Property domain replaced with domains. Response properties roleId and resourceId are now deprecated. Query parameter expand is now deprecated.
Property restrictedTo introduced. Property domain replaced with domains. Response properties roleId and resourceId are now deprecated. Query parameter expand is now deprecated.
Property restrictedTo introduced. Property domain replaced with domains. Response properties roleId and resourceId are now deprecated. Query parameter expand is now deprecated.
Response now includes the read-only predefined flag. The endpoint now also returns predefined access control scopes in addition to user-created custom scopes.
Response now includes the read-only predefined flag. The endpoint now also returns predefined access control scopes in addition to user-created custom scopes.
Deprecated endpoints
Endpoint deprecated.
Endpoint deprecated.
Endpoint deprecated.
Endpoint deprecated.
Endpoint deprecated.
Endpoint deprecated.
Endpoint deprecated.
Endpoint deprecated.
Known problems
There are no known problems.