# 2026-05-13: IAM Service - access control restrictions, predefined scopes, and deprecations

## Overview

The IAM Service has been extended in three main areas, and the legacy roles/permissions/resources object model is being phased out.

### Access control assignment restrictions

Access controls now expose a `restrictedTo` property that limits the type of group an access control can be assigned to:

* `CUSTOMER` - the access control can be assigned only to groups of `CUSTOMER` user type.
* `EMPLOYEE` - the access control can be assigned only to groups of `EMPLOYEE` user type.

If `restrictedTo` is not present on an access control, it can be assigned to any group regardless of its user type.

### Multiple domains per access control

The `domain` property on access controls has been replaced with `domains` - a list of domain identifiers.

### Predefined scopes

The endpoints for listing and retrieving scopes now also return predefined scopes, and scope responses now include a read-only `predefined` flag indicating whether a scope is system-defined or user-created. Predefined scopes can also be referenced when creating or updating access controls.

### Deprecation of the roles, permissions, and resources model

The legacy roles, permissions, and resources object model is being phased out. The endpoints that retrieve these objects, as well as the `roleId` and `resourceId` properties on access controls and the `expand`, `roleId`, and `resourceId` query parameters that resolved them, are now deprecated. The endpoints for retrieving user access controls and user permissions for a specific resource - which are also tied to the legacy model - are deprecated as well.

{% hint style="warning" %}
The deprecated endpoints, properties, and query parameters listed above are no longer maintained and will be removed on **October 1, 2026**. Make sure to migrate any integrations that still rely on them before that date.
{% endhint %}
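
A pre-migration check for the changes above, as an added example that is not Emporix code: it applies the `restrictedTo` assignment rule to a set of group assignments and flags the deprecated properties and query parameters an integration still uses. The object shapes, ids, example URL, and the group-to-user-type map are constructed assumptions; only the property and query parameter names come from this changelog.

```python
from urllib.parse import urlsplit, parse_qs

# Names taken from this changelog.
DEPRECATED_PARAMS = {"expand", "roleId", "resourceId"}
DEPRECATED_PROPS = {"roleId", "resourceId"}

def assignment_allowed(access_control, group_user_type):
    """An absent restrictedTo permits any group; otherwise the types must match."""
    restricted_to = access_control.get("restrictedTo")
    return restricted_to is None or restricted_to == group_user_type

def audit_url(url):
    """Deprecated query parameters present on an access-controls request URL."""
    parts = urlsplit(url)
    if "access-controls" not in parts.path:
        return []
    used = parse_qs(parts.query, keep_blank_values=True).keys()
    return sorted(DEPRECATED_PARAMS & used)

def audit_access_control(ac):
    """Legacy properties in an access control object an integration stores or sends."""
    findings = sorted(f"deprecated property: {p}" for p in DEPRECATED_PROPS & ac.keys())
    if "domain" in ac:
        findings.append("'domain' was replaced by the list 'domains'")
    return findings

def invalid_assignments(access_controls, groups, assignments):
    """(group id, access control id) pairs that violate restrictedTo."""
    return [(g, a) for g, a in assignments
            if not assignment_allowed(access_controls[a], groups[g])]

# Constructed sample data (assumed shapes, not real tenant data).
ACCESS_CONTROLS = {
    "ac-1": {"id": "ac-1", "restrictedTo": "EMPLOYEE", "domains": ["d-1", "d-2"]},
    "ac-2": {"id": "ac-2", "domain": "d-1", "roleId": "r-9"},
}
GROUPS = {"g-staff": "EMPLOYEE", "g-buyers": "CUSTOMER"}  # group id -> user type
ASSIGNMENTS = [("g-staff", "ac-1"), ("g-buyers", "ac-1"), ("g-buyers", "ac-2")]
SAMPLE_URL = "https://api.example.test/iam/tenant/access-controls?expand=x&resourceId=res-1"

if __name__ == "__main__":
    print(invalid_assignments(ACCESS_CONTROLS, GROUPS, ASSIGNMENTS))
    for ac in ACCESS_CONTROLS.values():
        print(ac["id"], audit_access_control(ac))
    print(audit_url(SAMPLE_URL))
```
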

## Updated endpoints

| Endpoint                                                                                                                                                                                                    | Description                                                                                                                                                                                                                |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Retrieving all access controls](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/access-controls#get-iam-tenant-access-controls)                             | Property `restrictedTo` introduced. Property `domain` replaced with `domains`. Response properties `roleId` and `resourceId` are now deprecated. Query parameters `expand`, `roleId`, and `resourceId` are now deprecated. |
| [Retrieving an access control](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/access-controls#get-iam-tenant-access-controls-accesscontrolid)               | Property `restrictedTo` introduced. Property `domain` replaced with `domains`. Response properties `roleId` and `resourceId` are now deprecated. Query parameter `expand` is now deprecated.                               |
| [Upserting an access control](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/access-controls#put-iam-tenant-access-controls-accesscontrolid)                | Property `restrictedTo` introduced. Property `domain` replaced with `domains`. Predefined scopes can now be used when creating or updating access controls.                                                                |
| [Retrieving all access controls assigned to a group](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/groups#get-iam-tenant-groups-groupid-access-controls)   | Property `restrictedTo` introduced. Property `domain` replaced with `domains`. Response properties `roleId` and `resourceId` are now deprecated. Query parameter `expand` is now deprecated.                               |
| [Retrieving all access controls assigned to a user](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/users#get-iam-tenant-users-userid-access-controls)       | Property `restrictedTo` introduced. Property `domain` replaced with `domains`. Response properties `roleId` and `resourceId` are now deprecated. Query parameter `expand` is now deprecated.                               |
| [Retrieving all access controls assigned to a requested user](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/users#get-iam-tenant-users-me-access-controls) | Property `restrictedTo` introduced. Property `domain` replaced with `domains`. Response properties `roleId` and `resourceId` are now deprecated. Query parameter `expand` is now deprecated.                               |
| [Retrieving all scopes](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/custom-scopes#get-iam-tenant-scopes)                                                 | Response now includes the read-only `predefined` flag. The endpoint now also returns predefined access control scopes in addition to user-created custom scopes.                                                           |
| [Retrieving a scope](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/custom-scopes#get-iam-tenant-scopes-scopeid)                                            | Response now includes the read-only `predefined` flag. The endpoint now also returns predefined access control scopes in addition to user-created custom scopes.                                                           |

## Deprecated endpoints

| Endpoint                                                                                                                                                                                                      | Description          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| [Retrieving all permissions](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/permissions#get-iam-tenant-permissions)                                           | Endpoint deprecated. |
| [Retrieving a permission](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/permissions#get-iam-tenant-permissions-permissionid)                                 | Endpoint deprecated. |
| [Retrieving all resources](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/resources#get-iam-tenant-resources)                                                 | Endpoint deprecated. |
| [Retrieving a resource](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/resources#get-iam-tenant-resources-resourceid)                                         | Endpoint deprecated. |
| [Retrieving a list of roles](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/roles#get-iam-tenant-roles)                                                       | Endpoint deprecated. |
| [Retrieving a role](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/roles#get-iam-tenant-roles-roleid)                                                         | Endpoint deprecated. |
| [Retrieving user access controls for a resource](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/users#get-iam-tenant-users-userid-access-controls-resourceid) | Endpoint deprecated. |
| [Retrieving user permissions for a resource](https://developer.emporix.io/api-references/api-guides/users-and-permissions/iam/api-reference/users#get-iam-tenant-users-userid-permissions-resourceid)         | Endpoint deprecated. |

## Known problems

There are no known problems.


