Skip to content

OAuth Scopes

Overview

OAuth scopes allow you to specify the level of access your application needs to a user’s account. When initiating an authorization request, users will be prompted to consent to the requested scopes. By restricting your application’s scopes, you provide transparency to the user and protect their account from misuse.

Scopes are also available for use in the Roles API to provide granular control over what users can do in Qlik Cloud.

Note

Scopes can only limit access for OAuth tokens; they cannot be used to grant any additional access to the user than they have assigned via their roles.

How it works

As an integration developer, you specify your desired scopes in the initial OAuth authorization request.

GET /oauth/authorize?scope=automations apps:read spaces:read identity.name:read

The requested scopes are presented to users for their approval. Any previously approved scopes are not presented again to the user but are still available for the application to use, but applications should always examine what scopes are available on tokens because users can remove previously approved scopes between authorizations.

The authorization server will attempt to grant all the scopes in the client’s allow list even when the scope param is empty, but only scopes in the allow list that are approved by the user will be granted. To request scopes for approval from the user, they must be explicitly included on the authorization request using the scope query param. The offline_access scope is an exception, it won’t be granted implicitly, and it must be requested to get a refresh token.

a screenshot of the consent dialog showing the requested scopes

Available scopes

Tip

The user_default and admin_classic scopes should be used only where less broad scopes are not available. Always enforce least privilege principles as good practice.

ScopeDescription
user_defaultFull access to your account and content (dynamic - provides user scopes required for normal tenant use)
admin_classicFull administrator access to your tenant (dynamic - provides standard interactive administration scopes, but excludes admin.apps)
admin.appsRead and manage all apps in the tenant, with full access to all private content in the app
admin.apps:exportExport all apps in the tenant
admin.apps:readRead all apps in the tenant
admin.assistantsRead and manage all assistants
admin.assistantsRead and manage all assistants
admin.automationsRead and manage all automations in the tenant
admin.automations:readRead all automations in the tenant
admin.knowledgebasesRead and manage all knowledge bases
admin.spacesRead and manage all spaces in the tenant
admin.spaces:readRead all spaces in the tenant
admin.usersRead and manage all users
admin.users:readFull read access to all users
appsRead and manage your apps
apps.data:exportDownload all app content or images and PDFs only, blocking data downloads
apps.image:exportDownload app content as images and PDFs only
apps:exportExport your apps
apps:readRead your apps
assistantsRead and manage assistants
assistantsRead and manage assistants
assistants:readBasic query access to assistants
assistants:readBasic query access to assistants
automationsRead and manage your automations
automations:readRead your automations
automl-deploymentsRead and manage your ML deployments
automl-experimentsRead and manage your ML experiments
identity.email:readRead your email address
identity.name:readRead your full name
identity.picture:readRead your profile picture
identity.subject:readRead your user subject identifier
knowledgebasesRead and manage knowledge bases
knowledgebases:indexIndex content in knowledge bases
knowledgebases:readRead access to knowledge bases
knowledgebases:searchSearch content in knowledge bases
offline_accessAccess resources while you are offline
spaces.dataRead and manage your data spaces
spaces.data:readRead your data spaces
spaces.managedRead and manage your managed spaces
spaces.managed:readRead your managed spaces
spaces.sharedRead and manage your shared spaces
spaces.shared:readRead your shared spaces
usersBasic read access to users and management of your user preferences
users:readBasic read access to users
Was this page helpful?