OAuth Scopes
Overview
OAuth scopes allow you to specify the level of access your application needs to a user’s account. When initiating an authorization request, users will be prompted to consent to the requested scopes. By restricting your application’s scopes, you provide transparency to the user and protect their account from misuse.
Scopes are also available for use in the Roles API to provide granular control over what users can do in Qlik Cloud.
Scopes can only limit access for OAuth tokens; they cannot grant the user any access beyond what is already assigned via their roles.
How it works
As an integration developer, you specify your desired scopes in the initial OAuth authorization request.
GET /oauth/authorize?scope=automations apps:read spaces:read identity.name:read
The requested scopes are presented to users for their approval. Any previously approved scopes are not presented again to the user but are still available for the application to use. However, applications should always examine what scopes are available on tokens, because users can remove previously approved scopes between authorizations.
The authorization server will attempt to grant all the scopes in the client’s allow list even when the scope param is empty, but only scopes in the allow list that are approved by the user will be granted. To request scopes for approval from the user, they must be explicitly included on the authorization request using the scope query param. The offline_access scope is an exception: it won’t be granted implicitly, and it must be requested to get a refresh token.
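The following JavaScript is an added example, not Qlik's own code. It builds the authorization request with an explicit scope list, adds offline_access only when a refresh token is needed, and compares the scopes on the returned token with the scopes requested. The tenant host, client values, function names and the space-delimited `scope` field on the token response (RFC 6749 section 5.1) are assumptions.

```javascript
// Added example: names, hosts and the token response shape are assumptions.
const BROAD_SCOPES = new Set(["user_default", "admin_classic"]); // called out as broad on this page

// Build the scope list to request. offline_access is never granted
// implicitly, so it is added explicitly when a refresh token is needed.
function planScopes(needed, { needRefreshToken = false } = {}) {
  const scopes = new Set(needed);
  if (needRefreshToken) scopes.add("offline_access");
  const warnings = [...scopes].filter((s) => BROAD_SCOPES.has(s));
  return { scopes: [...scopes], warnings };
}

// Standard OAuth 2.0 authorization-code parameters (RFC 6749). The scope
// value is space-delimited; URLSearchParams takes care of the encoding.
function buildAuthorizeUrl(tenantBase, { clientId, redirectUri, state, scopes }) {
  const url = new URL("/oauth/authorize", tenantBase);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    scope: scopes.join(" "),
  }).toString();
  return url.toString();
}

// Compare what the token carries with what the application needs.
// Matching is exact: no scope is treated as implying another. A response
// without a `scope` field is treated as granting nothing (fail closed).
function missingScopes(tokenResponse, required) {
  const granted = new Set(String(tokenResponse.scope || "").split(/\s+/).filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Constructed sample: the user removed spaces:read between authorizations.
const plan = planScopes(["automations", "apps:read", "spaces:read"], { needRefreshToken: true });
const sampleToken = { access_token: "<placeholder>", scope: "automations apps:read offline_access" };
const missing = missingScopes(sampleToken, plan.scopes);
if (missing.length > 0) {
  console.log("Disable dependent features or request consent again for:", missing.join(", "));
}
```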

Available scopes
The user_default and admin_classic scopes should be used only where less broad scopes are not available. Always enforce least privilege principles as good practice.
Scope | Description |
---|---|
user_default | Full access to your account and content (dynamic - provides user scopes required for normal tenant use) |
admin_classic | Full administrator access to your tenant (dynamic - provides standard interactive administration scopes, but excludes admin.apps) |
admin.apps | Read and manage all apps in the tenant, with full access to all private content in the app |
admin.apps:export | Export all apps in the tenant |
admin.apps:read | Read all apps in the tenant |
admin.assistants | Read and manage all assistants |
admin.automations | Read and manage all automations in the tenant |
admin.automations:read | Read all automations in the tenant |
admin.knowledgebases | Read and manage all knowledge bases |
admin.spaces | Read and manage all spaces in the tenant |
admin.spaces:read | Read all spaces in the tenant |
admin.users | Read and manage all users |
admin.users:read | Full read access to all users |
apps | Read and manage your apps |
apps.data:export | Download all app content or images and PDFs only, blocking data downloads |
apps.image:export | Download app content as images and PDFs only |
apps:export | Export your apps |
apps:read | Read your apps |
assistants | Read and manage assistants |
assistants:read | Basic query access to assistants |
automations | Read and manage your automations |
automations:read | Read your automations |
automl-deployments | Read and manage your ML deployments |
automl-experiments | Read and manage your ML experiments |
identity.email:read | Read your email address |
identity.name:read | Read your full name |
identity.picture:read | Read your profile picture |
identity.subject:read | Read your user subject identifier |
knowledgebases | Read and manage knowledge bases |
knowledgebases:index | Index content in knowledge bases |
knowledgebases:read | Read access to knowledge bases |
knowledgebases:search | Search content in knowledge bases |
offline_access | Access resources while you are offline |
spaces.data | Read and manage your data spaces |
spaces.data:read | Read your data spaces |
spaces.managed | Read and manage your managed spaces |
spaces.managed:read | Read your managed spaces |
spaces.shared | Read and manage your shared spaces |
spaces.shared:read | Read your shared spaces |
users | Basic read access to users and management of your user preferences |
users:read | Basic read access to users |