OAuth Scopes
Overview
OAuth scopes allow you to specify the level of access your application needs to a user’s account. When initiating an authorization request using an interactive OAuth flow, users will be prompted to consent to the requested scopes. By restricting your application’s scopes, you provide transparency to the user and protect their account from misuse.
Scopes are also available for use in the Roles API to provide granular control over what users can do in Qlik Cloud.
Scopes can only limit access for OAuth tokens; they cannot grant the user any access beyond what they have been assigned via their roles.
How it works
As an integration developer, you specify your desired scopes in the initial OAuth authorization request.
GET /oauth/authorize?scope=automations apps:read spaces:read identity.name:read
The requested scopes are presented to users for their approval. Previously approved scopes are not presented to the user again but remain available for the application to use. Applications should always examine which scopes are available on tokens, because users can remove previously approved scopes between authorizations.
The authorization server will attempt to grant all the scopes in the client’s allow list even when the scope param is empty, but only scopes in the allow list that are approved by the user will be granted. To request scopes for approval from the user, they must be explicitly included on the authorization request using the scope query param. The offline_access scope is an exception: it won’t be granted implicitly, and it must be requested to get a refresh token.
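The following is an added example, not Qlik's own code. It builds the authorization request with an explicitly encoded scope list, then compares the scopes on an issued token with what the application needs. It assumes the token response carries a space-delimited `scope` field (as in RFC 6749 section 5.1) and compares scope names by exact match; the tenant URL, client ID, redirect URI and token response are constructed placeholders.

```python
from urllib.parse import urlencode, quote

# Broad scopes the page says to use only where narrower ones are unavailable.
BROAD_SCOPES = {"user_default", "admin_classic"}

# Constructed sample token response (assumed shape, not captured from a tenant).
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "constructed-token",
    "scope": "apps:read admin.automations user_default",
}


def build_authorize_url(tenant_url, client_id, redirect_uri, scopes, state):
    """Build the authorization request with an explicit, encoded scope list."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited, RFC 6749 section 3.3
        "state": state,
    }
    # quote (not quote_plus) encodes the separating spaces as %20.
    return f"{tenant_url}/oauth/authorize?" + urlencode(params, quote_via=quote)


def review_granted_scopes(token_response, required, needs_refresh=False):
    """Compare the scopes on an issued token with what the app needs."""
    granted = set(token_response.get("scope", "").split())
    wanted = set(required)
    if needs_refresh:
        # offline_access is never granted implicitly; it must be requested.
        wanted.add("offline_access")
    return {
        # Scopes the user declined or removed since the last authorization.
        "missing": sorted(wanted - granted),
        # Allow-list scopes granted although this request did not need them.
        "unexpected": sorted(granted - wanted),
        # Broad or administrator scopes worth a least-privilege review.
        "broad": sorted(
            s for s in granted if s in BROAD_SCOPES or s.startswith("admin.")
        ),
    }


if __name__ == "__main__":
    print(build_authorize_url("https://tenant.example", "client-id",
                              "https://app.example/callback",
                              ["apps:read", "automations"], "constructed-state"))
    print(review_granted_scopes(SAMPLE_TOKEN_RESPONSE,
                                ["apps:read", "automations"], needs_refresh=True))
```

A non-empty `missing` list means the application should degrade gracefully or request the scopes again rather than assume earlier consent still holds.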

Scope list
The user_default and admin_classic scopes should be used only where less broad scopes are not available. Always enforce least privilege principles as good practice.
Scopes are grouped into administrator scopes, which provide broad access to resources that the accessing user may not have named access to in the user interface, and user scopes, which provide access to resources that the user has direct access to.
Examples:
- A user with the TenantAdmin role assigned, accessing via an OAuth client with the automations scope, will be able to read and manage only automations they own, or automations in spaces where they have the relevant roles.
- A user with the TenantAdmin role assigned, accessing via an OAuth client with the admin.automations scope, will be able to read and manage all automations in the tenant, irrespective of ownership or space access of the requesting user.
Administrator scopes
These scopes permit administrator level requests via tokens issued by the OAuth client.
Scope | Description |
---|---|
admin_classic | Full administrator access to your tenant (dynamic - provides standard interactive administration scopes, but excludes admin.apps) |
admin.aiplatform | Create a chat conversation with an LLM |
admin.apps | Read and manage all apps in the tenant, with full access to all private content in the app |
admin.apps:export | Export all apps in the tenant |
admin.apps:read | Read all apps in the tenant |
admin.assistants | Read and manage all assistants |
admin.automations | Read and manage all automations in the tenant |
admin.automations:read | Read all automations in the tenant |
admin.knowledgebases | Read and manage all knowledge bases |
admin.spaces | Read and manage all spaces in the tenant |
admin.spaces:read | Read all spaces in the tenant |
admin.users | Read and manage all users |
admin.users:read | Full read access to all users |
admin.webhooks | Manage and access all webhooks |
User scopes
These scopes permit user level requests via tokens issued by the OAuth client.
Scope | Description |
---|---|
user_default | Full access to your account and content (dynamic - provides user scopes required for normal tenant use) |
aiplatform.full-access | Create the full suite of LLM resources including chat, conversation, rerank, embeddings, and security features |
aiplatform.semantic-only | Create semantic-based results with LLM including rerank and embeddings |
aiplatform.gen-ai-only | Create a chat conversation with LLM |
apps | Read and manage your apps |
apps.data:export | Download all app content or images and PDFs only, blocking data downloads |
apps.image:export | Download app content as images and PDFs only |
apps:export | Export your apps |
apps:read | Read your apps |
assistants | Read and manage assistants |
assistants:read | Basic query access to assistants |
automations | Read and manage your automations |
automations:read | Read your automations |
automl-deployments | Read and manage your ML deployments |
automl-experiments | Read and manage your ML experiments |
identity.email:read | Read your email address |
identity.name:read | Read your full name |
identity.picture:read | Read your profile picture |
identity.subject:read | Read your user subject identifier |
knowledgebases | Read and manage knowledge bases |
knowledgebases:index | Index content in knowledge bases |
knowledgebases:read | Read access to knowledge bases |
knowledgebases:search | Search content in knowledge bases |
offline_access | Access resources while you are offline |
spaces.data | Read and manage your data spaces |
spaces.data:read | Read your data spaces |
spaces.managed | Read and manage your managed spaces |
spaces.managed:read | Read your managed spaces |
spaces.shared | Read and manage your shared spaces |
spaces.shared:read | Read your shared spaces |
users | Basic read access to users and management of your user preferences |
users:read | Basic read access to users |
webhooks | Read and access your webhooks |