Role scopes
Role scopes allow you to specify the level of access granted to any users or groups via tenant roles.
By default, every user in a tenant inherits the scopes assigned to the userDefault role. Users assigned the TenantAdmin role can make changes to userDefault to amend this default configuration, as well as create and manage their own role definitions, which can provide fine-grained access to specific users or groups.
Note: Where OAuth2 is used for authorization, a user’s access via that OAuth2 client can be further configured with OAuth2 scopes.
Role scopes
Not all scopes are available for use in userDefault. Some scopes will only be available with certain subscription entitlements. To retrieve your entitlements, you can call the License overview endpoint.
Scope Name | Scope Description | Can be assigned to custom roles | Can be assigned to userDefault | Required entitlement |
---|---|---|---|---|
automations.shared | Read and manage your automations in shared spaces | ✔ | ✖️ | - |
apps.data:export | Download all app content or images and PDFs only, blocking data downloads. | ✔ | ✔ | - |
apps.image:export | Download app content as images and PDFs only | ✔ | ✔ | - |
insight-advisor.limited | Generate advanced analysis types with visualizations and natural language insights in a few clicks. | ✔ | ✔ | - |
insight-advisor.genai | Generate advanced analysis types with visualizations and natural language insights in a few clicks. | ✔ | ✔ | - |
insight-advisor-chat.limited | Use natural language to ask questions and search apps. | ✔ | ✔ | - |
insight-advisor-chat.genai | Use natural language to ask questions and search apps. | ✔ | ✔ | - |
knowledgebases:read | Read access to knowledge bases | ✔ | ✔ | totalPagesIndexed |
knowledgebases:index | Index content in knowledge bases | ✔ | ✔ | totalPagesIndexed |
knowledgebases:search | Search content in knowledge bases | ✔ | ✔ | totalPagesIndexed |
knowledgebases | Read and manage knowledge bases | ✔ | ✔ | totalPagesIndexed |
assistants:read | Basic query access to assistants | ✔ | ✔ | numQuestionsPerMonth |
assistants | Read and manage assistants | ✔ | ✔ | numQuestionsPerMonth |
admin.automl-models:approve | Approve or reject all AutoML models in the tenant | ✔ | ✖️ | - |
automl-models:approve | Approve or reject AutoML models in spaces to which you have edit access | ✔ | ✔ | - |
shareable-links.public | Create and manage public content links | ✔ | ✔ | anonymousCapacity |
dataproduct | Create and manage data products | ✔ | ✖️ | dataProduct |
dataproduct:consume | Read and list data products | ✔ | ✔ | dataProduct |
dataquality | Compute and refresh data qualities | ✔ | ✔ | dataQuality |
semantictype | Create and manage semantic types | ✔ | ✔ | dataQuality |
semantictype.consume | Read and list semantic types | ✔ | ✔ | dataQuality |
admin.semantictype | Read, list and delete semantic types | ✔ | ✖️ | dataQuality |