Skip to content

Assign application Roles and Scopes

The application roles and scopes (permissions) are used to define the access for securing your application. For more information, see Roles & Scopes for applications.

Management of Roles and Scopes

Scopes: A scope is the smallest entity that describes a single permission.

Scopes describe permissions which are listed in the access token as named parameters. When accessing an endpoint or application within Insights Hub, the Identity and Access Management automatically adds the required scopes to the access token if the respective user has access permission.

Scopes must adhere to the following naming convention: {application_name}.{scope}.

Roles: A role is a collection of multiple scopes (permissions). These roles can be assigned to a user.

It can either be assigned to a user via the Settings application or added to an application role to grant access to APIs. For example, the Core role mdsp:core:iot.timUser can be added to the application role so that this application can read time series data. This assignment makes all the scopes of the Core role available in your application role.

The scopes can be assigned to one or more default application roles. For more information on API specific roles and the available scopes, see Developer Documentation.


  • By default, the application scope with "Admin" role is automatically assigned to a newly created application.
  • Once you create another role and scope, you can delete the default role and scope.
  • Atleast, one role and scope is required to access the application.

User interface of "Roles and scopes Management"

"Scopes and API Roles" screen:

In "App Roles" screen, you can assign the required scopes and roles to the application specific roles, for a selected application.

Scopes and API Roles

Parameters table

Parameter Description
Application Scopes You can add your application scopes under the "Application Scopes" section. By default, an admin role with a scope is created for an application. You can create the scopes, apart from the default scope.
API Roles You can add your application scope to the specific API roles under the "API Roles" section.
Third Party API Roles You can add the dependent third party API role and assign it to the application role under the "Third Party API Roles" section.
Provisioned API Scopes You can add your application for mapping with the provisioned application scopes under the "Provisioned API Scopes" section.

Procedure for assigning roles and scopes

To assign roles and scopes for an application, follow the steps:

  1. In application overview page, click "Configure" after saving the application.
  2. In Authorization Management, select "App Roles" tab.
  3. In the "Applications" window, select your saved application from the list.
  4. In "Scopes & API Roles" tab, click "Create scope" to enter the scope name and enable the check box for Admin or User or both, as per requirement and click "Save".


  • When the mobile type application is created, it is automatically assigned with a default scope: "._access" . This default scope "<appname>._access" is for mobile application only. This scope cannot be modified or deleted by the user. If you add roles to your application, by default the scope is assigned to the created role.
  • Creating at least one scope is mandatory to proceed for the registration of the application.
  • Every application specific scope is automatically prefixed with the application name.
  • Every role can be found in "Settings" in the following scheme: mdsp:<tenantname>:<application>.<role>.
  • Avoid creating scopes which contains the scripting word like, “document.write”. As these scopes will create an issue for IAM transactions.

5.Click "Add API Role" and fill the application role name with description from the drop-down menu displayed in the dialog box and click "Save".
6.Click "Add Third Party API role" and fill the Third party API role name with description from the drop-down menu displayed in the dialog box and click "Save".
7.Click "Add Service Scope Mapping" and select an application scope to map the provisioned app scopes to your application and click "Add Mapping".


The application successfully added with roles and scopes.

Roles and Scopes


Only standard applications with third-party API roles assigned can access API applications.

Next step

You can access advanced token exchange to provision the APIs. For more information, see Accessing Industrial IoT /Token APIs.

Last update: January 22, 2024