Skip to content

Authorizing the application Roles and Scopes

Scopes: A scope is the smallest entity that describes a single permission.

Scopes describe permissions which are listed in the access token as named parameters. When accessing an endpoint or application within MindSphere, the MindSphere Identity and Access Management automatically adds the required scopes to the access token if the respective user has access permission. Scopes must adhere to the following naming convention: {application_name}.{scope}.

It can either be assigned to a user via the Settings application or added to an application role to configure access to MindSphere APIs. For example, the "Core" role mdsp:core:<role.name>, you can add to the application role so that this application can read time series data. This assignment makes all the scopes of the core role available in your application role.

Roles: A role is a collection of multiple scopes (permissions). These roles can be assigned to a user.

The scopes can be assigned to one or more default application roles. For more information on API specific roles and the available scopes, see Developer Documentation.

Note

  • By default, the application scope with "Admin" role is automatically added to a newly created application.
  • Once you create another role and scope, you can delete the default role and scope.
  • At least, one role and scope is required to access the application.
  • Adding new roles and scopes will not be added to the application which is provisioned to test environments.

User interface

You can authorizing the required scopes and roles to the application.

authorization-information-ui

Parameter Description
Application Scopes You can add your application scopes under the "Application Scopes" section. By default, an admin role with a scope is created for an application. You can create the scopes, apart from the default scope.
Third Party App Roles You can add the dependent third party API role and assign it to the application role under the "Third Party API Roles" section.
MindSphere API Roles You can add your application scope to the MindSphere specific API roles under the "MindSphere API Roles" section.
Add a Role You can add a new customized role for the application and add scope(s) for the newly added role.

Procedure

To add the application specific roles and scopes, follow these steps:

  1. In "Authorization Information", click "Add a Roles".

    new-application-role

  2. Enter the application specific role "Name" and "Description" and then click "Save".

  3. In "Authorization Configuration" section, click "Add new application scope" to add the scope for the application specific role and click "Save".

    application-scopes

  4. In "Authorization Configuration" section, click "Add MindSphere API role" to configure the scope for the MindSphere specific API role and click "Configure".

    configure-additional-roles

  5. After adding the roles and scopes to the application and click "Save".

Result

The application is successfully added with application specific roles and scopes.

configured-additional-roles-and-scopes

Any questions left?

Ask the community


Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.


Last update: September 2, 2022