Skip to content

Defining the permissions scheme

Now that you added your application to the service, you will see it in the applications portal home page, under the "My Applications" section, along with the other applications you own or manage.

applications list

Click on the edit button next to the entry for your application in the list, and you will access a page that will allow you to modify your application information, define roles for your application and register it for Single Sign On.

edit app

Application permission schemes

To configure the permissions scheme for your application, there are several options.
Check the links in the individual descriptions for full information.

The recommended way is to define roles for your application and use role based permission.
This is the option requiring the least privileges for your application, as the SSO will provide some well defined permission information in the users' token without including all the users' groups memberships, which could have privacy and practical implications (problem with user token size when a user is member of too many groups).

If your application explicitly needs information about all the groups the logged-in user is member of, you can use a groups based permission scheme instead.
Since this has technical and privacy implications, it is necessary to open a request via Service Now to enable the behavior.

Some applications might require special privileges to process custom authorization implementations, with even higher privacy implications.
Permissions are assigned to applications through groups, as it happens for users.
You can see which groups your application is a member of in the "Groups Membership" tab of the Applications Portal.

The following table describes special permissions in the Authorization Service API that can be granted to applications.

Desired Query Required Group Membership
Read Groups authorization-service-groups-readers
Create groups and manage groups that you own authorization-service-groups-users
Read Applications authorization-service-applications-readers
Create and Modify Applications owned by other identities authorization-service-applications-managers
Read Identities authorization-service-identity-readers

If your application requires one of the permissions above, create a Service Now request using the following form: Special application permissions request.

The requests are reviewed and approved by the Authorizations Service supporters.