SailPoint has introduced the ability to assign scopes to personal access tokens. Scopes are granular permissions you can add to personal access tokens (PATs) to create a token that has the least level of privilege needed to fulfill its function. You can check out the documentation here.
Scopes can be managed via the UI or the API. More documentation on how to manage scopes via the UI is coming soon.
By default, each PAT has the scope sp:scopes:all, which grants access to all the rights appropriate for the user level. For example, if your user is an Admin, then the default is full permission to the API. If your user is a Cert Admin, then the default is access to just the endpoints needed by Cert Admins according to the user level matrix.
@RArroyo There isn’t a table of scope access available. Please see this section for information on how to find the scope required for each endpoint. Please be aware that many of our endpoints don’t yet have scopes and we are in the process of adding them, so you may see several endpoints without a defined scope.
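An added example, not part of the original thread and not SailPoint's code: a small audit that flags PATs still carrying the default sp:scopes:all scope described in the announcement, so they can be reviewed for narrowing. The record fields (id, name, owner, scope), the sample tokens, the placeholder scope example:scope:read, and the treatment of an empty scope as the default are all assumptions.

```python
import json

DEFAULT_SCOPE = "sp:scopes:all"  # default scope named in the announcement

# Constructed sample inventory. Field names are an assumption about how a PAT
# listing is exported; "example:scope:read" is a placeholder, not a real scope.
SAMPLE_PATS = json.loads("""
[
  {"id": "pat-001", "name": "cert-report-job", "owner": "alice",
   "scope": ["example:scope:read"]},
  {"id": "pat-002", "name": "legacy-sync", "owner": "bob",
   "scope": ["sp:scopes:all"]},
  {"id": "pat-003", "name": "old-script", "owner": "carol", "scope": null},
  {"id": "pat-004", "name": "mixed", "owner": "dave",
   "scope": ["example:scope:read", " sp:scopes:all "]}
]
""")


def classify(pat):
    """Return 'default-all', 'all-plus-extra' or 'scoped' for one PAT record."""
    raw = pat.get("scope") or []
    if isinstance(raw, str):          # tolerate a single string instead of a list
        raw = [raw]
    scopes = {s.strip() for s in raw if isinstance(s, str) and s.strip()}
    # Assumption: a token with no scope recorded behaves like the default.
    if not scopes or scopes == {DEFAULT_SCOPE}:
        return "default-all"
    # Assumption: scopes are additive, so a narrow scope listed next to
    # sp:scopes:all does not restrict anything.
    if DEFAULT_SCOPE in scopes:
        return "all-plus-extra"
    return "scoped"


def audit(pats):
    """List (id, name, owner, verdict) for every token that is not narrowed."""
    findings = []
    for pat in pats:
        verdict = classify(pat)
        if verdict != "scoped":
            findings.append((pat.get("id"), pat.get("name"), pat.get("owner"), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PATS):
        print("%s  %s  owner=%s  -> %s" % finding)
```

What a flagged token can actually do still depends on its owner's user level, so review findings for Admin-owned tokens first.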