Scope sp:scopes:all required just for updating/putting Schema

Which IIQ version are you inquiring about?

Unsure

Share all details about your problem, including any error messages you may have received.

I am following the principle of least privilege to configure a PAT to give our deploy tool the ability to update our Web Service connector implementation during a routine deployment. I have been going API by API, granting it just the scope it needs to use the specific API.

All was going well until I got to the schemas API. The documentation states sp:scopes:all is required. Is this correct? That gives access to all APIs and is the highest privileged scope. Is there not something more specific for schema?

Hi @ptidwell, not sure, do you mean the SailPoint ISC?

Because the reference document is for ISC, but you asked it in IIQ Discussion and Questions.

Hi @ptidwell

Currently, the documentation and API behavior generally indicate that for modifying or creating schemas, sp:scopes:all is the required scope.

As per the document: If no scope is listed for the endpoint, select sp:scopes:all.

Please check the document below for more details on Authorization:

Authorization | SailPoint Developer Community