Scope governance

Scope governance is how you control who can grant, request, or consent to a scope, and under what conditions. On SecureAuth Connect, scope governance is expressed as policies attached to each scope. When a client requests a token that includes the scope, or when a user is asked to consent to it, SecureAuth evaluates the attached policies and decides whether the scope can be granted.

Scope governance happens at token issuance, so the decision is carried in the access token itself rather than being re-evaluated at the API. This shifts authorization earlier in the flow and keeps the governance model consistent across every service that accepts the token.

What scope governance covers

Each scope can carry policies targeted to four types of subjects:

| Subject | What the policy governs |
| --- | --- |
| Human users | Whether the Authorization Code flow can use the scope, and under what conditions (for example, requiring MFA at consent). |
| Machine users | Whether the Client Credentials flow can use the scope, and which clients qualify. |
| Third-party developers | Whether a developer can subscribe an application to the scope, and which metadata checks must pass. |
| Dynamically registered clients | Whether a dynamically registered client can subscribe to the scope, and the conditions it must meet. |

You can attach any combination of these policies to a scope. The set of attached policies is the scope's governance model.

Common governance patterns

Require MFA at consent for sensitive scopes

Attach a Consent Grant policy that requires MFA when a user is asked to approve a scope that grants access to sensitive data.

Restrict scope assignment to approved clients

Attach a Client Assignment policy that allows only specific clients, or clients with specific metadata, to be granted the scope.

Gate third-party developer access

Attach a Developer policy that requires a developer to meet specific attestation or metadata requirements before they can subscribe an application to the scope.

Gate federated client registration

Attach a DCR policy for ecosystems where external parties register clients programmatically, for example open finance.
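The following is an added illustration of the governance model described in the subject table and the patterns above; it is constructed for this page and is not SecureAuth Connect's policy engine or its policy configuration format. The `ScopePolicies` fields, the `subject` values and the sample scope are assumed names that stand in for one policy per subject type.

```python
# Illustrative scope-governance evaluator. Constructed example; it is not
# SecureAuth Connect's policy engine or its policy configuration format.
from dataclasses import dataclass, field

@dataclass
class ScopePolicies:
    """Governance model of one scope: at most one policy per subject type."""
    consent_requires_mfa: bool = False            # human users
    allowed_clients: set = field(default_factory=set)          # machine users
    required_client_metadata: dict = field(default_factory=dict)
    required_developer_claims: dict = field(default_factory=dict)  # developers
    allow_dynamic_registration: bool = False      # dynamically registered clients

def evaluate_scope(policies: ScopePolicies, request: dict) -> tuple:
    """Decide at token issuance whether one scope may be granted.
    `request` is a constructed context (subject type, client id/metadata,
    MFA state at consent, developer claims); returns (granted, reason)."""
    subject = request["subject"]
    if subject == "human":  # Authorization Code flow: Consent Grant policy
        if policies.consent_requires_mfa and not request.get("mfa_satisfied"):
            return False, "Consent Grant policy: MFA required at consent"
        return True, "Consent Grant policy satisfied"
    if subject == "machine":  # Client Credentials flow: Client Assignment policy
        meta = request.get("client_metadata", {})
        by_id = request.get("client_id") in policies.allowed_clients
        by_meta = bool(policies.required_client_metadata) and all(
            meta.get(k) == v for k, v in policies.required_client_metadata.items())
        if by_id or by_meta:
            return True, "Client Assignment policy satisfied"
        return False, "Client Assignment policy: client not approved for scope"
    if subject == "developer":  # third-party developer subscribing an app
        claims = request.get("developer_claims", {})
        unmet = [k for k, v in policies.required_developer_claims.items()
                 if claims.get(k) != v]
        if unmet:
            return False, f"Developer policy: unmet requirements {unmet}"
        return True, "Developer policy satisfied"
    if subject == "dcr_client":  # dynamically registered client
        if policies.allow_dynamic_registration:
            return True, "DCR policy allows subscription"
        return False, "DCR policy: dynamically registered clients may not subscribe"
    return False, f"unknown subject type {subject!r}"

# Constructed governance model for a sensitive scope, e.g. "accounts:read".
SENSITIVE_SCOPE = ScopePolicies(
    consent_requires_mfa=True, allowed_clients={"billing-batch"},
    required_client_metadata={"tier": "internal"},
    required_developer_claims={"attested": True}, allow_dynamic_registration=False)
```

Because the decision is made once at issuance, the returned reason is what an audit log would record; the resource API only sees the resulting scope in the token.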

Configuring scope governance

Scope governance is configured on each scope in the service view. For step-by-step instructions on attaching policies to a scope, see Restricting access to services using authorization scopes.
