Protecting scopes with access policies

Learn how to configure a policy and use it for restricting access.


If you have not installed ACP yet, check Installing ACP instructions and get it done.

Create a policy

  1. Log in to the ACP administrator portal with your username and password.

  2. In the Workspace Directory, select the workspace that you want to enter.

  3. In the selected workspace landing page, select Policies from the sidebar.

  4. In the Policies view, select CREATE POLICY.

  5. In the Create Policy popup window

    1. Select Policy type from the dropdown menu.

      Policy types

      There are a few policy types available in ACP: API request, User, Machine to machine, Developer, Dynamic Client Registration.

    2. Specify Policy name and Display name.

    3. Select Cloudentity as Policy language.

      Policy language

      Another type of policies that you can create in ACP is OPA. For instruction on how to create OPA policies, see Protecting applications and APIs in ACP using OPA.

    4. Select Create.


The ACP policy builder opens.

Add a validator

  1. In the policy builder, select the + sign to add a validator.

  2. In the Add new validator fly-out view, enter a validator name of your preference into the search field and follow up to the validator setup.

  3. In the validator view, set up the validator by adding and configuring its fields:

    1. Select the source data context and specify the source value.
    2. Select the operator to define the relationship between the source and the target.
    3. Select the target data context and specify target value.
    4. Select Save to proceed.

  4. When all the fields for the validators are ready

    1. Select the OK icon to finalize your validator.

    2. Select Save to finalize your new policy.


    Your newly-created policy is available in the Policies view.

Configure scopes

  1. In the selected workspace landing page, select Services from the sidebar.

  2. Select a service (for example, Profile) from the Services view.

  3. In the service view, select the Scopes tab.

  4. In the Scopes view, select one of the available scopes, for example, Email.

  5. In the Edit Scope pop-up window

    1. Go to the Scope Governance section and set up Client Assignment and Consent Grant by selecting relevant policies from the drop-down lists.

    2. Select Save to proceed.


You have configured the Email scope with your new policy.

Test policies

  1. Log in to a sample application.

  2. In the login page, enter user as your username and user as your password.

  3. In the consent page displayed, verify the scope you restricted with your new policy.


    The scope is not available.