Scope Access Control

Kii Cloud has four types of scopes: the application scope, group scope, user scope, and thing scope. This topic explains the access permissions of the scopes. See Scopes and Access Privileges in Getting Started for the purpose of each scope.

The scope permissions only control privileges to create buckets or topics in a scope. In contrast, the permissions of buckets, KiiObjects, and topics mainly control privileges to manipulate the target itself.

The table below indicates the default ACL entries for the scopes. You can customize the scope ACLs with the REST APIs.

Default permissions

The scopes have the following permissions by default. The rightmost "Modify ACL" column indicates the users who can update the ACL. Note that you cannot change the users who can modify the ACL.

| Scope | Create buckets (CREATE_NEW_BUCKET) | Create topics (CREATE_NEW_TOPIC) | Modify ACL |
|---|---|---|---|
| Application | Any authenticated users | App administrator | App administrator |
| Group | Group members; Group owner | Group members; Group owner | Group owner |
| User | Scope owner | Scope owner | Scope owner |
| Thing | Thing; Thing owner | Thing; Thing owner | Thing; Thing owner |

Here is a brief summary of scope permissions:

  • In the application scope, any authenticated user can create buckets. Only the app administrator can create topics.
  • In the group scope, the members of the group can create buckets and topics.
  • In the user scope, only the scope owner can create buckets and topics.
  • In the thing scope, only the thing and its owner can create buckets and topics.

Additionally, note the following consideration:

  • For the definitions of authenticated and anonymous users, see Subject.