Every application that is authorized to access a division can read all data related to that division and all of its subdivisions. After an application requests an access token, information about the allowed divisionId is encoded in the access token and scope.
Scope determines which divisions can be accessed by this application. By default, all requests are made using the division that the application has authorization for. A client application may request data for any subdivision of the authorized division.
Scope has the format {divisionId}:* , where {divisionId} is the id of the division and ':*' is a constant string showing that full access is granted. For example, if an application has access to division 123 (and all its subdivisions), then the scope value will be 123:*
Scope is the only way to find out which divisions the application is allowed to access; this value is returned by the Trakopolis API server after successful authorization. Some applications need to specify the requested scope during authorization:
- Private M2M applications do not need to pass scope during authorization. The allowed division is determined based on application properties.
- Web plugins must pass the requested scope during authorization. If a web plugin doesn't have access to the requested division, the Trakopolis API rejects authorization; otherwise authorization is given for the requested scope.
- 3rd party external web sites and mobile applications do not need to pass scope during authorization. The Trakopolis API server detects scope automatically, based on the privilege level of the user who authorized the application or website.
Applications can either use the default division Id or specify a custom division Id in requests. Please check the Divisions Data Access section for details.
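A client-side check of the scope value described above, as an added example that is not Trakopolis code: it parses the `{divisionId}:*` string strictly, confirms that a web plugin was granted the scope it requested, and tests whether a division Id falls under the authorized division before a request is sent. The function names are illustrative; it assumes division ids are decimal integers and that the client holds a hypothetical `parent_of` map of the division hierarchy.

```python
import re

# Scope format from the page: "{divisionId}:*".
# Assumption: division ids are plain decimal digits, as in the "123:*" example.
_SCOPE_RE = re.compile(r"([0-9]+):\*")


def parse_scope(scope):
    """Return the authorized division id, or raise ValueError (fail closed)."""
    m = _SCOPE_RE.fullmatch(scope) if isinstance(scope, str) else None
    if m is None:
        raise ValueError("unexpected scope value: %r" % (scope,))
    return int(m.group(1))


def check_granted_scope(requested, granted):
    """Web plugin case: the granted scope must be the one that was requested."""
    if parse_scope(granted) != parse_scope(requested):
        raise PermissionError("granted scope differs from requested scope")
    return parse_scope(granted)


def division_allowed(scope, division_id, parent_of):
    """True if division_id is the scope's division or one of its subdivisions.

    parent_of is a hypothetical local map {division id: parent id or None}.
    """
    root = parse_scope(scope)
    seen = set()
    current = division_id
    while current is not None and current not in seen:
        if current == root:
            return True
        seen.add(current)  # guards against a cycle in the local map
        current = parent_of.get(current)
    return False  # unknown division, a different branch, or a cycle


# Constructed sample hierarchy: 123 -> 200 -> 310, plus an unrelated division 999.
SAMPLE_PARENTS = {123: None, 200: 123, 310: 200, 999: None}

if __name__ == "__main__":
    for div in (123, 310, 999, 4242):
        print(div, division_allowed("123:*", div, SAMPLE_PARENTS))
```

The server remains the authority on access; a check like this only lets the client reject an out-of-scope division Id early and treat any scope string it does not recognize as an error.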