Gathering Interest

Access Management: Allow wildcards in capability scopes

Related products: Authentication and Access Management
  • April 21, 2026
  • 1 reply
  • 14 views

  • Active ⭐️⭐️⭐️

Current access management relies on explicitly defined scopes (spaces, data sets, and tables) that require a full textual match. As a result, any time a new scope is added, corresponding access lists must be manually updated.

Supporting wildcards or pattern-based matching when defining access scopes would make this management easier. This would allow access rules to be defined once using predictable naming conventions, rather than requiring explicit enumeration of every individual scope.

For example, if users in GroupA require access to all data originating from the Alpha source system, access rules could be defined using a pattern such as:

alpha:*

Instead of listing each scope individually (e.g. alpha:files:engineering_diagrams, alpha:files:manuals, alpha:time_series:operations). With this approach, when a new scope like alpha:3d:vessels is introduced, no updates to access lists would be required.

 

1 reply

Sunil Krishnamoorthy
Expert ⭐️⭐️⭐️⭐️

Hi @Ryan

Thank you for the detailed and well-articulated explanation.

The current access model in CDF is purpose-based by design. We intentionally require administrators to define explicit, exact-match scopes so that access is granted deliberately, with no ambiguity or accidental expansion. This precision is fundamental to ensuring there are no accidental permission expansions or unexpected access side effects, which is particularly important in security- and compliance-sensitive environments. That said, we agree with the core pain you’re highlighting: managing access purely through enumerated scopes does not scale well.

 

Rather than introducing wildcard or pattern-based scope matching, we are currently focused on Attribute Based Access Control (ABAC). ABAC enables access decisions based on other properties beyond spaces. Our assessment is that this provides a more robust, expressive, and safer solution to the problem you’re describing, without the risks that broad pattern matching can introduce.

 

This work is actively underway and is a key part of our longer-term access management strategy. We will share more details on this as we progress.
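
Added example, not part of either post and not CDF's API or access engine: a hypothetical segment-aware matcher for `:`-delimited scope names, contrasted with plain glob matching, plus a check that lists the groups gaining access to a newly created scope without any access-list edit. GroupB, GroupC, the ACL layout and all function names are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample ACL (hypothetical layout): group -> list of scope rules.
ACL = {
    "GroupA": ["alpha:*"],
    "GroupB": ["alpha:files:engineering_diagrams", "alpha:files:manuals"],
    "GroupC": ["alpha:*:operations"],
}


def scope_matches(pattern: str, scope: str) -> bool:
    """Segment-aware match on ':'-delimited names.

    '*' as the last segment covers one or more remaining segments;
    '*' elsewhere covers exactly one segment; anything else is literal.
    """
    p, s = pattern.split(":"), scope.split(":")
    for i, seg in enumerate(p):
        if seg == "*" and i == len(p) - 1:
            return len(s) > i           # at least one segment left to cover
        if i >= len(s) or (seg != "*" and seg != s[i]):
            return False
    return len(p) == len(s)             # no wildcard tail: lengths must agree


def glob_matches(pattern: str, scope: str) -> bool:
    """Plain glob, for contrast: '*' also crosses ':' boundaries."""
    return fnmatchcase(scope, pattern)


def groups_granted(acl: dict[str, list[str]], scope: str, match=scope_matches) -> set[str]:
    """Groups with at least one rule covering `scope` under `match`."""
    return {g for g, rules in acl.items() if any(match(r, scope) for r in rules)}


def implicit_grants(acl: dict[str, list[str]], new_scope: str) -> set[str]:
    """Groups that reach `new_scope` only through a pattern rule.

    Nobody reviewed these grants individually, so they are the ones to
    log or flag when a scope is created.
    """
    explicit = {g for g, rules in acl.items() if new_scope in rules}
    return groups_granted(acl, new_scope) - explicit


if __name__ == "__main__":
    print(implicit_grants(ACL, "alpha:3d:vessels"))
    print(groups_granted(ACL, "alpha:time_series:raw:operations", glob_matches))
```
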