Control Access

This section explains how to control access to your data in Propel using (1) API Scopes and (2) Access Policies, which are column- and row-level rules. After reading this guide, you'll be familiar with the main access control concepts, and you'll be well on your way to integrating with Propel.

API Scopes

API Scopes determine the types of operations an Application is authorized to perform in Propel. In order to query data from a Data Pool or Metric, an Application must have the “data_pool:query” or “metric:query” scope. The following screenshot shows how to configure these scopes when creating an Application:

Creating an Application with the DATA_POOL_QUERY and METRIC_QUERY scopes.

If an Application does not have the required API scope for querying a Data Pool or Metric, its queries will be rejected with an error message like the following:

Application APP00000000000000000000000000 is not allowed to query Data Pool DPO00000000000000000000000000, because it lacks the \"data-pool:query\" scope; you must add this scope to your Application and request a new access token to query the Data Pool

Additionally, Applications can have scopes to manage Propel resources, to read Metrics, and to create Applications, among others.

Learn more about API Scopes.

Access Policies

Access Policies determine which rows and columns Propel Applications can actually “see” in a Data Pool and, by extension, that Data Pool's Metrics. Rows can be excluded from query results based on filters configured statically in the Policy or dynamically in an Application's access token. Columns can be included or excluded based on an allow-list in the Policy.

The following example shows the Console and JSON representations of an Access Policy for TacoSoft, our demo SaaS application. The Policy limits access to records where the “restaurant_name” equals “Farolito”. The Policy allows access to all columns by including an asterisk.

{
  "id": "POL00000000000000000000000000",
  "uniqueName": "Farolito Policy",
  "description": "Limit access to Farolito records",
  "columns": ["*"],
  "rows": [
    {
      "column": "restaurant_name",
      "operator": "EQUALS",
      "value": "Farolito"
    }
  ],
  "dataPool": {
    "id": "DPO11111111111111111111111111"
  }
}

Data Pool Access Policies are assigned to Applications. These policies determine the level of access that an Application and, by extension, its API credentials have to a specific Data Pool's data.
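
To make the row-filter and column allow-list semantics concrete, here is an added example (not Propel's code or API) that models the Farolito Policy locally against constructed records. The sample column names other than "restaurant_name", the AND combination of multiple row filters, and the fail-closed handling of unknown operators are assumptions of this sketch.

```python
# Added illustration: a local model of the Access Policy semantics described
# above. It is not Propel's implementation.

# The "columns" and "rows" parts of the Farolito Policy shown on this page.
FAROLITO_POLICY = {
    "columns": ["*"],
    "rows": [{"column": "restaurant_name", "operator": "EQUALS", "value": "Farolito"}],
}

# Constructed sample records (not real TacoSoft data).
SAMPLE_ROWS = [
    {"restaurant_name": "Farolito", "taco_name": "Carnitas", "total_price": 12.5},
    {"restaurant_name": "La Taqueria", "taco_name": "Al Pastor", "total_price": 9.0},
    {"taco_name": "Veggie", "total_price": 7.0},  # filter column is missing
]


def row_allowed(row, filters):
    """A row is visible only if it satisfies every filter (AND is assumed)."""
    for f in filters:
        if f["operator"] != "EQUALS":
            # Fail closed: an operator this model does not know never grants access.
            raise ValueError(f"unsupported operator: {f['operator']}")
        if f["column"] not in row or row[f["column"]] != f["value"]:
            return False
    return True


def project(row, allowed_columns):
    """Keep only allow-listed columns; "*" allows all of them."""
    if "*" in allowed_columns:
        return dict(row)
    return {k: v for k, v in row.items() if k in allowed_columns}


def apply_policy(rows, policy):
    """Filter rows first, then project columns, so a filter still applies
    even when its column is not in the allow-list."""
    return [project(r, policy["columns"]) for r in rows if row_allowed(r, policy["rows"])]


if __name__ == "__main__":
    print(apply_policy(SAMPLE_ROWS, FAROLITO_POLICY))
    # Variant: same row filter, but only "taco_name" is allow-listed.
    narrowed = dict(FAROLITO_POLICY, columns=["taco_name"])
    print(apply_policy(SAMPLE_ROWS, narrowed))
```
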

Next steps

Now that you have a high-level understanding of API Scopes and Access Policies: