Token Auth privilege restrictions
In addition to a Token Auth scope, API calls may require additional privilege restrictions. Privileges have no inherited capability.
Depending on the set of API calls your application needs, you pass one or more scopes and restrictions in the same scope parameter. The values match Aperture configuration settings in the API Applications Integration (see About API application integrations).
Privilege restriction | Purpose |
---|---|
[none] or read | The scope has no additional privileges. For example, read-only APIs that search or retrieve details. For read access, you do not need to specify a privilege. |
:approve | Special restriction that grants the caller the ability to approve workflow tickets. |
:delete | Applies to APIs that are destructive in nature and result in data being permanently removed. |
:discover | Special restriction that grants the caller the ability to import data. |
:manage | Applies to APIs that make changes apart from Discovery/Import, revocation, and workflow approval APIs. |
:revoke | Special restriction that grants the caller the ability to revoke certificates. |
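
The following added example (not product code) shows how an integration could check a requested scope value against what it actually needs, honoring the rule that privileges are not inherited. The `scope:restriction,restriction;scope` delimiter syntax, the sample scope names `certificate` and `ssh`, and all function names are assumptions made for illustration.

```python
# Added example, not vendor code. Assumed scope-string syntax:
#   "<scope>:<restriction>,<restriction>;<scope>;..."
# Restriction names are the ones listed in the table above.
KNOWN_RESTRICTIONS = {"approve", "delete", "discover", "manage", "revoke"}


def parse_scope(scope_param):
    """Return {scope: set(restrictions)} for a scope parameter value."""
    granted = {}
    for part in scope_param.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, restrictions = part.partition(":")
        name = name.strip().lower()
        if not name:
            raise ValueError(f"missing scope name in {part!r}")
        privs = {p.strip().lower() for p in restrictions.split(",") if p.strip()}
        privs.discard("read")  # read needs no explicit restriction
        unknown = privs - KNOWN_RESTRICTIONS
        if unknown:
            raise ValueError(f"unknown restriction(s) {sorted(unknown)} in {part!r}")
        granted.setdefault(name, set()).update(privs)
    return granted


def is_allowed(granted, scope, privilege="read"):
    """No inheritance: a restriction counts only if it is listed explicitly.

    Read is treated as the baseline of any named scope (assumption drawn
    from the first table row).
    """
    if scope not in granted:
        return False
    return privilege == "read" or privilege in granted[scope]


def excess_privileges(requested, needed):
    """Restrictions that were requested but are not needed (least-privilege review)."""
    req, need = parse_scope(requested), parse_scope(needed)
    excess = {}
    for scope, privs in req.items():
        extra = privs - need.get(scope, set())
        if extra:
            excess[scope] = sorted(extra)
    return excess
```
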