List of Scopes and Security Permissions for APIs
All Cornerstone APIs require a scope to be assigned to the OAuth 2.0 application and token. Most APIs also require a specific security permission to be assigned to the user account tied to the OAuth 2.0 application. The table below lists the scopes and permissions each API needs. The last column indicates whether the API respects any constraints placed on the security permission.
Note that scopes are grouped by logical operations you can perform in Cornerstone. Due to this, a single scope can grant your application access to more than one API endpoint.
Core
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/employment-status/effective-date/{asOfDate} | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/employment-status | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/effective-date/{asOfDate} | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/effective-date/status | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id} | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/termination-reasons | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/employment-status | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/leave-reasons | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/custom-fields | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/employment-categories | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/custom-relations | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/activation-period | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/reasons-for-change | GET | employee:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/groups | GET | group:read | Employee API - View or Employee API - View - Constrained | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees | POST | employee:create | Employee API - Edit | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/effective-date/{asOfDate} | PATCH | employee:updatepartial | Employee API - Edit | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id} | PATCH | employee:updatepartial | Employee API - Edit | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/employment-status | PATCH | employee:updatepartial | Employee API - Edit | Yes |
| Employee | Employee API v2 | /services/api/x/users/v2/employees/{id}/employment-status/effective-date/{asOfDate} | PATCH | employee:updatepartial | Employee API - Edit | Yes |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/employmentstatus/effectivedate/{asOfDate} | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/employmentstatus | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/employmentstatus | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/customfields | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/effectivedate/{asOfDate} | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/effectivedate/status | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/activationperiod | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id} | GET | employee:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/groups | GET | group:read | Employee API - View | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/employmentstatus/effectivedate/{asOfDate} | PUT | employee:updatefull | Employee API - Edit | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/employmentstatus | PUT | employee:updatefull | Employee API - Edit | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/activationperiod | PUT | employee:updatefull | Employee API - Edit | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees | POST | employee:create | Employee API - Edit | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id}/effectivedate/{asOfDate} | PATCH | employee:updatepartial | Employee API - Edit | No |
| Employee | Employee API v1 | /services/api/x/users/v1/employees/{id} | PATCH | employee:updatepartial | Employee API - Edit | No |
| OU | OU API v1 | /services/api/x/organizations/v1/types | GET | outype:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/types/{type id} | GET | outype:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous | GET | ou:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous/{ou id} | GET | ou:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous/{ou id}/localizations | GET | ou:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous | POST | ou:write | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous | POST | ou:write | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous/{ou id} | PUT | ou:updatefull | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/ous/{ou id}/localizations | PUT | ou:updatefull | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/specifications | PATCH | ouspecification:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/specifications | PATCH | ouspecification:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/types | GET | outype:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | OU API v1 | /services/api/x/organizations/v1/types/{type id} | GET | outype:read | OU Hierarchy - Manage, View Grades | Yes |
| OU | Global Search API | /services/api/Core/GlobalSearch | GET | globalsearch:read | n/a | No |
| Approvals | Approvals API | /services/api/Employee/{userName}/approvals | GET | approval:read | Request Items - View | No |
| Approvals | Approvals API | /services/api/Employee/{userName}/approvals | POST | approval:create | Request Items - View | No |
Learning
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|
| LO | Training (LO) API | /services/api/LO/GetDetails | GET | training:read | n/a | No |
| LO | Training (LO) API | /services/api/LO/Create | POST | training:create | Events - Create, Sessions - Create, | No |
| LO | Training (LO) API | /services/api/LO/Create | POST | training:create | Course Catalog - Update, | No |
| LO | Training (LO) API | /services/api/LO/Create | POST | training:create | LCMS Course Administrator, | No |
| LO | Training (LO) API | /services/api/LO/Create | POST | training:create | Materials Management | No |
| LO | Training (LO) API | /services/api/LO/Update | POST | training:updatefull | Session - Edit | No |
| LO | Training Custom Field API | /services/api/CustomField/ | POST | training:create | Training Custom Fields | No |
| Express Class | Express Class API | /services/x/lms-express-class/v1/ExpressClass | POST | expressclass:create | Express Class – Manage | Yes |
| Learning Assignment | Learning Assignment API | /services/x/lms-learning-assignment/v1/learning-assignment/standard | POST | learningassignment:create | Assignment Tool - Standard, | Yes |
| Learning Assignment | Learning Assignment API | /services/x/lms-learning-assignment/v1/learning-assignment/standard | POST | learningassignment:create | Assignment Tool - Email Settings - View | Yes |
| Learning Assignment | Learning Assignment API | /services/x/lms-learning-assignment/v1/learning-assignment/{id} | GET | learningassignment:read | Assignment Tool - Standard | Yes |
| Learning Assignment | Learning Assignment API | /services/x/lms-learning-assignment/v1/learning-assignment/search | GET | learningassignment:read | Assignment Tool - Standard | Yes |
| Session | Session Roster API | /services/api/SessionRoster/ | POST | sessionroster:create | Roster - Manage | No |
| Session | Session Roster API | /services/api/SessionRoster/GetSessionRoster | GET | sessionroster:read | Roster - View | No |
| Catalog Search | Catalog Search API | /services/api/Catalog/GlobalSearch | GET | training:read | Course Catalog - View | No |
| Transcript and Task | Transcript Search API | /services/api/LOTranscript/TranscriptSearch | GET | transcript:read | Users - View, View Transcript Item | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/Inbox | GET | inbox:read | n/a | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/Assigned | GET | transcript:read | n/a | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/Session | GET | transcript:read | n/a | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/Transcript | GET | transcript:read | n/a | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/SuggestedTraining | GET | transcript:read | n/a | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/Approval | GET | approval:read | n/a | No |
| Transcript and Task | Transcript and Task API | /services/api/TranscriptAndTask/Task | GET | task:read | n/a | No |
| Certification | Certification API | /services/api/Certification/Remove | POST | certification:delete | Certification - Manage | No |
| Certification | Certification API | /services/api/CertificationDetails/GetCertificationDetails | GET | certification:read | Certification - Manage | No |
| Certification | Certification API | /services/api/CertificationTranscript/CertificationTranscriptDetails | GET | certification:read | View Transcript Item - View | No |
| Training Unit | Training Unit API | /services/api/TrainingUnit | POST | trainingunit:create | Training Unit Assignment - View | No |
Transcript
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Additional Claim | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|---|
| Transcript | Overview API | /services/api/v1/transcripts/overview | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Details API | /services/api/v1/transcripts/details | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Enhanced Details API | /services/api/v1/transcripts/enhanced-details | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Curricula Child API | /services/api/v1/transcripts/curriculum-child-lo-data | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Custom Fields API | /services/api/v1/transcripts/custom-fields | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Form Fields API | /services/api/v1/transcripts/request-form-fields | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Exempt Info API | /services/api/v1/transcripts/exempt-info | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Removal Info API | /services/api/v1/transcripts/removal-info | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Session Info API | /services/api/v1/transcripts/session-info | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Version Info API | /services/api/v1/transcripts/version-info | GET | transcript:read | n/a | View Transcript Item | Yes |
| Transcript | Request API | /services/api/v1/transcripts/request | POST | transcript:create | transcript:create:request | Transcript API - Request | Yes |
| Transcript | Assign API | /services/api/v1/transcripts/assign | POST | transcript:create | transcript:create:assign | Assignment Tool - Standard | Yes |
| Transcript | Remove API | /services/api/v1/transcripts/remove | PATCH | transcript:update | transcript:update:remove | Remove Training | Yes |
| Transcript | Register API | /services/api/v1/transcripts/register | PATCH | transcript:update | transcript:update:register | Edit Transcript Items | Yes |
| Transcript | Progress API | /services/api/v1/transcripts/progress | PATCH | transcript:update | transcript:update:progress | Edit Transcript Items | Yes |
| Transcript | Complete API | /services/api/v1/transcripts/complete | PATCH | transcript:update | transcript:update:complete | Mark Training Complete | Yes |
| Transcript | Update API | /services/api/v1/transcripts/update | PATCH | transcript:update | transcript:update:updatepartial | Edit Transcript Items | Yes |
| Transcript | Approve API | /services/api/v1/transcripts/approve | PATCH | transcript:update | transcript:update:approve | Edit Transcript Items | Yes |
| Transcript | Archive API | /services/api/v1/transcripts/archive | PATCH | transcript:update | transcript:update:archive | Move training to Archived Transcript | Yes |
| Transcript | Withdraw API | /services/api/v1/transcripts/withdraw | PATCH | transcript:update | transcript:update:withdraw | Withdraw Users from Sessions | Yes |
| Transcript | Exempt API | /services/api/v1/transcripts/exempt | PATCH | transcript:update | transcript:update:exempt | Mark Transcript Exempt | Yes |
Performance
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|
| Performance Review Task | Performance Review API | /services/api/Review/PerformanceReview | GET | performancereview:read | n/a | No |
| Goals | Goal API | /services/api/Goals/Create | POST | goal:create | Goals - Create | No |
| Goals | Goal API | /services/api/Goals/Update | PUT | goal:updatefull | Goals - Create | No |
| Goals | Goal API | /services/api/Goals/UpdateProgress | PUT | goalprogress:updatefull | Goals - Create | No |
| Goals | Goal API | /services/api/Goals/GetDetails | GET | goal:read | Goals - Create | No |
Recruiting
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|
| Job Requisition | Job Requisition API | /services/api/Recruiting/JobRequisitionDetails | GET | jobrequisition:read | n/a | No |
| Job Requisition | Job Requisition API | /services/api/Recruiting/JobRequisitionDetails/Ad | GET | jobrequisition:read | n/a | No |
| Job Requisition | Job Requisition API | /services/api/Recruiting/JobRequisitionDetails/CustomField | GET | jobrequisition:read | n/a | No |
| Job Requisition | Application Workflow | /services/api/x/rec-job-requisition/v1/requisition/{externalId}/application-workflow | GET | applicationworkflow:read | n/a | No |
| Applicant | Job Applicant API | /services/api/Recruiting/JobApplicant | GET | jobapplicant:read | n/a | No |
| Applicant | Job Applicant API | /services/api/Recruiting/JobApplicant/CustomFields | GET | jobapplicant:read | n/a | No |
| Applicant | Job Applicant API | /services/api/Recruiting/JobApplicantUpdateStatus | GET | jobapplicant:update | Applicants - Status Change | No |
| Application | Job Application API | /services/api/x/external-application/v1/job-application/submit | GET | jobapplication:create | External Job Application API - Manage | No |
Reporting
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|
| Cross Module | Reporting API | /services/api/x/odata/api/views/ | GET | reportingmetadata:view | Reporting API - Read Only | No |
| Cross Module | Reporting API | /services/api/x/odata/api/views/$metadata | GET | reportingmetadata:view | Reporting API - Read Only | No |
| Cross Module | Reporting API | /services/api/x/odata/api/views/vw_rpt_* | GET | Scopes for each Reporting API view follows this pattern: {viewname}:read. For example, to access /services/api/x/odata/api/views/vw_rpt_user, you will need the vw_rpt_user:read scope. | Reporting API - Read Only | No |
| Cross Module | Data Exporter API | /services/api/x/dataexporter/api/objects | GET | obj_metadata:read | Reporting API - Read Only | No |
| Cross Module | Data Exporter API | services/api/x/dataexporter/api/objects/$metadata | GET | obj_metadata:read | Reporting API - Read Only | No |
| Cross Module | Data Exporter API | /services/api/x/dataexporter/api/objects/$cs_diagram | GET | obj_metadata:read | Reporting API - Read Only | No |
| Cross Module | Data Exporter API | services/api/x/dataexporter/api/objects/* | GET | Scopes for each Data Exporter API view follows this pattern: {obj_name}:read. For example, to access /services/api/x/dataexporter/api/objects/users_core, you will need the obj_users_core:read scope. | Reporting API - Read Only | No |
Bulk
| Product | API | Endpoints | HTTP Method | OAuth 2.0 Scope | Security Permission | Constraints Supported? |
|---|---|---|---|---|---|---|
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/specification | GET | bulkapispecification:read | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/jobs/{job_id} | GET | bulkapijob:read | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/imports/{import_id}/errors | GET | bulkapiimport:read | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/imports/{import_id}/report | GET | bulkapiimport:read | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/imports/{import_id}/warnings | GET | bulkapiimport:read | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/schemas | POST | bulkapischema:read | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/jobs | POST | bulkapijob:create | Varies by load type | No |
| Cross Module | Bulk API | /services/api/x/bulk-api/v1/imports/{import_id} | POST | bulkapiimport:load | Varies by load type | No |