To make sure that unauthorized users cannot access the resources, you can restrict access by using OAuth 2.0 scopes. An OAuth 2.0 scope represents a list of resources that can be accessed by remote applications. Developers of the OAuth 2.0 enabled services predefine scopes. They are delivered together with a framework that can provide OAuth 2.0 enabled services (for example, SAP NetWeaver Gateway.
In the customer system, administrators assign scopes to the following:
OAuth 2.0 clients. These clients represent OAuth 2.0 enabled applications that access the services on behalf of the resource owner.
Users of the relevant business scenario. These users are the resource owners. Depending on grant type used, the resource owners can further restrict the number of scopes for certain clients during the access token request. They can decide which applications are allowed to access which business resource.
You cannot create or edit OAuth 2.0 scopes directly in the AS ABAP. For example, SAP NetWeaver Gateway can provide services that are OAuth 2.0 enabled. Each Gateway service is assigned to a separate scope. Whenever a Gateway service is activated, a new OAuth 2.0 scope is created. You can use the scope to protect the service.