REST API Scope

Hello All,

If I create an access scope and give it no access and assign it to all users who will not be connecting to the application via https:// or http://, will people using a net.TCP connection still be able to use the fat client without any issues?

Thanks everyone.

-Utah

I believe that Scope is applied regardless of the binding. It goes back to pre-Kinetic days - just ActiveDesktop at the time.

So if I set the scope to no access they would not be able to do anything in the client Epicor application (desktop) even if they don’t use an HTTP or HTTPS binding? We are not using the active homepage at this time.

Yes, that’s my understanding. I think it’s even possible to accidentally cut off the MANAGER user with Scope!

Access Scope only permits Services, BAQs, or Libraries and doesn’t block access. This is what makes it great for REST service principals.

If the business problem that you’re trying to solve is to prevent access via https then someone clever with IIS could probably think a different way.

If you leave the Scope blank then it’s full access. 🙂

AAAAND! Fun fact, if the scope gets deleted, then what it applied to now has full access. As of the last time we checked, there is no check that makes sure you can’t delete an access scope that is applied somewhere.

When using the REST API, we created an access scope which contains the BAQs we want accessible. We also created a specific user ID which is used for the outside process using it. Would it make sense to set the access scope on that user ID to match? Since that user ID will ONLY be used for that? I don’t want to accidentally mess things up by trying it out without asking others if they have done something like that before 🙂