About Authorization
Foundry apps operate within CrowdStrike’s authorization framework. Two systems control what an app can do: Role-Based Access Control (RBAC), which controls who can use app capabilities, and API Scopes, which control what Falcon APIs the app can access.
How authorization works
When a Foundry app runs, it inherits the permissions of the user or system context executing it:
- UI extensions and pages run in the context of the logged-in user. The user must have the appropriate Falcon roles to access the app’s features.
- Functions called from workflows run in the app’s service context with the scopes configured in the app manifest.
- Scheduled workflows run with the scopes granted to the app at installation time.
Falcon RBAC determines which users can:
- Install and manage Foundry apps
- Access app UI extensions and pages
- Execute app workflows
- Read and write app collections
See Role-Based Access Control for details on roles and permissions.
API Scopes
API scopes determine which CrowdStrike APIs your app’s functions and workflows can call. Scopes are configured in the app manifest and granted at installation time.
See API Scopes for details on configuring scopes.