=== Limiting Scope

By default, each new client application has an unlimited `role scope mappings`.  This means that every access token that is created
for that client will contain all the permissions the user has.  If the client gets compromised and the access token
is leaked, then each system that the user has permission to access is now also compromised.  It is highly suggested
that you limit the roles an access token is assigned by using the <<_role_scope_mappings, Scope menu>> for each client.
Or alternatively, you can set role scope mappings at the Client Scope level and assign Client Scopes to your client by using the
<<_client_scopes_linking, Client Scope menu>>.