**As** an administrator
**I want to** Begin of the insertionset upEnd of the insertion Begin of the deletion setupEnd of the deletion system-level tokens
**so that** can use them as authentication in my SCIM client to Begin of the insertionprovideEnd of the insertion Begin of the deletion giveEnd of the deletion it access to the OpenProject SCIM server API.

**Acceptance criteria**

* Begin of the insertionSystem-level tokens function similarly toEnd of the insertion Begin of the deletion LikeEnd of the deletion personal access Begin of the insertiontokensEnd of the insertion Begin of the deletion tokens,End of the deletion but Begin of the insertionare associatedEnd of the insertion with Begin of the insertiona designatedEnd of the insertion Begin of the deletion theEnd of the deletion system Begin of the insertionuser.End of the insertion Begin of the deletion userEnd of the deletion

* Begin of the insertionTokens are limitedEnd of the insertion Begin of the deletion Only constrained in powerEnd of the deletion by Begin of the insertionspecific scopes.End of the insertion Begin of the deletion scopes (and possibly expiration)End of the deletion

* Begin of the insertionAdministrators can create, name, and manage these tokens via a dedicatedEnd of the insertion Begin of the deletion AEnd of the deletion menu entry Begin of the insertionlocated at /admin/settings/authentication.End of the insertion Begin of the deletion is placed in [https://qa.openproject-edge.com/admin/settings/authentication](https://qa.openproject-edge.com/admin/settings/authentication)End of the deletion

* Begin of the insertionInitially, the only selectableEnd of the insertion Begin of the deletion User is able to create and name system-level tokens

* Each token has aEnd of the deletion scope Begin of the deletion butEnd of the deletion for Begin of the insertiontokens is theEnd of the insertion Begin of the deletion now onlyEnd of the deletion SCIM API Begin of the insertionscope, whichEnd of the insertion Begin of the deletion scope can be selected andEnd of the deletion is selected by default.

* Begin of the insertionMultipleEnd of the insertion Begin of the deletion It is possible to have multipleEnd of the deletion active Begin of the insertionsystem-level tokens can exist simultaneously.End of the insertion Begin of the deletion tokens.End of the deletion

* Begin of the insertionAdministrators canEnd of the insertion Begin of the deletion A token has a menu toEnd of the deletion delete Begin of the insertionindividual tokens through an available menu action.End of the insertion Begin of the deletion the token.End of the deletion


**Technical notes**

* I'd suggest to prefix them, so that we can recognize how to validate them, e.g. `opst-ABCDEF...` (**O**pen**P**roject**S**ystem**T**oken)


**Permissions and visibility considerations**

* Only Begin of the insertionaccessible to administrators.End of the insertion Begin of the deletion adminsEnd of the deletion

* Only Begin of the insertionavailableEnd of the insertion when Begin of the insertiontheEnd of the insertion Enterprise Begin of the insertionplanEnd of the insertion Begin of the deletion plan:End of the deletion Corporate is active.


**Out of scope**

* Begin of the insertionToken expiration handling.

* Support for multiple scopes.End of the insertion Begin of the deletion <br>End of the deletion