In addition to specifying the nameid to be subsequently placed in the JWT issued from the ACS OAUTH token issuing endpoint one can specify one or more “permission strings”. The strings to be registered can (and probably should) come from the consent URI; with consent using the websso session to determine whether such an application-permission should be granted. Note that this is nothing to do with “scope” used in the OAUTH protocol itself (which is tantamount to an RP, in the ACS model).
Concerning scope however, note where the permissions fields are eventually placed within the issued token:
Looking at an example using the SWT (not JWT) blob format:, we see:
We can presume that the permission string is expressed as one of the scope field values in the JWT case (alongside the official scope ; the name of the ACS RP).