Developer Console > Applications > New Application:
1. Name: "order-sync-service" (descriptive of function)
2. Type: Server application (client credentials flow)
3. Scopes: api:read-data, api:ontology-read (minimum needed)
4. Project access: Add as Editor on specific projects only

Result: client_id + client_secret (store in secrets manager)

# Define per-application scopes
APP_SCOPES = {
    "dashboard-reader": ["api:read-data", "api:ontology-read"],
    "data-sync-service": ["api:read-data", "api:write-data"],
    "admin-tool": ["api:read-data", "api:write-data", "api:ontology-read", "api:ontology-write"],
}

def create_client_for_app(app_name: str) -> foundry.FoundryClient:
    scopes = APP_SCOPES[app_name]
    auth = foundry.ConfidentialClientAuth(
        client_id=os.environ[f"{app_name.upper().replace('-','_')}_CLIENT_ID"],
        client_secret=os.environ[f"{app_name.upper().replace('-','_')}_CLIENT_SECRET"],
        hostname=os.environ["FOUNDRY_HOSTNAME"],
        scopes=scopes,
    )
    auth.sign_in_as_service_user()
    return foundry.FoundryClient(auth=auth, hostname=os.environ["FOUNDRY_HOSTNAME"])

Organization Groups (manage in Foundry Admin):
├── data-engineering        → Editor on pipeline projects
├── data-science            → Viewer on pipeline, Editor on ML projects
├── business-analysts       → Viewer on analytics projects
├── external-partners       → Viewer on shared datasets only
└── platform-admins         → Owner on all projects

Principle: Users inherit access from groups.
Never assign project roles to individual users.

def audit_service_user_access(client):
    """Check what the current service user can actually access."""
    accessible = {"ontologies": [], "datasets": []}
    try:
        for ont in client.ontologies.Ontology.list():
            accessible["ontologies"].append(ont.api_name)
    except foundry.ApiError:
        pass
    print(f"Accessible ontologies: {accessible['ontologies']}")
    return accessible