We are using CIS and open id conect. How to define the authorisation scope : admin/user using cloud identity service and openid connect so that I can differentiate the enduser and admin