Identify and Define Your Scope Types (STEP 2)
You need to identify the types of scopes that your privileges will have.
You may find it easier to think in terms of security contexts rather than
scopes (use whichever concept works better for you). The two
are very similar, but contexts are more user-facing and
scopes more implementation-facing. Ask yourself: in what contexts
do I need to provide different access rights based on users'
relationships (to organizations, projects and the like)?
You are not, at this stage, going to be creating the scopes
themselves, just identifying and creating their types. This is a
necessary precursor to creating privileges.
Note that Veil2 provides two default scope types,
for global and personal scopes; the scope types you define here are
added alongside them.
You will also need to consider whether your role mappings will
apply globally, or whether different subsets of users are going to
see different, contextually dependent
role mappings. If your users have different authentication contexts,
that is, if they log in using different web forms for different
organizations or departments, then you may need different
role mappings for those authentication contexts.
Look for "STEP 2" in the file
veil2_demo--<version>.sql.
Create Scope Type Records
You will need to insert records into
veil2.scope_types.
The Veil2 demo creates three relational scope types:
corp, org and project, where corp represents a corporation; org
represents an organization within the organizational hierarchy
of a corporation; and project represents a project.
Update Your Role Mapping Context (maybe)
If you need multiple role-to-role mapping contexts, you need to
define the mapping context target scope
type in the veil2.system_parameters
table.
The demo sets role to role mapping to happen at the
corp level. This means that the
Customer Service Rep role might provide us
with different function-level roles if we log in to Veil
Corp than if we log in to Protected Corp.
Veil2 defaults to role-mapping being global.
If this is what you want for your system, you can skip this step.
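The two STEP 2 statements, written out as an added example rather than
copied from veil2_demo--<version>.sql. It assumes the veil2.scope_types
columns are (scope_type_id, scope_type_name, description), that
veil2.system_parameters has (parameter_name, parameter_value) with the
value stored as text, and that the parameter is named
'mapping context target scope type'; check these against the demo file
and \d veil2.scope_types on your installation before running it.

```sql
-- Added example, not the demo's own text.  Assumed column names:
-- veil2.scope_types(scope_type_id, scope_type_name, description)
-- veil2.system_parameters(parameter_name, parameter_value)

begin;

-- Veil2 ships scope types 1 (global) and 2 (personal); pick ids that do
-- not collide with them.  3-5 follow the demo's corp/org/project.
insert into veil2.scope_types
       (scope_type_id, scope_type_name, description)
values (3, 'corp',    'Access to data belonging to a specific corporation'),
       (4, 'org',     'Access to data belonging to an organization within a corporation'),
       (5, 'project', 'Access to data belonging to a specific project');

-- Optional: make role-to-role mapping contextual instead of global by
-- naming the scope type that defines the mapping context.  The demo
-- uses corp (id 3), so Customer Service Rep can map to different
-- function-level roles in Veil Corp and in Protected Corp.  Leave this
-- statement out to keep Veil2's default global mapping.
update veil2.system_parameters
   set parameter_value = '3'
 where parameter_name = 'mapping context target scope type';

-- Sanity check before committing: the mapping context parameter must
-- point at a scope type that actually exists.  A typo'd id would leave
-- scope_type_name NULL here, so stop and fix it rather than commit.
select p.parameter_name,
       p.parameter_value,
       st.scope_type_name          -- NULL means a dangling reference
  from veil2.system_parameters p
  left join veil2.scope_types st
    on st.scope_type_id = p.parameter_value::integer
 where p.parameter_name = 'mapping context target scope type';

commit;
```

Run the block inside a transaction, as shown, so that an id collision with
the default scope types or a dangling mapping context can be rolled back
before any privileges or roles are built on top of it.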