diff --git a/configuration.php b/configuration.php index 6e950165..a6c145f1 100644 --- a/configuration.php +++ b/configuration.php @@ -102,6 +102,11 @@ namespace Icinga\Module\Icingadb { $this->translate('Allow to view an object\'s source data. (May contain sensitive data!)') ); + $this->provideRestriction( + 'icingadb/scope/commands', + $this->translate('Restrict to which objects the command permissions this role grants will apply') + ); + $this->provideRestriction( 'icingadb/filter/objects', $this->translate('Restrict access to the Icinga objects that match the filter') diff --git a/doc/04-Security.md b/doc/04-Security.md index c6653d93..113ef59d 100644 --- a/doc/04-Security.md +++ b/doc/04-Security.md @@ -9,8 +9,8 @@ The same applies to routes, objects and variables. To these, users can be restri > **Restricted Command Permissions:** > -> If a role [limits users](#filters) to a specific set of results, the command -> permissions or refusals of the very same role only apply to these results. +> If a role [limits users](#filters) to a specific set of results, the granted command permissions of the very same +> role only apply to these results. The [`icingadb/scope/commands`](#scopes) restriction has the same effect. | Name | Allow... | |------------------------------------------------|----------------------------------------------------------------------------------| 
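Review bot: The description registered with `provideRestriction` for `icingadb/scope/commands` reads like a visibility filter, yet the doc text added in this same commit states that scopes do not limit what a user can see, only where the role's command permissions apply; an administrator seeing it listed next to `icingadb/filter/objects` in the roles form could reasonably expect it to hide objects. The neighbouring restriction description already uses a parenthetical warning, so the same convention fits here: `$this->translate('Restrict to which objects the command permissions this role grants will apply. (Does not limit what the role can see!)')`. The string also says "this role grants" where the doc table in this commit says "a role grants"; one wording should be used in both places. The enclosing method and namespace block start before and end after this hunk.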
@@ -61,6 +61,17 @@ unrestricted. It should be one or more [filter expressions](#filter-expressions) `icingadb/filter/services` will only allow users to access matching services. Other objects remain unrestricted. It should be one or more [filter expressions](#filter-expressions). +### Scopes + +Scopes don't limit users in what they can see, just in what they can do where. + +| Name | Description | +|-------------------------|----------------------------------------------------------------------------| +| icingadb/scope/commands | Restrict to which objects the command permissions a role grants will apply | + +`icingadb/scope/commands` will limit where the granted command permissions of a role will apply. +It should be one or more [filter expressions](#filter-expressions). + ### Denylists Denylists prevent users from accessing information and in some cases will block them entirely from it. diff --git a/library/Icingadb/Authentication/ObjectAuthorization.php b/library/Icingadb/Authentication/ObjectAuthorization.php index ba5aa17e..4f8bbfa4 100644 --- a/library/Icingadb/Authentication/ObjectAuthorization.php +++ b/library/Icingadb/Authentication/ObjectAuthorization.php @@ -153,6 +153,10 @@ class ObjectAuthorization foreach ($this->getAuth()->getUser()->getRoles() as $role) { $roleFilter = Filter::all(); + if (($restriction = $role->getRestrictions('icingadb/scope/commands'))) { + $roleFilter->add($this->parseRestriction($restriction, 'icingadb/scopes/commands')); + } + if (($restriction = $role->getRestrictions('icingadb/filter/objects'))) { $roleFilter->add($this->parseRestriction($restriction, 'icingadb/filter/objects')); }
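Review bot: The new `parseRestriction` call passes the name `'icingadb/scopes/commands'` while the restriction is read on the line above (and registered in configuration.php in this same commit) as `'icingadb/scope/commands'`, a silent `scope`/`scopes` mismatch. What `parseRestriction` does with its second argument is not visible here; if it is only echoed in an error message the effect is a misleading diagnostic, but if it is used to look up or validate the restriction the scope filter would be parsed wrongly, so the name should match either way: `$roleFilter->add($this->parseRestriction($restriction, 'icingadb/scope/commands'));`. Since this is the line that turns the new restriction into an authorization decision, a test that a role with only `icingadb/scope/commands` set produces a role filter excluding non-matching objects would pin the behaviour. The enclosing foreach and its method start before and end after this hunk.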