Enforcing permission on trustorOrg link endpoints

Description

The following endpoints are being updated to enforce their documented permissions:

DELETE /api/v2/externalcontacts/organizations/{externalOrganizationId}/trustor

PUT /api/v2/externalcontacts/organizations/{externalOrganizationId}/trustor/{trustorId}

These endpoints have always been documented to require the externalContacts:externalOrganization:edit permission. However, due to a bug, the permissions were not being enforced properly. We are now correcting this bug.

If any users in your organization are impacted, granting them the externalContacts:externalOrganization:edit permission should resolve the issue.
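As an added illustration (not Genesys code), this is the deny-by-default route check that the fix restores: requests to the two trustor-link routes are matched by path template and allowed only when the caller holds the documented externalContacts:externalOrganization:edit permission. The route table, the sample organization and trustor ids, and rejecting routes that are not in the table are assumptions made for this example.

```python
import re
from typing import Optional, Set

# Documented permission for the two trustor-link endpoints (from the change notice).
EDIT_PERMISSION = "externalContacts:externalOrganization:edit"

# Assumed route table for this example: (HTTP method, path template) -> required permission.
ROUTE_PERMISSIONS = {
    ("DELETE", "/api/v2/externalcontacts/organizations/{externalOrganizationId}/trustor"): EDIT_PERMISSION,
    ("PUT", "/api/v2/externalcontacts/organizations/{externalOrganizationId}/trustor/{trustorId}"): EDIT_PERMISSION,
}


def _template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a path template into an anchored regex; each {param} matches exactly one segment."""
    parts = []
    for segment in template.split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(segment))
    return re.compile("^" + "/".join(parts) + "$")


def required_permission(method: str, path: str) -> Optional[str]:
    """Return the permission a request needs, or None if the route is not in the table."""
    path = path.split("?", 1)[0]  # ignore any query string when matching the route
    for (route_method, template), permission in ROUTE_PERMISSIONS.items():
        if route_method == method.upper() and _template_to_regex(template).match(path):
            return permission
    return None


def is_authorized(method: str, path: str, user_permissions: Set[str]) -> bool:
    """Deny by default: unlisted routes and callers lacking the documented permission are rejected."""
    permission = required_permission(method, path)
    return permission is not None and permission in user_permissions


if __name__ == "__main__":
    # Constructed sample ids, not real organization or trustor identifiers.
    org_path = "/api/v2/externalcontacts/organizations/org-123/trustor"
    print(is_authorized("DELETE", org_path, {EDIT_PERMISSION}))   # True
    print(is_authorized("DELETE", org_path, {"externalContacts:externalOrganization:view"}))  # False
```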

Change Category

API

Change Context

Not enforcing these permissions presents a security hazard that needs to be addressed.

Change Impact

Our logging shows that zero production orgs currently use these endpoints. While we do not anticipate any customer impact, customers may resolve any issues by granting the documented permission to the user accessing the API, per the API documentation.

Date of Change

Jan 31, 2024

Impacted APIs

DELETE /api/v2/externalcontacts/organizations/{externalOrganizationId}/trustor
PUT /api/v2/externalcontacts/organizations/{externalOrganizationId}/trustor/{trustorId}

References

[RELATE-10851]
