New Required Permission to Modify Reporting Settings

Description

The PATCH method to the /api/v2/analytics/reporting/settings endpoint will require a user to explicitly have analytics > reportingSettings > edit rights to execute a request. Currently, users with view permissions over recording segment, conversation aggregates, conversation details, or dashboard configurations can execute PATCH requests. Once this change is in effect, they will only be able to execute GET requests against this endpoint. The new edit permission will need to be assigned to users who need to execute PATCH requests after the effective date.

Change Category

Informational
API

Change Context

Currently, the GET and PATCH methods for this API have the same permission requirements: if a user can read settings from the endpoint, they can also make changes. This presents a potential issue for businesses, because users who need to read export settings must also be given permission to make organization-wide configuration changes. This change separates these access patterns to allow for permission combinations that support read rights without permission to make changes.

Change Impact

Any call to the PATCH /api/v2/analytics/reporting/settings endpoint will be denied if the user lacks proper edit rights. Users who have been able to make changes in the past will be unable to do so until edit rights are assigned.

Date of Change

Feb 28, 2024
The current behavior may present a security risk to some customers; we have shortened our notice window in order to mitigate this risk.

Impacted APIs

PATCH /api/v2/analytics/reporting/settings

References

Logging deprecated behavior [BI-7813]
New Permission [BI-7812]
Deprecation [BI-7862]
Backfill [AUTHZ-290]
