So I've tested creating an OAuth to use in Postman where I gave it no permissions. From what I've tested, I can use the following API: api/v2/conversations/calls/conversationId but not /v2/conversations/conversationId.
Why would those two have different permissions, but more importantly, why would I be able to query against one of them when the role my OAuth client has was given NO permissions?
If you find that the endpoints are not enforcing permissions as stated in the documentation, please open a case with Genesys Cloud Care to report the errant behavior.
Thanks Tim, most definitely the /calls one is working without any permissions added. I don't have much faith in this being escalated through Care to the devs, so can you please suggest how I can word this so as to alleviate some of that initial pain? They will follow the standard "please send us console logs" stuff, which you can understand in this context probably isn't overly relevant.
Sorry, I may not be spotting it, but in the links you've sent I don't actually see the permissions noted at the endpoint level.
If you follow the link, you'll see an "Operation Information" section (above the "API Request" section).
If you expand this section, you'll see that it specifies Required Permissions (if any) and Required Scopes (if any).
You would open a case saying: I'm using API endpoint AAAA with a token generated using OAuth client ID BBBB and user ID CCCC. This endpoint does DDDD, which is as expected. But when I use endpoint BBBB with the same auth token, it does CCCC. The correlation ID for the first request is EEEE. The correlation ID for the second request is FFFF. This isn't what I expect because <explain how the behavior is different from what's documented> and I have verified that my user has the correct permissions assigned via role GGGG. I believe this is a bug because the API endpoint is not behaving as documented.
Thanks Jerome. Looking at this, the API in question does have no permissions required. That makes sense that it works now, since these will be scoped for everything as a client credentials OAuth.