Permission enforcement - Notifications API

Becky_Powell · February 27, 2020, 4:55pm

Category: API

Summary: Users subscribing to a notification topic must have the permission(s) required for that topic's subscription.

Context: Users should not be able to subscribe to topics unless they have the permission(s) required to subscribe to that topic.

Impact: Customers will have a six-month grace period wherein they can elect to enable permission enforcement for notification topics. During the grace period, there will be no impact to customers unless they elect to enable permission enforcement for notification topics, at which time users attempting to subscribe to topics who do not have the required permission(s) to subscribe to that topic will receive an authorization error. Upon expiration of the grace period (no sooner than September 30th, 2020), all users attempting to subscribe to topics who do not have the required permission(s) to subscribe to that topic will receive an authorization error.

Date of Change: No sooner than April 1st, 2020.

Impacted APIs: Notifications

Ana_Laia · February 28, 2020, 11:30am

Hi Becky,

Can you tell me which permissions are required and where do I assign these permissions?

Thank you in advance.

Best regards,
Ana Laia

javier.delolmo · March 2, 2020, 1:33pm

Hi Becky,
There will be special permissions for the subscription to topics? (if this is the case it would be necessary what @Ana_Laia says about an inventory of necessary permissions) or it will be the normal permissions that exist now? (if this is the case, I thought this was already ...).

Thanks.

Becky_Powell · March 2, 2020, 9:52pm

Here is the current topic:permission mapping:

Topic			Permission
v2.analytics.queues.{id}.observations			analytics:queueObservation:view, analytics:conversationAggregate:view
v2.analytics.users.{id}.aggregates			analytics:userAggregate:view, analytics:conversationAggregate:view
v2.architect.dependencytracking.build			architect:dependencyTracking:view
v2.architect.prompts.{id}			architect:userPrompt:view
v2.architect.prompts.{id}.resources.{id}			architect:userPrompt:view
v2.architect.systemprompts.{id}.resources.{id}			architect:systemPrompt:view
v2.businessunits.{id}.workforcemanagement.intraday			wfm:intraday:view
v2.contentmanagement.documents.{id}			-
v2.contentmanagement.workspaces.{id}.documents			-
v2.flows.outcomes.{id}			architect:flowOutcome:view
v2.flows.{id}			architect:flow:view
v2.groups.{id}.greetings			-
v2.managementunits.{id}.workforcemanagement.intraday			wfm:intraday:view
v2.outbound.attemptlimits.{id}			outbound:attemptLimits:view
v2.outbound.callabletimesets.{id}			outbound:callableTimeSet:view
v2.outbound.campaignrules.{id}			outbound:campaignRule:view
v2.outbound.campaigns.{id}			outbound:campaign:view
v2.outbound.campaigns.{id}.progress			outbound:campaign:view
v2.outbound.campaigns.{id}.stats			outbound:campaign:view
v2.outbound.contactlistfilters.{id}			outbound:contactListFilter:view
v2.outbound.contactlists.{id}			outbound:contactList:view
v2.outbound.contactlists.{id}.importstatus			outbound:contactList:view
v2.outbound.dnclists.{id}			outbound:dncList:view
v2.outbound.dnclists.{id}.importstatus			outbound:dncList:view
v2.outbound.messagingcampaigns.{id}.progress			outbound:campaign:view
v2.outbound.responsesets.{id}			outbound:responseSet:view
v2.outbound.rulesets.{id}			outbound:ruleSet:view
v2.outbound.schedules.campaigns.{id}			outbound:schedule:view
v2.outbound.schedules.sequences.{id}			outbound:schedule:view
v2.outbound.sequences.{id}			outbound:campaignSequence:view
v2.outbound.settings			outbound:settings:view
v2.outbound.wrapupcodemappings.{id}			outbound:wrapUpCodeMapping:view
v2.routing.queues.{id}.conversations			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.callbacks			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.calls			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.chats			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.cobrowseSessions			routing:queue:view
v2.routing.queues.{id}.conversations.emails			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.messages			routing:queue:view
v2.routing.queues.{id}.conversations.screenshares			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.socialexpressions			analytics:conversationDetail:view
v2.routing.queues.{id}.conversations.videos			analytics:conversationDetail:view
v2.routing.queues.{id}.users			routing:queue:view
v2.system.{id}.{id}			-
v2.users.{id}.activity			analytics:userObservation:view
v2.users.{id}.alerting.heartbeat.alerts			-
v2.users.{id}.alerting.heartbeat.rules			-
v2.users.{id}.alerting.interactionstats.alerts			alerting:alert:view
v2.users.{id}.alerting.interactionstats.rules			alerting:rule:view
v2.users.{id}.analytics.reporting.exports			-
v2.users.{id}.badges.chats			-
v2.users.{id}.callforwarding			-
v2.users.{id}.conversations			analytics:conversationDetail:view
v2.users.{id}.conversations.callbacks			analytics:conversationDetail:view
v2.users.{id}.conversations.calls			analytics:conversationDetail:view
v2.users.{id}.conversations.chats			analytics:conversationDetail:view
v2.users.{id}.conversations.cobrowseSessions			analytics:conversationDetail:view
v2.users.{id}.conversations.emails			analytics:conversationDetail:view
v2.users.{id}.conversations.messages			analytics:conversationDetail:view
v2.users.{id}.conversations.screenshares			analytics:conversationDetail:view
v2.users.{id}.conversations.socialexpressions			analytics:conversationDetail:view
v2.users.{id}.conversations.videos			analytics:conversationDetail:view
v2.users.{id}.conversationsummary			-
v2.users.{id}.fax.documents			-
v2.users.{id}.geolocation			-
v2.users.{id}.greetings			-
v2.users.{id}.outbound.contactlists.{id}.export			outbound:contactList:view
v2.users.{id}.outbound.dnclists.{id}.export			outbound:dncList:view
v2.users.{id}.outofoffice			-
v2.users.{id}.presence			-
v2.users.{id}.routingStatus			-
v2.users.{id}.station			directory:user:view
v2.users.{id}.tokens			oauth:client:authorize
v2.users.{id}.userrecordings			-
v2.users.{id}.voicemail.messages			-
v2.users.{id}.workforcemanagement.adherence			wfm:agentSchedule:view
v2.users.{id}.workforcemanagement.historicaladherencequery			wfm:historicalAdherence:view
v2.users.{id}.workforcemanagement.notifications			-
v2.users.{id}.workforcemanagement.schedules			wfm:agentScheduleNotification:view
v2.users.{id}.workforcemanagement.timeoffrequests			wfm:timeOffRequest:view
v2.workforcemanagement.agents			wfm:agent:edit
v2.workforcemanagement.businessunits.{id}.schedules			wfm:schedule:view
v2.workforcemanagement.businessunits.{id}.scheduling.runs			wfm:schedule:view
v2.workforcemanagement.managementunits.{id}			wfm:managementUnit:view
v2.workforcemanagement.managementunits.{id}.adherence			wfm:realtimeAdherence:view
v2.workforcemanagement.managementunits.{id}.agents.sync			wfm:agent:view
v2.workforcemanagement.managementunits.{id}.schedules			wfm:schedule:view
v2.workforcemanagement.managementunits.{id}.shifttrades.state.bulk			wfm:shiftTradeRequest:view
v2.workforcemanagement.users.{id}.schedules.query			wfm:schedule:view
v2.workforcemanagement.users.{id}.schedules.search			wfm:schedule:view, wfm:publishedSchedule:view

This information will be documented in the Developer Center and will be returned upon GET call to /api/v2/notifications/availabletopics.

javier.delolmo · March 4, 2020, 2:50pm

Hi, Becky,
I have two questions:
1 - If I give the analytics:conversationDetail:view permission to a contact center agent to subscribe to the notifications of for example the topic v2.users.{id}.conversations, he will be able to subscribe to the conversations of another agent if he finds out his id? with this permission, the agents will have access to the menu Performance>Interactions?

2 - In the topics that don't have associated permission, that means, that any Purecloud user if he knows the id of another user will be able to subscribe to the topic for example... v2.users.{id}.geolocation and know the location of the user?

Becky_Powell · March 4, 2020, 5:58pm

Hi Javier,

1a. Yes, if you give the analytics:conversationDetail:view permission to a contact center agent to subscribe to the notifications of for example the topic v2.users.{id}.conversations, he will be able to subscribe to the conversations of another agent if he finds out his id.

1b. The analytics:conversationDetail:view permission is just one of the permissions required to access the Interactions view. The full list of required permissions is documented here: https://help.mypurecloud.com/articles/interactions-view/

2 - Yes, this is correct.

Best,
Becky

Becky_Powell · May 6, 2020, 5:58am

This topic was automatically closed 62 days after the last reply. New replies are no longer allowed.