Genesys Cloud - Main

  • 1.  API access to agents

    Posted 02-08-2024 01:59

    Hello,

    Some of our agents have discovered the developer tools and are trying to use the API directly. Is there any way to disable API usage for agents?


    #PlatformAdministration
    #Security
    #Unsure/Other

    ------------------------------
    Lionel Florence
    Helpline SAS
    ------------------------------


  • 2.  RE: API access to agents

    Top 25 Contributor
    Posted 02-08-2024 03:06

    Hey Lionel, 

    Interesting indeed! 

    I'm not 100% sure if you can lock the developer tools down per user, though their user access controls/permissions/roles should dictate what they could even do within the dev tools/APIs.

    Out of pure interest, what are they even trying to do?



    ------------------------------
    Lawrence Drayton
    Prvidr Pty Ltd
    ------------------------------



  • 3.  RE: API access to agents

    Posted 02-08-2024 12:59
    Edited by Antwuan Rencher 02-14-2024 00:56

    Hi,

    Thanks for the answer. Our concern is that in our first tests a basic account can quite easily access any API requests. Some with errors and some with access to data from divisions that it is not supposed to access. We are investigating more tomorrow, before opening a ticket with Genesys support.

    BTW: they are trying to get all the history of interactions, mainly because the standard exports have some issues with the custom attribute values (some values are not visible in the reports even though they are visible in the UI :-( )



    ------------------------------
    Lionel Florence
    Helpline SAS
    ------------------------------



  • 4.  RE: API access to agents

    Top 25 Contributor
    Posted 02-08-2024 14:50

    Hey mate, 

    Hmm, very interesting - as far as I am aware, the user context that the request is being made from (which is how the dev tools do it) should only give them access to pull information or APIs that they have permission to access. I would be interested in the outcome of your support ticket, and if you are willing, I would like to test some of your use cases in my environment if you would share the APIs they are using specifically.



    ------------------------------
    Lawrence Drayton
    Prvidr Pty Ltd
    ------------------------------



  • 5.  RE: API access to agents

    Posted 02-12-2024 09:55

    Hello Lawrence,

    After more investigation:

    • If an agent has a permission through a role, he can use all APIs related to that permission.

    • We found at least one issue: by default our agents have the "location - edit" permission, which lets them change their location on their profile... but lets them change any parameter of any location through the API. This includes the location name, for example.

    • A user with only the "employee role" can access any interaction through the API; he just needs to have the ID of the interaction, even if the interaction is associated with another division. Note that he cannot access this interaction with the user UI: "access denied".


    We did not go through all the APIs to identify more issues like this, but we are opening an incident on the "location edit permission" and the "interaction access".

    Another "side effect" is that through the API, agents can collect all the data of one collection in one request, where this would take them a lot of clicks and effort in the user interface. A good example is the directory: they can get all the members of the directory and their data in one request!

    Let me know if you see the same results.

    Regards,

    Lionel



    ------------------------------
    Lionel Florence
    Helpline SAS
    ------------------------------
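
Added example, not part of the thread and not Genesys code: a constructed Python model of the gap post 5 reports, comparing a check that only asks whether the caller holds a permission with one that also checks the object's division and ownership. All names (grants, divisions, IDs, the `own_only` flag) are assumptions made for illustration.

```python
from typing import NamedTuple

# Constructed model; names are illustrative, not Genesys Cloud identifiers.
class Grant(NamedTuple):
    permission: str          # "<kind>:<action>", e.g. "interaction:view"
    divisions: frozenset     # divisions covered by the grant ("*" = all)
    own_only: bool = False   # self-service grant: caller's own object only

class User(NamedTuple):
    user_id: str
    location_id: str
    grants: tuple

class Resource(NamedTuple):
    kind: str
    resource_id: str
    division: str

def permission_only(user, action, res):
    """Weak check: holding the permission is enough, whatever the object."""
    return any(g.permission == f"{res.kind}:{action}" for g in user.grants)

def object_level(user, action, res):
    """Hardened check: the grant must also cover this object's division,
    and a self-service grant only applies to the caller's own object."""
    for g in user.grants:
        if g.permission != f"{res.kind}:{action}":
            continue
        if "*" not in g.divisions and res.division not in g.divisions:
            continue
        if g.own_only and res.resource_id != user.location_id:
            continue
        return True
    return False

def gaps(user, requests):
    """Requests the weak check allows but the hardened check denies."""
    return [(a, r.resource_id) for a, r in requests
            if permission_only(user, a, r) and not object_level(user, a, r)]

# Constructed sample: an agent in division "div-a" located at "loc-1".
AGENT = User("agent-1", "loc-1", (
    Grant("interaction:view", frozenset({"div-a"})),
    Grant("location:edit", frozenset({"*"}), own_only=True),
))
REQUESTS = [
    ("view", Resource("interaction", "int-1", "div-a")),
    ("view", Resource("interaction", "int-2", "div-b")),
    ("edit", Resource("location", "loc-1", "div-a")),
    ("edit", Resource("location", "loc-9", "div-a")),
]

if __name__ == "__main__":
    print(gaps(AGENT, REQUESTS))
```

Running the same request list through both checks gives the list of calls to raise in a review of roles and divisions: every entry returned by `gaps` is something the role permits but the object's scope should not.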



  • 6.  RE: API access to agents
    Best Answer

    GENESYS
    Posted 15 days ago

    Hello Lionel,

    Not sure if you resolved your issue, but there is a way to restrict access to developer tools:

    "Allowing/Restricting access to the Developer Tools can be accomplished today with the following procedure.

    The Developer Tools uses an Implicit Grant OAuth Client with a known Client ID to authenticate a user and provide access to the Dev Tools. This client id is automatically authorized with all production orgs. That allows anyone with a Genesys Cloud login to seamlessly visit the Developer Center, authenticate, and use the Developer Tools built into the Dev Center.

    If a customer wanted to restrict access to the Developer Tools to specific users (or no users at all), then they would need to explicitly authorize that OAuth client id used by the Dev Tools per this article: Authorize an OAuth client - Genesys Cloud Resource Center. Once it is an Authorized Application for their org, they can then control access by associating a Role with that Authorized Application. Any user(s) that have that role assigned would be able to log into the Dev Center and access the Developer Tools. Users that don't have that role would only be able to access the Dev Center in a read-only mode. Even if a user were savvy enough to sniff out the Dev Center authentication flow and try to spoof that in Postman, this role-based Authorization Application method would prevent their access from Postman.

    To obtain the OAuth client ID, Genesys customers should contact Genesys Customer Care to obtain that.

    Note, this method is not fine-grained! It provides access to all developer tools in the Dev Center or none of the tools in the Dev Center, there is no middle ground to provide access to only some of the tools."

    Credit on idea OP-I-1137



    ------------------------------
    Samuel Jillard
    Online Community Manager/Moderator
    Genesys - Employees
    ------------------------------



  • 7.  RE: API access to agents

    Posted 9 days ago
    Thank you Samuel.

    We are currently implementing this access restriction to all our orgs.










