Hi Wolfgang,
What you're experiencing is the expected behavior at the moment. While some resources in Genesys Cloud are division‑aware, the platform does not fully enforce division scoping across all object types when accessed via OAuth client‑credentials.
This inconsistency appears in other areas as well - for example, certain GET operations through OAuth respect divisions, while others do not - which shows that division enforcement is still incomplete across the platform.
Because division‑awareness is not fully implemented, an OAuth client restricted to a specific division can still retrieve all users, even if the role permissions are scoped.
So yes, today it is not possible to completely segregate Terraform (or any client‑credential automation) by division when it comes to directory users.
Original Message:
Sent: 03-30-2026 07:43
From: Wolfgang Liebich
Subject: Can I restrict an application to only see users from certain divisions?
Hi,
this is interesting. I thought that at least the permission "Directory > User > View" is division-aware - when I edit roles, it is shown if the permission is division aware or not, and for the above permission, the Genesys UI says "yes" - so is the UI telling me a lie here? :-)
Regards,
Wolfgang Liebich
------------------------------
Wolfgang Liebich
Original Message:
Sent: 03-28-2026 10:43
From: Cesar Padilla
Subject: Can I restrict an application to only see users from certain divisions?
Hi @Wolfgang Liebich, At the moment, what you're seeing is expected. While some resources in Genesys Cloud are division‑aware, the platform does not fully enforce division scoping for all object types when accessed through OAuth client‑credential flows.
This behavior is also visible in other areas - for example, in OAuth‑based API calls where GET requests respect divisions but other operations do not, showing that division enforcement is still inconsistent across the platform.
Because of this incomplete division‑awareness, an OAuth client restricted to a division can still retrieve all users, even if its role permissions are scoped.
So yes, today it is not possible to fully segregate Terraform (or any client‑credential automation) by division when it comes to directory users.
------------------------------
Cesar Padilla
INDRA COLOMBIA
Original Message:
Sent: 03-27-2026 08:59
From: Wolfgang Liebich
Subject: Can I restrict an application to only see users from certain divisions?
I have been exploring "CX as code", and was experimenting with a setup where I restrict it to only be able to view certain divisions.
I gave the Terraform OAuth client a role, which was restricted to one division only.
But at least for the users, this did not work - I could still see users from other divisions!
I explored this further with a self-written program which just called the https://developer.genesys.cloud/useragentman/users/#get-api-v2-users API. The program in question used clientID/clientSecret authentication (just like Terraform does), and the OAuth client in question had a role with permissions "directory > user > all" for one division only.
The GET call, however, still returned all users.
According to the documentation for the permission, the "directory > user > view" permission (implied by the "all" permission) is division-aware, so why does it have no effect here?
I re-ran the test with a second role, which had all "directory > user" permissions separately added (so no "all" permission, but just "view", "edit", etc.) - also assigned only to one division.
The result was the same.
So it seems it is impossible to segregate a Terraform configuration per divisions, at least for the users - is this correct? It would be really bad for one client, which has in the whole call center more than 10000 users, which would present its own problems in that case.
Is there no permission check at work here?
Thanks in advance,
Wolfgang Liebich
#PlatformAPI
------------------------------
Wolfgang Liebich
------------------------------
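Added example, not part of the thread and not Genesys or Terraform code: a division-scope audit over paged GET /api/v2/users results that counts users returned from divisions the client-credentials role was not granted, so the gap discussed above can be measured and re-tested. It assumes each page has `entities` and `pageCount` and each user carries `division.id`; `get_page`, the division IDs and the sample pages are constructed for illustration.

```python
from collections import Counter

def iter_users(get_page, page_size=100):
    """Yield every user across all pages.

    get_page(page_number, page_size) is a caller-supplied (hypothetical)
    function returning one decoded JSON page of GET /api/v2/users.
    Assumed page shape: {"entities": [...], "pageCount": N}.
    """
    page_number = 1
    while True:
        page = get_page(page_number, page_size)
        yield from page.get("entities", [])
        if page_number >= page.get("pageCount", 1):
            break
        page_number += 1

def audit_division_scope(get_page, allowed_division_ids):
    """Return (in_scope_users, leaks).

    leaks maps division id -> number of users the client could read
    although its role was not granted for that division.
    """
    allowed = set(allowed_division_ids)
    in_scope, leaks = [], Counter()
    for user in iter_users(get_page):
        # Fail closed: a user without a division is treated as out of scope.
        division_id = (user.get("division") or {}).get("id", "<none>")
        if division_id in allowed:
            in_scope.append(user)
        else:
            leaks[division_id] += 1
    return in_scope, dict(leaks)

# Constructed sample pages standing in for real API responses.
SAMPLE_PAGES = {
    1: {"pageCount": 2, "entities": [
        {"id": "u1", "division": {"id": "div-sales"}},
        {"id": "u2", "division": {"id": "div-support"}}]},
    2: {"pageCount": 2, "entities": [
        {"id": "u3", "division": {"id": "div-support"}},
        {"id": "u4"}]},
}

def sample_get_page(page_number, page_size):
    return SAMPLE_PAGES[page_number]

if __name__ == "__main__":
    users, leaks = audit_division_scope(sample_get_page, {"div-sales"})
    print([u["id"] for u in users], leaks)
```

A non-empty `leaks` result means the token saw users outside its granted divisions; automation that must stay within one division can act only on the `in_scope_users` list.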