kellcomnet | 2018-04-26 17:57:11 UTC | #1
Using v32.0.0
I am trying to get a list of users that have been added on our side (support partner) to different Trustors. The call is failing with the following error. Now the error tells me why it is failing but how to I add the permission to the ClientID. I also have a separate client ID for each customer but you can't add users from the trustee side only the trustor side, then you switch to trustee to assign the roles.
PureCloudPlatform.Client.V2.Client.ApiException: 'Error calling GetOrgauthorizationTrustorUser: {"status":403,"code":"forbidden","message":"Unable to perform the requested action. You are missing the following permission(s) [authorization:orgTrusteeUser:view] in the trustor organization: [248c7f69-55b0-459f-bfc8-f3cc963237b2]","details":[],"errors":[]}'
var trustors = AVDSOrgAuthClient.GetOrgauthorizationTrustors(pageSize: 100); foreach (var trustor in trustors.Entities) { var trustorDetail = AVDSOrgAuthClient.GetOrgauthorizationTrustor(trustor.Id); // The next line fails var trustorusers = AVDSOrgAuthClient.GetOrgauthorizationTrustorUsers(trustor.Id); }
tim.smith | 2018-04-26 18:05:08 UTC | #2
I believe you need to add the authorization:orgTrusteeUser:view permission to a role assigned to the trusted user in the org where they have been granted access. That would be the role mentioned in step 6 here: https://help.mypurecloud.com/articles/authorize-users-work-organization/
kellcomnet | 2018-04-26 18:38:51 UTC | #3
@tim.smith correct and that is what the error message I included states, but the question has to do with Client ID oauth access.
tim.smith | 2018-04-26 18:53:26 UTC | #4
the question has to do with Client ID oauth access.
I'm not sure what you mean by that. Are you referring to authenticating using a Client Credentials OAuth grant, perhaps? If so, assign the permission to the role that's assigned to that OAuth client.
kellcomnet | 2018-04-26 19:08:30 UTC | #5
tim.smith, post:2, topic:2794
authorization:orgTrusteeUser:view
Yes, using Client Credentials, I have assigned the OAuth client the AVDS_Support role, that role has the permission on the Trustor org. I have not found a way to trust the OAuth client from the Trustee org.
tim.smith | 2018-04-26 19:37:57 UTC | #6
kellcomnet, post:5, topic:2794
I have not found a way to trust the [client credentials] OAuth client from the Trustee org
Correct. Org trust only applies to users. For Client Credentials, have the org's admin create the Client Credentials OAuth client with the permissions you need and then use those client credentials to authenticate with that org.
I've found your request (correlation ID 79a5602d-a40f-4c78-bba9-82768acd4510) and you're making a request to GET /api/v2/orgauthorization/trustors/248c7f69-55b0-459f-bfc8-f3cc963237b2/users/781c1bea-e786-437f-a5d8-2cb8d194e177. The issue is that you're making a request with client credentials from one org (7fb454ce-1fb2-49d4-ad7e-bc3f48672194), but requesting information about another org (248c7f69-55b0-459f-bfc8-f3cc963237b2). Because client credentials cannot be granted access to another org, this error message is correct.
You need to either use a user account that has been granted permissions in the target org or use client credentials that were created in the target org.
system | 2018-05-27 19:38:07 UTC | #7
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 2794