Genesys Cloud - Main

Hello,

• Assume you configure the following:
  - OAuth A (client credentials) assigned with Role R to Division A
  - OAuth B (client credentials) assigned with Role R to Division B
  Role R includes several permissions. For the sake of this discussion, assume that among them is the permission to post callbacks.
  
  We noticed the following:
  1) Use client credentials of OAuth A to create a token
  2) Use the token to GET the available queues through API - Division A queues are returned - this is expected
  3) Use the token to POST a callback to a division A queue - the callback is submitted - this is expected
  4) Use the token to POST a callback to a division B queue - the callback is submitted - this is NOT expected. We tried it out using a division B queue id just to confirm that it is not working. It was a big surprise for us to see it working.
  
  The same applies if we use a token generated by OAuth B and post a callback to queue that belongs to division A.
  
  To summarize:
  - For GET requests division of OAuth is honored.
  - For POST requests division of OAuth is NOT honored. I would expect to get an authorization error like Forbidden.
  
  Security wise the above observed behavior is not acceptable and cannot be considered as-designed. Can someone confirm that this is how it is working at the moment (we need to ensure that we have not missed anything)? Any comments will be highly appreciated.
  
  

Best Regards,

Orestis

Hi Orestis

My initial response will be that this does not sound correct.  According to the documentation on recourse center, it should only be able to access the division which is assigned to the role.  I did however notice that all Client Credential grant roles as scoped to the Home division by default -  https://help.genesys.cloud/articles/create-an-oauth-client/

Just to confirm that the queue is assigned only to 1 Division and the role assigned to the OAuth client only has the 1 division assigned as well?

Not sure if someone else in the community has experienced a similar issues.

Regards

Just to confirm that the queue is assigned only to 1 Division and the role assigned to the OAuth client only has the 1 division assigned as well?

Exactly. Queue belongs to Division B. OAuth role assigned refers to Division A. I would expect not to be able to post a callback under Division B Queue using the Oauth credentials that has a role with permissions against Division A.

Hi Orestis

Noted and thank you for the confirmation.  

As per message from Phaneendra, it seems he has also experienced some issues previously.  Not sure if you could perhaps log a support ticket for this issue so Genesys can advise if the behaviour is normal or if there is perhaps an underlying issue.

Regards

Hello Stephan,

I have already opened a case to product support for that. I am expecting their feedback. I started this discussion just to see if other users have ever experienced something similar.

I will you keep you posted.

Hi Orestis,

That's interesting to know, it looks like division scoping is honoured for GET requests, but not always consistently enforced for some action-based APIs.

I've seen similar behaviour in another use case when setting up an automation to reset "Not Responding" agents initially, it impacted users across divisions, so we had to introduce division-based filtering in the workflow to ensure only the intended division was affected.

Definitely keen to hear if others have observed the same or have approached this differently