Genesys Cloud - Developer Announcements!

 View Only

Sign Up

Back to discussions
Expand all | Collapse all

Permissions Enforcement Added to User Station Management Endpoints

  • 1.  Permissions Enforcement Added to User Station Management Endpoints

    Posted 6 days ago

    Summary

    Permissions checks are being introduced to five existing station-related endpoints and three new endpoints. These updates ensure that only authorized users can view, modify, or delete station associations for themselves or others.

    Effective Date

    Sunday, March 1, 2026

    Details

    Several user station endpoints currently allow any authenticated user to view, change, or delete other users’ station associations because no permission checks exist today.

    To properly secure these operations, administrators must be able to control access by granting or revoking the appropriate permissions. Enforcing permissions will prevent unauthorized manipulation of station assignments.

    Customer Impact

    If your organization has users accessing any of the endpoints listed below without the required permissions—and you want them to retain access—you must update their roles before permissions begin enforcement.

    How to prepare:

    • If accessing via an OAuth client using Client Credentials Grant:

    Add the required permissions to one of the roles assigned to that OAuth client.

    • If accessing via OAuth clients using Code/PKCE, Token Implicit Grant, or SAML2 Bearer—or via the Genesys Cloud UI:

    Add all six permissions to the user roles that need to call these endpoints.

    Permissions that will now be required:

    conversation:callForwarding:view

    telephony:otherStationAssociation:view (UI: Telephony > Others’ phone associations > View)

    telephony:otherStationAssociation:edit (UI: Telephony > Others’ phone associations > Edit)

    telephony:selfStationAssociation:view (UI: Telephony > User’s phone associations > View)

    telephony:selfStationAssociation:edit (UI: Telephony > User’s phone associations > Edit)

    telephony:station:disassociate

    Roles that already have the conversation:call:add permission will automatically receive these permissions in a future backfill (date to be announced).

    Permissions enforcement begins on or after March 1, 2026.

    Impacted Resources

    Existing Endpoints

    GET /api/v2/users/{userId}/callforwarding

    GET /api/v2/users/{userId}/station

    PUT /api/v2/users/{userId}/station/associatedstation/{stationId}

    DELETE /api/v2/stations/{stationId}/associateduser

    DELETE /api/v2/users/{userId}/station/associatedstation

    New Endpoints

    GET /api/v2/users/stations/me

    PUT /api/v2/users/stations/me/associatedstation/{stationId}

    DELETE /api/v2/users/stations/me/associatedstation

    Issue References

    [PURE-6104]

    Contacts

    @Daniel Meyer  

    Please reply to this announcement with any questions. This helps the wider developer community benefit from the discussion. We encourage you to use this thread before contacting the designated person directly. Thank you for your understanding.



Related Content