Required Permissions for given API calls

Is there a comprehensive document that helps outline what the minimum permissions are for each given API call? Are there plans to enhance the API documentation to indicate what minimum permission is needed?

Customer would prefer to limit the scope of permission for the service accounts that have a PAT used in Postman or scripts to perform needed functionality.

Example:

AUTHORIZATION: OAUTH2
name: UserContextAuth
type: oauth2
scopes: sp:search:read
description: OAuth2 Bearer token (JWT) generated using either a Personal Access token or through the Authorization Code flow. 
See [IdentityNow REST API Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information.
- Directions for generating a [personal access token](https://developer.sailpoint.com/idn/api/authentication#personal-access-tokens)
- Directions using [client credentials flow](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow)
- Directions for using [authorization code flow](https://developer.sailpoint.com/idn/api/authentication#authorization-code-grant-flow)

Which authentication method should I choose? See our [guide](https://developer.sailpoint.com/idn/api/authentication#which-oauth-20-grant-flow-should-i-use)

Learn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/idn/api/authentication#find-your-tenants-oauth-details)
flows:

```json
{
  "clientCredentials": {
    "tokenUrl": "https://tenant.api.identitynow.com/oauth/token",
    "scopes": {
      "sp:scopes:default": "default scope",
      "sp:scopes:all": "access to all scopes"
    }
  },
  "authorizationCode": {
    "authorizationUrl": "https://tenant.login.sailpoint.com/oauth/authorize",
    "tokenUrl": "https://tenant.api.identitynow.com/oauth/token",
    "scopes": {
      "sp:scopes:default": "default scope",
      "sp:scopes:all": "access to all scopes"
    }
  }
}
```

This section of the API documentation doesn’t seem to be different for some other APIs I cross-referenced. They seem to include `sp:scopes:all` and default.

What are the minimum permissions needed?

Hi Fred. Please see this section in the authorization guide. It should answer your questions.
