Unable to assign PAT token scopes for Launchers

I would like to assign permissions to a PAT token to read launcher information via this API:

On the page above, it mentions you can use scopes ‘sp:launcher-admin:read’ or ‘sp:launcher-user:read’ to call this endpoint, but it’s not possible to add either of these scopes to a PAT token, they just aren’t there.

Also, it’s not possible to create a User Level that includes this access.

Are these scopes not implemented yet?

Or is there another way to grant these to my PAT token?

PS. the API call works if I give it full access via sp:scopes:all and am an admin, but if you aren’t, you get a 500 response from the API, not a 403 (forbidden).

It feels like this endpoint isn’t fully implemented yet.

Yeah, I think you’re right. I’m seeing the same thing on my side too.

The docs mention the sp:launcher-admin:read and sp:launcher-user:read scopes, but they just don’t show up anywhere when creating a PAT. I also tried checking via User Levels, and there’s no way to include those permissions there either.

Right now, the only way I’ve been able to get the API working is by using sp:scopes:all with an admin account. If I try with anything more restricted, I either can’t assign the scope at all or I get a 500 error instead of a proper 403.

So it definitely feels like either the scopes haven’t been fully implemented yet, or the documentation got ahead of what’s actually available in the product.

Out of curiosity, are either of you testing this in a sandbox tenant/environment?

I am testing in sandbox , why ?

Just curious, the newer features get implemented in sandbox first, so I just wanted to know how ahead of the documentation you were :rofl:

Thanks for the reply.

Yes, it works fine for me with sp:scopes:all and an admin account, but I need a non-admin account to access launcher definitions to analyse them.

I am testing in our Sandbox environment.

I will raise a bug with Customer Support to get it in the queue.

Thanks,

Correct, this is not a tenant configuration issue.

It is :

  • incomplete feature rollout
  • Defect in Launcher API authorization model

We also have the same requirement. Have raised Sailpoint ticket