AppFoundry App: Client Credentials Grant Scoping for Conversation Metadata Sync

Developing an AppFoundry integration that needs to sync conversation metadata to a third-party BI platform. We’re using the Client Credentials grant for our background service.

I’ve granted the analytics:conversationDetail:view and conversations:view scopes to the OAuth client. However, when my service tries to fetch conversation details for calls that were handled in a different Division (we use Divisions heavily for multi-tenancy), I’m getting a 403 Forbidden.

The OAuth client is created in the ‘Home’ division. Does the Client Credentials client need to be explicitly added to every Division, or is there a way to grant it ‘Cross-Division’ visibility for analytics purposes? It’s a bit of a nightmare to manage if we have to update the client every time the customer adds a new Division.

Client Credentials clients are indeed Division-aware! If your client isn’t in the Division where the conversation occurred, it won’t see the data.

The ‘best practice’ for AppFoundry partners is to ensure the customer assigns the OAuth client a Role that has the ‘Division: All’ permission selected. When you’re in the ‘Roles’ configuration, check the permissions for Analytics. You’ll see a dropdown for Divisions. Selecting ‘All’ instead of a specific Division will allow that Client ID to see conversations across the entire Org.

Be careful with that ‘All’ permission though. If your app is multi-tenant and you’re using a single Client ID for all customers (which you shouldn’t be, but I’ve seen it), that’s a security risk. But for a per-org install, the ‘All Divisions’ role is the only way to avoid the constant patching of the client.

Also, if you’re using the Analytics API, remember that there’s a slight delay (sometimes up to 60 seconds) between a conversation ending and the detail record being fully populated with all segments. If your sync service is too fast, you’ll get incomplete data even with the right permissions.

Just to add the GDPR/compliance angle: if your app is syncing data cross-divisionally, ensure that your audit logs reflect why that data is being accessed. If you’re in a German org, for example, accessing data from a Division the app isn’t explicitly ‘in’ might trigger a red flag for the data privacy officer. Always document the scope of the ‘All Divisions’ role in your AppFoundry install guide.
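The following is an added example, not code from any of the posts above and not Genesys Cloud SDK code. It puts the two points in the accepted answer (division-scoped visibility of the Client Credentials client, and the delay before a detail record is fully populated) and the audit-log point from the compliance reply into one offline-runnable sync worker. Assumptions: the `*` marker for an "All Divisions" grant, the completeness heuristic (conversation ended and every session's last segment has a `segmentEnd`), the `make_fake_api` stand-in for `GET /api/v2/analytics/conversations/{id}/details`, the names `Grant`, `sync_conversations`, `divisions_without_access`, and the constructed conversation data are all mine for illustration.

```python
import time
from dataclasses import dataclass

PERMISSION = "analytics:conversationDetail:view"
ALL_DIVISIONS = "*"  # assumption: marker used here for an "All Divisions" grant


@dataclass(frozen=True)
class Grant:
    """One permission-policy row of a role: a permission and the divisions it covers."""
    permission: str
    division_ids: frozenset


def division_visible(grants, division_id, permission=PERMISSION):
    """True when a grant for `permission` covers `division_id` or every division."""
    return any(g.permission == permission
               and (ALL_DIVISIONS in g.division_ids or division_id in g.division_ids)
               for g in grants)


def divisions_without_access(grants, division_ids, permission=PERMISSION):
    """Divisions the client will be 403'd on; empty once the role says 'All'."""
    return sorted(d for d in set(division_ids) if not division_visible(grants, d, permission))


class Forbidden(Exception):
    """Stand-in for the API's 403 on a conversation outside the client's divisions."""


def is_complete(detail):
    """Usable once the conversation has ended and every session's last segment is
    closed (assumption: segments are appended, unclosed, while the call is live)."""
    if not detail.get("conversationEnd"):
        return False
    return all(s.get("segments") and s["segments"][-1].get("segmentEnd")
               for p in detail.get("participants", []) for s in p.get("sessions", []))


def fetch_complete_detail(fetch, conversation_id, retries=6, delay_s=10.0, sleep=time.sleep):
    """Poll until the detail record is complete; (detail, attempts) or (None, retries)."""
    for attempt in range(1, retries + 1):
        detail = fetch(conversation_id)
        if is_complete(detail):
            return detail, attempt
        if attempt < retries:
            sleep(delay_s)
    return None, retries


def sync_conversations(fetch, grants, conversations, home_division, audit, reason,
                       sleep=time.sleep):
    """conversations: {conversation_id: division_id}. One audit entry per access
    attempt (division, whether it is cross-division, reason, outcome)."""
    summary = {"synced": [], "forbidden": [], "incomplete": []}
    for cid, div in conversations.items():
        entry = {"conversation": cid, "division": div, "reason": reason,
                 "cross_division": div != home_division}
        if not division_visible(grants, div):      # skip instead of burning a 403
            entry["outcome"], bucket = "skipped: role lacks division", "forbidden"
        else:
            try:
                detail, attempts = fetch_complete_detail(fetch, cid, sleep=sleep)
            except Forbidden:
                entry["outcome"], bucket = "403 from API", "forbidden"
            else:
                bucket = "synced" if detail else "incomplete"
                entry["outcome"] = f"{bucket} after {attempts} attempt(s)"
        summary[bucket].append(cid)
        audit.append(entry)
    return summary


# --- constructed fake of GET /api/v2/analytics/conversations/{id}/details ---
def make_fake_api(visible_divisions, conversations, snapshots):
    """403 outside `visible_divisions`; otherwise return successive snapshots so the
    first read of a just-ended call can still be missing its final segment."""
    calls = {}

    def fetch(cid):
        if conversations[cid] not in visible_divisions:
            raise Forbidden(cid)
        calls[cid] = calls.get(cid, 0) + 1
        seq = snapshots[cid]
        return seq[min(calls[cid] - 1, len(seq) - 1)]
    return fetch


def _detail(cid, div, closed):  # constructed sample record, not real API output
    seg = {"segmentType": "interact", "segmentStart": "2024-05-01T10:00:00Z"}
    if closed:
        seg["segmentEnd"] = "2024-05-01T10:05:00Z"
    return {"conversationId": cid, "divisionIds": [div],
            "conversationEnd": "2024-05-01T10:05:00Z",
            "participants": [{"purpose": "agent", "sessions": [{"segments": [seg]}]}]}


CONVERSATIONS = {"conv-a": "div-home", "conv-b": "div-sales", "conv-c": "div-ops"}
SNAPSHOTS = {"conv-a": [_detail("conv-a", "div-home", True)],
             "conv-b": [_detail("conv-b", "div-sales", False),   # read too early
                        _detail("conv-b", "div-sales", True)],
             "conv-c": [_detail("conv-c", "div-ops", True)]}


def run(grants, server_visible):
    """Run one sync pass against the fake API; returns (summary, audit_entries)."""
    audit = []
    fetch = make_fake_api(server_visible, CONVERSATIONS, SNAPSHOTS)
    summary = sync_conversations(fetch, grants, CONVERSATIONS, "div-home", audit,
                                 "BI metadata sync", sleep=lambda _s: None)
    return summary, audit


if __name__ == "__main__":
    narrow = [Grant(PERMISSION, frozenset({"div-home"}))]
    print(run(narrow, {"div-home"})[0])            # conv-b and conv-c forbidden
    print(divisions_without_access(narrow, CONVERSATIONS.values()))
    everywhere = [Grant(PERMISSION, frozenset({ALL_DIVISIONS}))]
    print(run(everywhere, {"div-home", "div-sales", "div-ops"})[0])
```

With the role limited to the home division, the worker skips the other divisions locally and `divisions_without_access` lists exactly what the customer would have to add, which is the maintenance burden the question describes; with the "All Divisions" grant every conversation syncs, and the audit entries record the division and reason for each access so a data privacy officer can see why cross-division reads happened. The second snapshot for `conv-b` shows the retry loop absorbing the population delay instead of storing a record with an open segment.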