Hello. I am an IVR designer and I build flows for many different clients. I am currently helping a client set up a third-party analytics tool that needs to pull data from their Genesys Cloud organization. I am worried about giving the tool too much access. What is the best practice for creating an OAuth2 client with the absolute minimum scopes required for an analytics tool? I do not want to give them ‘Admin’ rights if they only need to read interaction data.
I am a chatbot developer and I hate how broad the default scopes are. For an analytics tool, you should only give them the analytics:readonly and conversation:readonly scopes. Avoid using the * wildcard at all costs! Also, make sure you use the ‘Client Credentials’ grant type for these types of server-to-server integrations. It is much more secure than using an agent’s credentials.
I agree with Tar55. I also build flows for multiple clients and I always recommend creating a dedicated ‘Analytics’ role within Genesys Cloud. You then assign that role to the OAuth client. This allows you to restrict the tool’s access to specific divisions or queues. It is the only way to ensure that they are not seeing data that they should not have access to. I have seen too many people just give ‘Master Admin’ to every API key!
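The checks suggested in the replies above (read-only scopes, no wildcard, Client Credentials grant, a dedicated role limited to specific divisions) can be run as an audit over an inventory of OAuth clients. This is an added example, not part of any post in the thread and not Genesys Cloud code; the record layout (`grant_type`, `scopes`, `roles`, `divisions`), the grant type spelling, and the sample records are constructed assumptions.

```python
# Added example: audit OAuth client records against the thread's advice.
# The record layout (keys "grant_type", "scopes", "roles") is a constructed
# assumption for illustration, not the Genesys Cloud API schema.

ALLOWED_SCOPES = {"analytics:readonly", "conversation:readonly"}  # from the thread
EXPECTED_GRANT = "client_credentials"   # assumed spelling of the grant type
BROAD_ROLE_WORDS = ("admin",)           # flags 'Admin', 'Master Admin', etc.


def audit_client(client):
    """Return a list of least-privilege findings for one client record."""
    findings = []
    if client.get("grant_type") != EXPECTED_GRANT:
        findings.append(f"grant type is {client.get('grant_type')!r}, expected {EXPECTED_GRANT!r}")
    for scope in client.get("scopes", []):
        if "*" in scope:
            findings.append(f"wildcard scope {scope!r}")
        elif scope not in ALLOWED_SCOPES:
            findings.append(f"scope {scope!r} is outside the read-only allowlist")
    roles = client.get("roles", [])
    if not roles:
        findings.append("no dedicated role assigned")
    for role in roles:
        name = role.get("name", "")
        if any(word in name.lower() for word in BROAD_ROLE_WORDS):
            findings.append(f"broad role {name!r}")
        divisions = role.get("divisions", [])
        if not divisions or "*" in divisions:
            findings.append(f"role {name!r} is not limited to specific divisions")
    return findings


# Constructed sample records: one that follows the advice, one that does not.
CLIENTS = [
    {"name": "analytics-tool", "grant_type": "client_credentials",
     "scopes": ["analytics:readonly", "conversation:readonly"],
     "roles": [{"name": "Analytics", "divisions": ["Sales"]}]},
    {"name": "legacy-key", "grant_type": "authorization_code",
     "scopes": ["*", "users"],
     "roles": [{"name": "Master Admin", "divisions": ["*"]}]},
]

if __name__ == "__main__":
    for c in CLIENTS:
        issues = audit_client(c)
        print(c["name"], "OK" if not issues else issues)
```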