Trying to lock down a service account to specific divisions for a BPO setup. The docs say you can pass division_ids in the client creation payload, but it seems to just get ignored or defaults to all divisions. Here’s the JSON I’m sending to /api/v2/oauth/clients:
{
  "name": "BPO-Service-Account",
  "client_type": "confidential",
  "grant_types": ["client_credentials"],
  "division_ids": ["div-abc-123", "div-xyz-789"]
}
The client gets created, but when I grab a token and hit /api/v2/users, I get users from divisions I didn’t specify. Is there a flag I’m missing on the client resource itself, or do I have to handle this filtering on my side?