No idea why this is happening: my OAuth client configuration is not respecting division-level restrictions when attempting to isolate access for a multi-tenant BPO environment.
We are building a Salesforce integration that requires strict data isolation. Each client in our BPO operates within their own Genesys Cloud division. The requirement is that a specific OAuth client, used by our middleware, should only be able to read/write resources within the assigned division, not others.
I have configured the client in the Admin console with specific Division Scopes. However, when I generate a token and attempt to call the /api/v2/users endpoint, I can still see users from other divisions if the token is used with an admin-level user context, or the request fails with a 403 Forbidden if the user lacks cross-division permissions.
Here is my current configuration payload sent to the /api/v2/oauth/clients endpoint:
name: "BPO-Client-Isolated"
client_type: "confidential"
grant_type: "client_credentials"
scopes:
  - "user:read"
  - "user:write"
divisions:
  - id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    name: "Client-A-Division"
allowed_origins:
  - "https://middleware.bpo.com"
When I use the resulting access token to fetch user details, the response includes users from Client-B-Division if the authenticated user is a super-admin. I expected the Division Scope to hard-filter the results at the API layer, regardless of the user’s inherent permissions.
Is there a specific flag or additional scope required to enforce division isolation at the OAuth level? Or am I misunderstanding how Division Scopes interact with user permissions in the Genesys Cloud API? I need a code-level solution to ensure no data leakage between tenants.
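The following is an added example, not code from the original post or from Genesys Cloud: a middleware-side tenant guard that treats the OAuth client's Division Scope as one layer and enforces the division boundary again on every response, so a token that turns out to have broader visibility cannot leak Client B's users through the integration. It assumes that `GET /api/v2/users` accepts a `divisionId` query filter and that each user entity carries a `division.id` field; the Client B division ID, the user records and the two in-memory "API" backends are constructed for the example, and the Client A ID is the one from the payload above.

```python
# Added example: defence-in-depth division guard for a Genesys Cloud middleware.
# Not from the original post; divisionId param and division.id field are assumptions.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set

CLIENT_A_DIVISION = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"  # from the posted payload
CLIENT_B_DIVISION = "11111111-2222-3333-4444-555555555555"  # constructed for the example


class TenantIsolationError(RuntimeError):
    """Raised when a response contains a record from a division other than the tenant's."""


@dataclass
class DivisionGuard:
    """Sends the tenant's division as a filter and re-checks it on every record returned.

    The guard fails closed: a single foreign record aborts the call rather than
    being filtered out, because it means the isolation assumption is broken and
    somebody should look at the client configuration.
    """
    allowed_division_id: str
    # Injected so the guard runs offline. In production this would wrap an
    # authenticated requests.Session.get against the regional API host (assumption).
    http_get: Callable[[str, Dict[str, Any]], Dict[str, Any]]

    def list_users(self, page_size: int = 100) -> List[Dict[str, Any]]:
        # Step 1: ask only for the tenant's division (divisionId is an assumed
        # multi-valued query parameter). Whether the platform honours it for a
        # given token is exactly the uncertainty in the post, hence step 2.
        params = {"divisionId": [self.allowed_division_id], "pageSize": page_size}
        body = self.http_get("/api/v2/users", params)
        entities = body.get("entities", [])
        # Step 2: verify every record on the way back.
        foreign = self.foreign_divisions(entities)
        if foreign:
            raise TenantIsolationError(
                f"response contained records from divisions {sorted(foreign)}; "
                f"expected only {self.allowed_division_id}"
            )
        return entities

    def foreign_divisions(self, entities: List[Dict[str, Any]]) -> Set[str]:
        """Division IDs present in the response other than the allowed one.

        A record with no division at all yields "" so it is treated as foreign
        and never silently accepted.
        """
        seen = {(e.get("division") or {}).get("id", "") for e in entities}
        return seen - {self.allowed_division_id}


# Constructed records shaped like GET /api/v2/users entities.
USERS = [
    {"id": "u-1", "name": "Alice (Client A)", "division": {"id": CLIENT_A_DIVISION}},
    {"id": "u-2", "name": "Bob (Client A)", "division": {"id": CLIENT_A_DIVISION}},
    {"id": "u-3", "name": "Carol (Client B)", "division": {"id": CLIENT_B_DIVISION}},
]


def leaky_api(path: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Mimics the behaviour described in the post: a super-admin context ignores
    the division filter and returns every user."""
    return {"entities": list(USERS)}


def filtered_api(path: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Mimics an API that honours the divisionId filter."""
    wanted = set(params.get("divisionId", []))
    return {"entities": [u for u in USERS if u["division"]["id"] in wanted]}


def demo() -> tuple:
    """Returns (users returned by the well-behaved API, whether the leaky API was blocked)."""
    ok = DivisionGuard(CLIENT_A_DIVISION, filtered_api).list_users()
    try:
        DivisionGuard(CLIENT_A_DIVISION, leaky_api).list_users()
        blocked = False
    except TenantIsolationError:
        blocked = True
    return len(ok), blocked


if __name__ == "__main__":
    print(demo())  # (2, True)
```

The same pattern applies to writes: fetch the target user through the guard first so its `division.id` is verified before any `PATCH`, and treat a `TenantIsolationError` as a security event to alert on, since it indicates the token has more visibility than the Division Scope was expected to grant.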