Terraform CXone Provider: Scoping OAuth Client to Specific Divisions for Multi-Tenant BPO Access

Hey everyone,

I’m running into a wall with the nice_cxone_oauth_client resource in the latest Terraform provider. We’re setting up a new multi-tenant BPO environment, and the goal is to create an OAuth client that can only access specific divisions (let’s say Division A and Division B) without touching the master org data.

The provider docs mention a divisions attribute, but it’s not super clear on the exact format or if it’s even fully implemented for client creation. I’ve tried passing an array of division IDs, but the plan fails with a weird validation error about expected types.

Here’s what I’ve got so far:

resource "nice_cxone_oauth_client" "bpo_client" {
  name        = "BPO Access Client"
  description = "Scoped client for Division A and B"
  client_type = "confidential"
  grant_types = ["client_credentials"]

  # This is where it gets fuzzy
  divisions = [
    "12345-67890-abcde-12345",
    "67890-12345-fghij-67890"
  ]
}

When I run terraform plan, I get this:

Error: expected divisions to be one of [string list], got map[string]interface{}

I’ve also tried calling the underlying API directly via Postman to see if the Terraform provider is just lagging behind. I hit POST /api/v2/oauth/clients with a JSON payload:

{
  "name": "Test BPO Client",
  "clientType": "confidential",
  "grantTypes": ["client_credentials"],
  "divisions": ["12345-67890-abcde-12345"]
}

The API returns a 201 Created, but when I look at the client in the admin portal, it doesn’t seem to be scoped. It still shows as having access to all divisions. If I try to use the client credentials flow to get a token, it works fine, but the token seems to have full org access.

Is the divisions field in the API just for metadata, or is there a separate step to enforce scoping? Maybe I need to assign a specific role that’s tied to those divisions?

Any code snippets or Terraform configs that actually work would be huge. I don’t want to accidentally give our BPO partners access to our internal reporting data.

Also, if there’s a way to verify the scope via the token introspection endpoint /api/v2/oauth/token/introspect, that would be ideal. I can’t find a clear example of what the scope claim looks like for a division-scoped client.

Thanks in advance.
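A fail-closed check for the verification step the question asks about, written as an added example (not the provider's code and not from the original post): it takes an introspection response for a token issued to the BPO client and reports whether the token is confined to the intended divisions. It assumes, hypothetically, that the introspection JSON carries a "divisions" list of division IDs, and treats a missing or empty list as org-wide access, which is what the post observed in the admin portal; the sample responses and the division IDs are constructed.

```python
"""Post-provisioning scope check for a division-scoped OAuth client.

Assumptions (hypothetical, not confirmed by the provider or API docs):
- the introspection response has a "divisions" list of division IDs;
- no "divisions" entry, or an empty one, means the token is org-wide.
"""
import json
from dataclasses import dataclass, field


@dataclass
class ScopeVerdict:
    ok: bool
    reason: str
    extra: frozenset = field(default_factory=frozenset)    # beyond allowed
    missing: frozenset = field(default_factory=frozenset)  # allowed but absent


def check_division_scope(introspection_json: str, allowed_divisions) -> ScopeVerdict:
    """Fail closed: only 'active token, exactly the allowed divisions' passes."""
    data = json.loads(introspection_json)
    if not data.get("active", False):
        return ScopeVerdict(False, "token is not active")
    divisions = data.get("divisions")  # claim name is an assumption
    if not isinstance(divisions, list) or not divisions:
        # No restriction recorded: treat as full org access (worst case).
        return ScopeVerdict(False, "no division restriction: token is org-wide")
    allowed, got = frozenset(allowed_divisions), frozenset(divisions)
    extra, missing = got - allowed, allowed - got
    if extra:
        return ScopeVerdict(False, "token reaches divisions outside the allowed set", extra, missing)
    if missing:
        return ScopeVerdict(True, "scoped more narrowly than requested", extra, missing)
    return ScopeVerdict(True, "scoped to exactly the allowed divisions")


# Constructed sample data: placeholder division IDs from the question above.
ALLOWED = {"12345-67890-abcde-12345", "67890-12345-fghij-67890"}
SCOPED_RESPONSE = json.dumps({"active": True, "client_id": "bpo_client",
    "divisions": ["12345-67890-abcde-12345", "67890-12345-fghij-67890"]})
ORG_WIDE_RESPONSE = json.dumps({"active": True, "client_id": "bpo_client"})
OVERREACH_RESPONSE = json.dumps({"active": True, "client_id": "bpo_client",
    "divisions": ["12345-67890-abcde-12345", "MASTER-ORG-PLACEHOLDER"]})

if __name__ == "__main__":
    for label, resp in [("scoped", SCOPED_RESPONSE), ("org-wide", ORG_WIDE_RESPONSE),
                        ("overreach", OVERREACH_RESPONSE)]:
        v = check_division_scope(resp, ALLOWED)
        print(f"{label}: {'OK' if v.ok else 'FAIL'} - {v.reason}", sorted(v.extra) or "")
```

Run it against the real introspection output once the claim name is confirmed; until then a passing result only proves the assumed claim matched.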