Problem
Pulling historical ADHERENCE metrics for the night shift via the WEM analytics endpoint keeps failing. The compliance team flagged a gap in the reporting logs, so the export needs a clean CSV dump for the last quarter. The service account holds the right ROLE assignments on paper, but the platform blocks the query when specific QUEUE filters get applied. It’s doing jack all when the payload stays generic, but add a QUEUE ID and it tanks immediately.
Configuration & Payload
Running this against the US-East tenant. The SECURITY PROFILE is locked down for PCI compliance, which usually isn’t a problem for read-only WEM calls. Sticking to the WEM terminology here since the CXone docs keep shifting names. Here’s the request structure:
{
"viewId": "wem-agent-adherence-v1",
"since": "2024-01-01T00:00:00Z",
"until": "2024-03-31T23:59:59Z",
"groupings": [
{
"type": "QUEUE"
}
],
"filters": [
{
"type": "QUEUE",
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
],
"metrics": [
{
"name": "ADHERENCE",
"type": "PERCENT"
},
{
"name": "SERVICE LEVEL",
"type": "PERCENT"
}
]
}
The OAUTH token refreshes fine. Scopes include wem:reports:read and analytics:reports:query.
Error
Console spits out a straight 403 Forbidden. The response body doesn’t give much away, just points to a missing RBAC permission on the requested QUEUE. Strangely, removing the QUEUE filter returns aggregate SERVICE LEVEL data without issue. The logs on the backend show the token is valid until 3600 seconds out. Looks like the compliance layer is intercepting the QUEUE grouping before the WEM engine even touches it.
Question
Is there a specific TENANT setting that forces QUEUE-level ADHERENCE queries through a stricter security gate? The documentation mentions a wem:analytics:queue:read scope, but adding that to the client credentials just breaks the token generation. The ROLE matrix was checked three times. The scheduler account has full visibility on the WEM dashboard UI, so the backend restriction feels disconnected from what the frontend allows. The token expiry is still showing 3590 seconds.