WFM API 403 Forbidden on Quality Evaluation Assignment via Terraform Provider v1.15.4

Applying genesyscloud_quality_evaluation resource fails with HTTP 403 Forbidden. Error response indicates insufficient_permissions despite the service account having admin:quality and admin:quality:evaluation scopes.

resource "genesyscloud_quality_evaluation" "test" {
  name = "QA Test"

}

Is there a specific role binding missing for programmatic assignment of evaluations to agents via the API?

The 403 error usually stems from role hierarchy rather than API scope alone. Having admin:quality allows viewing, but assigning evaluations often requires explicit write permissions at the user level. Check if the service account has the admin:quality:evaluation:write permission specifically. The admin:quality:evaluation scope might only cover read operations depending on the provider version.

Also, verify the target agent’s role. If the agent is in a restricted group, the system might block assignment regardless of the service account’s power. Try adding the service account to a custom role that includes quality:evaluation:assign and user:manage. Terraform state sometimes caches permission checks, so force a refresh after role updates. This misalignment is common when moving from manual UI config to IaC. The WFM side doesn’t interfere here, but keep an eye on concurrent API calls if this is part of a larger schedule deployment.