API Permissions for Integrations
This page outlines the API permissions required by an Integration for enabling features within Oort
Overview
This page contains API details for the following Integrations:
Azure AD
Duo
Okta
Auth0
Google (G-Suite)
Salesforce
Integrations
This section contains a summary of the API permissions for Oort integrations and the purpose for which the connection is used
Azure AD
This section covers the API permissions for the following Microsoft Azure APIs:
MS Graph API - Application Permissions
| Name | Description | Purpose |
|---|---|---|
| Read all audit log data | Read user activity from the Audit Log |
| Read directory data | |
| Read all groups | |
| Read all group memberships | Get a list of user's group memberships |
| Read all usage reports | Find a manager's end user direct reports |
| Read all users' full profiles | |
| Read your organization's policies | Get a list of policies and named locations |
| Read your organization's risky users | Get a list of users marked as |
| Read your organization's risky user events | Read details on events associated with |
| Read user auth methods | Read user authentication methods that are available |
MS Graph API - InTune Devices
| Name | Description |
|---|---|
| Read Microsoft InTune apps |
| Read Microsoft InTune device configuration and policies |
| Read Microsoft InTune devices |
MS Graph API - Permissions for Remediation Actions
These API permissions allow updates to be made directly from Oort to Azure AD
| Name | Remediation Type |
|---|---|
| Update User Type |
| User Log out |
| Factors Reset (TBD) |
Duo
Duo Admin API with the following permissions are required for Duo integration instances:
| Name | Description | Purpose |
|---|---|---|
Grant read log | Permit Admin API application to read logs | Read the Duo event log |
Grant read resource | Permit Admin API application to read resources such as users, phones, and hardware token | Get a list of users and devices |
The following permissions are required for Remediation Actions:
These API permissions allow updates to be made directly from Oort to Duo
| Name | Remediation Type |
|---|---|
Grant write resource | Reset Factors |
Okta SSWS API Token Scopes
| API | HTTP Operation |
|---|---|
| READ |
As we require the minimal set of privileges, the custom admin role must be created in order to support remediations in Oort (ref to Oort Help Desk Admin role in https://oortpreview-admin.oktapreview.com):
Auth0 API Permissions
In Auth0 Management API:
Add a "Machine to Machine" application (Applications --> Applications) should be configured in Auth0 (via a configured API (Applications --> APIs) with the following scope permissions:
| Scope | Description | Purpose |
|---|---|---|
| Read Users | Get a list of Users |
| Read Logs | Read Auth0 Event logs |
| Read logs relating to users | Read Auth0 User logs |
| Read Guardian factors configuration | Get a list of Users and Authenticator configurations |
G-Suite Connected App Permissions
| Scope | Description |
|---|---|
| groups membership |
| groups |
| users |
| rolemanagement |
| devices |
| audit logs |
The following permissions are required for Remediation Actions:
These API permissions allow updates to be made directly from Oort to G-Suite
| https://www.googleapis.com/auth/admin.directory.user.security | audit logs |
Salesforce Connected App Permissions
| Scope | Description | Purpose |
|---|---|---|
Manage user data via APIs (api) | Allows access to the current account using APIs, such as REST API and Bulk API 2.0 | Collect user data |
Last updated
