Comment on page
API Permissions for Integrations
This page outlines the API permissions required by an Integration for enabling features within Oort
- Azure AD
- Duo
- Okta
- Auth0
- Google (G-Suite)
- Salesforce
This section contains a summary of the API permissions for Oort integrations and the purpose for which the connection is used
This section covers the API permissions for the following Microsoft Azure APIs:
Name | Description | Purpose |
|---|---|---|
AuditLog.Read.All | Read all audit log data | Read user activity from the Audit Log |
Directory.Read.All | Read directory data | |
Group.Read.All | Read all groups | |
GroupMember.Read.All | Read all group memberships | Get a list of user's group memberships |
Reports.Read.All | Read all usage reports | Find a manager's end user direct reports |
User.Read.All | Read all users' full profiles | |
Policy.Read.All | Read your organization's policies | Get a list of policies and named locations |
IdentityRiskyUser.Read.All | Read your organization's risky users | Get a list of users marked as Risky by Azure |
IdentityRiskEvent.Read.All | Read your organization's risky user events | Read details on events associated with Risky user activities |
UserAuthenticationMethod.Read.All | Read user auth methods | Read user authentication methods that are available |
Name | Description |
|---|---|
DeviceManagementApps.Read.All | Read Microsoft InTune apps |
DeviceManagementConfiguration.Read.All | Read Microsoft InTune device configuration and policies |
DeviceManagementManagedDevices.Read.All | Read Microsoft InTune devices |
These API permissions allow updates to be made directly from Oort to Azure AD
Name | Remediation Type |
|---|---|
User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | Update User Type |
User.ReadWrite.All, Directory.ReadWrite.All | User Log out |
UserAuthenticationMethod.ReadWrite.All | Factors Reset (TBD) |
Name | Description | Purpose |
|---|---|---|
Grant read log | Permit Admin API application to read logs | Read the Duo event log |
Grant read resource | Permit Admin API application to read resources such as users, phones, and hardware token | Get a list of users and devices |
These API permissions allow updates to be made directly from Oort to Duo
Name | Remediation Type |
|---|---|
Grant write resource | Reset Factors |
API | HTTP Operation |
|---|---|
/api/v1/* | READ |
As we require the minimal set of privileges, the custom admin role must be created in order to support remediations in Oort (ref to
Oort Help Desk Admin role in https://oortpreview-admin.oktapreview.com):
Add a "Machine to Machine" application (
Applications --> Applications) should be configured in Auth0 (via a configured API (Applications --> APIs) with the following scope permissions:Scope | Description | Purpose |
|---|---|---|
read:users | Read Users | Get a list of Users |
read:logs | Read Logs | Read Auth0 Event logs |
read:user_logs | Read logs relating to users | Read Auth0 User logs |
read:guardian_factors | Read Guardian factors configuration | Get a list of Users and Authenticator configurations |
Scope | Description |
|---|---|
https://www.googleapis.com/auth/admin.directory.group.member.readonly | groups membership |
https://www.googleapis.com/auth/admin.directory.group.readonly | groups |
https://www.googleapis.com/auth/admin.directory.user.readonly | users |
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | rolemanagement |
https://www.googleapis.com/auth/admin.directory.orgunit.readonly | devices |
https://www.googleapis.com/auth/admin.directory.audit.readonly | audit logs |
These API permissions allow updates to be made directly from Oort to G-Suite
| https://www.googleapis.com/auth/admin.directory.user.security | audit logs |
Scope | Description | Purpose |
|---|---|---|
Manage user data via APIs (api) | Allows access to the current account using APIs, such as REST API and Bulk API 2.0 | Collect user data |
Last modified 7mo ago