
API Permissions for Integrations

This page outlines the API permissions an Integration requires to enable features within Oort.

Overview

This page contains API details for the following Integrations:
  • Azure AD
  • Duo
  • Okta
  • Auth0
  • Google (G-Suite)
  • Salesforce

Integrations

This section summarises the API permissions for each Oort integration and the purpose for which each connection is used.

Azure AD

This section covers the API permissions for the following Microsoft Azure APIs:

MS Graph API - Application Permissions

| Name | Description | Purpose |
| --- | --- | --- |
| AuditLog.Read.All | Read all audit log data | Read user activity from the Audit Log |
| Directory.Read.All | Read directory data | |
| Group.Read.All | Read all groups | |
| GroupMember.Read.All | Read all group memberships | Get a list of user's group memberships |
| Reports.Read.All | Read all usage reports | Find a manager's end user direct reports |
| User.Read.All | Read all users' full profiles | |
| Policy.Read.All | Read your organization's policies | Get a list of policies and named locations |
| IdentityRiskyUser.Read.All | Read your organization's risky users | Get a list of users marked as Risky by Azure |
| IdentityRiskEvent.Read.All | Read your organization's risky user events | Read details on events associated with Risky user activities |
| UserAuthenticationMethod.Read.All | Read user auth methods | Read user authentication methods that are available |

MS Graph API - Intune Devices

| Name | Description |
| --- | --- |
| DeviceManagementApps.Read.All | Read Microsoft Intune apps |
| DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |

MS Graph API - Permissions for Remediation Actions

These API permissions allow updates to be made directly from Oort to Azure AD.

| Name | Remediation Type |
| --- | --- |
| User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | Update User Type |
| User.ReadWrite.All, Directory.ReadWrite.All | User Log out |
| UserAuthenticationMethod.ReadWrite.All | Factors Reset (TBD) |
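A least-privilege check for the Azure AD app registration, added here as an example (not Oort's own code): it compares the Graph application permissions actually granted to the app against the read-only, Intune and remediation sets documented above, and separates missing scopes from excess read and excess write scopes. It assumes the input is the list of permission names as displayed in the portal's API permissions blade, not app-role GUIDs, and the sample list is constructed.

```python
# Added example, not Oort's own code: checks the Graph application permissions
# granted to an app registration against the least-privilege sets documented on
# this page. Input is assumed to be permission names as shown in the portal's
# "API permissions" blade, not app-role GUIDs.
READ_ONLY = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All", "UserAuthenticationMethod.Read.All",
}
INTUNE = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
}
REMEDIATION = {
    "User.ReadWrite.All", "User.ManageIdentities.All",
    "Directory.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
}

def is_write_permission(name):
    """Heuristic on Resource.Action[.Scope] names: an action that is not a
    plain Read* variant, or that contains Write, can change tenant state."""
    parts = name.split(".")
    action = parts[1] if len(parts) > 1 else ""
    return not action.startswith("Read") or "Write" in action

def check_permissions(granted, intune=False, remediation=False):
    """Compare granted permissions with the documented set for the enabled
    features. Returns sorted lists: 'missing' (the feature will fail),
    'extra_write' (excess privilege that can change the tenant, remove first)
    and 'extra_read' (excess read access)."""
    expected = set(READ_ONLY)
    if intune:
        expected |= INTUNE
    if remediation:
        expected |= REMEDIATION
    granted = set(granted)
    extra = granted - expected
    return {
        "missing": sorted(expected - granted),
        "extra_write": sorted(p for p in extra if is_write_permission(p)),
        "extra_read": sorted(p for p in extra if not is_write_permission(p)),
    }

# Constructed sample: read-only deployment missing one read scope and
# over-granted a write permission plus an unrelated mailbox scope.
SAMPLE_GRANTED = sorted(READ_ONLY - {"Policy.Read.All"}) + ["Mail.Read", "User.ReadWrite.All"]
```

Run `check_permissions(SAMPLE_GRANTED)` to see the three lists; pass `remediation=True` only if the remediation actions above are actually in use, otherwise the ReadWrite scopes are reported as excess write privilege.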

Duo

A Duo Admin API application with the following permissions is required for Duo integration instances:

| Name | Description | Purpose |
| --- | --- | --- |
| Grant read log | Permit Admin API application to read logs | Read the Duo event log |
| Grant read resource | Permit Admin API application to read resources such as users, phones, and hardware tokens | Get a list of users and devices |

The following permissions are required for Remediation Actions. These API permissions allow updates to be made directly from Oort to Duo.

| Name | Remediation Type |
| --- | --- |
| Grant write resource | Reset Factors |

Okta SSWS API Token Scopes

| API | HTTP Operation |
| --- | --- |
| /api/v1/* | READ |

Because we require the minimal set of privileges, a custom admin role must be created to support remediations in Oort (see the Oort Help Desk Admin role in https://oortpreview-admin.oktapreview.com):

Auth0 API Permissions

In the Auth0 Management API, a "Machine to Machine" application (Applications --> Applications) must be configured and authorized against a configured API (Applications --> APIs) with the following scope permissions:

| Scope | Description | Purpose |
| --- | --- | --- |
| read:users | Read Users | Get a list of Users |
| read:logs | Read Logs | Read Auth0 Event logs |
| read:user_logs | Read logs relating to users | Read Auth0 User logs |
| read:guardian_factors | Read Guardian factors configuration | Get a list of Users and Authenticator configurations |

G-Suite Connected App Permissions

| Scope | Description |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.group.member.readonly | groups membership |
| https://www.googleapis.com/auth/admin.directory.group.readonly | groups |
| https://www.googleapis.com/auth/admin.directory.user.readonly | users |
| https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | rolemanagement |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | devices |
| https://www.googleapis.com/auth/admin.directory.audit.readonly | audit logs |

The following permissions are required for Remediation Actions. These API permissions allow updates to be made directly from Oort to G-Suite.

| Scope | Description |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.user.security | audit logs |

Salesforce Connected App Permissions

| Scope | Description | Purpose |
| --- | --- | --- |
| Manage user data via APIs (api) | Allows access to the current account using APIs, such as REST API and Bulk API 2.0 | Collect user data |