Uri Sevilla asked ·

Authenticate as "root"

Hi. I am following https://developers.ringcentral.com/guide/authentication/tokens

Trying to build an app that will manipulate address books for all users in the company.

I am able to auth and get a token both in Sandbox and Prod.

But according to the page above, I need to supply

  • a username
  • an extension
  • a password


If I supply the above for my user (I'm admin), I'm able to manage my address book, but when accessing another extension's, I get:

"In order to call this API endpoint for another extension, user needs to have [ReadPersonalContacts] permission granted with extended scope"


Questions:

  1. What's the best approach to have my App auth, without using someone's personal credentials? Create another extension just for the API (that will incur cost)?
  2. How to resolve the above error? What is "extended scope"?


thanks


Tags: authentication, permissions, api-auth

Phong Vu answered ·

The error is misleading. It should be "not allowed" or "no permission". Even if you log in as a super admin, you still cannot read personal contacts of other extensions. I think we had a plan to support that but there might be some privacy protection regulation which stops us from implementing the feature.

1 comment

Hi Phong.

Just to update you a bit - the point that the limitation is due to some "privacy protection" falls short (and is maybe a poor excuse at best).

Here are at least 2 facts that prove this:

  1. From the Admin panel an admin can change a user's password (no, you were wrong on the call - it does not send them an email - I can set the password right from the UI). Then an admin can access any information using their account.
  2. From the Admin (AND from the API) - I can access any recording. We have all calls recorded by default.


However, as you mentioned:

"I think we had a plan to support that"

If that ever materializes, I'll be glad to know.


Uri Sevilla answered ·

Thanks. So what are my options to create an app that will sync each user's address book with our own data?


Transcend Dev answered ·

Hi Phong, thanks for your response, this confirms what I was able to do testing your API.


Unfortunately, my company finds that this limitation makes it nearly impossible for orgs using RC to comply with privacy regulations since each user of RC in an org will have a separately managed contact list. We need a way for just the privacy/compliance people to "globally delete" contact information -- but there is no scope we can give that allows them the ability to see other users' contacts.


Please help!

1 comment

I think we're out of luck. This has been escalated to RC "Dev Support", and the answer I got was "this is a limitation in RC API".

Their suggestions:

1. Either make my App a Desktop/Windows app (and each user will auth themselves) - not possible: I need to create a service that will sync info in the background

2. Or, have the App sign in as each user using their own personal password (?!?!? all users will have to share their passwords with my app maintainer? and never change it in the future?)


This is ridiculous and I never encountered such limitations in so many other API systems I worked with. There needs to be a "root" account, that should be allowed to make such changes. Period.


