
MichaelG.50941 (Customer) asked a question.
Hello, I am developing an app that fetches a list of application OAuth 2.0 grants using the "/apps/{id}/grants" endpoint. I am always getting the error 403 (Forbidden) from the API, even though I assigned this app the "okta.appGrants.read" grant, the built-in "Read-only Administrator" role, and a custom role assigned the "View roles, resources, and admin assignments" permission over a resource set containing "All Identity and Access Management resources".
Not even the built-in App Admin role seems to be sufficient. The issue only disappears if I assign the app the Super Admin role, but this is IMO an overkill for read-only operations and violates the principle of least privilege.
Is there a viable way, please, of delegating the permission to read application grants without assigning the app the Super Admin role?
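
The call the question describes, as an added example that is not the poster's code and is not taken from Okta's SDKs: a small client for GET /api/v1/apps/{id}/grants that follows the Link-header pagination Okta uses on list endpoints (assumed to apply to this endpoint as well) and turns a non-200 response into an exception carrying Okta's errorCode, errorSummary and errorId, so a 403 is reported with the fields support would ask for instead of a bare status. The transport is injectable; the two fake transports, the org URL, the app ID, the token placeholder and the errorId value are constructed for offline use, and the 403 body mirrors the shape of Okta's standard error JSON rather than a captured response. Authentication uses a Bearer token, which is what an OAuth 2.0 service app with the okta.appGrants.read scope would present.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Transport signature: (url, request headers) -> (status, response headers, body bytes).
# Injectable so the paging and error handling can be exercised without an Okta org.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport. urllib raises on 4xx/5xx, so fold that back into a status tuple."""
    try:
        with urlopen(Request(url, headers=headers)) as resp:
            return resp.status, {"Link": ", ".join(resp.headers.get_all("Link") or [])}, resp.read()
    except HTTPError as err:
        return err.code, {"Link": ", ".join(err.headers.get_all("Link") or [])}, err.read()


class OktaApiError(Exception):
    """Carries the fields of Okta's JSON error body (errorCode, errorSummary, errorId)."""

    def __init__(self, status: int, code: str, summary: str, error_id: str):
        super().__init__(f"HTTP {status} {code}: {summary} (errorId={error_id})")
        self.status = status
        self.code = code
        self.summary = summary
        self.error_id = error_id


def next_link(link_header: str) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None when there is no further page."""
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def list_app_grants(org_url: str, app_id: str, token: str, fetch: Fetch = urllib_fetch) -> List[dict]:
    """GET /api/v1/apps/{appId}/grants, following pagination; raise OktaApiError on any non-200."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    url = f"{org_url.rstrip('/')}/api/v1/apps/{app_id}/grants"
    grants: List[dict] = []
    while url:
        status, resp_headers, body = fetch(url, headers)
        if status != 200:
            try:
                err = json.loads(body or b"{}")
            except ValueError:
                err = {}
            raise OktaApiError(
                status,
                err.get("errorCode", "unknown"),
                err.get("errorSummary", body.decode("utf-8", "replace")[:200]),
                err.get("errorId", "unknown"),
            )
        grants.extend(json.loads(body))
        url = next_link(resp_headers.get("Link", ""))
    return grants


# Constructed sample data (placeholder org, app ID and token; not from a real tenant).
ORG = "https://example.okta.com"
APP_ID = "0oaexampleappid"


def fake_fetch_paged(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Two pages of grants; the first page advertises a rel="next" link."""
    page2 = f"{ORG}/api/v1/apps/{APP_ID}/grants?after=oag1&limit=1"
    if url == page2:
        body = [{"id": "oag2", "scopeId": "okta.users.read"}]
        return 200, {"Link": f'<{page2}>; rel="self"'}, json.dumps(body).encode()
    body = [{"id": "oag1", "scopeId": "okta.apps.read"}]
    return 200, {"Link": f'<{url}>; rel="self", <{page2}>; rel="next"'}, json.dumps(body).encode()


def fake_fetch_forbidden(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Shape of the 403 described in the question; the errorId value is made up."""
    body = {
        "errorCode": "E0000006",
        "errorSummary": "You do not have permission to access the feature you are requesting",
        "errorLink": "E0000006",
        "errorId": "oaeSAMPLEERRORID",
        "errorCauses": [],
    }
    return 403, {"Link": ""}, json.dumps(body).encode()


def probe(fetch: Fetch) -> Tuple[int, str]:
    """Return (HTTP status, Okta errorCode) for the grants call; (200, '') on success."""
    try:
        list_app_grants(ORG, APP_ID, "token-placeholder", fetch)
        return 200, ""
    except OktaApiError as e:
        return e.status, e.code


if __name__ == "__main__":
    print(probe(fake_fetch_paged))       # (200, '')
    print(probe(fake_fetch_forbidden))   # (403, 'E0000006')
```

A 403 with a valid token means authentication succeeded and the request was refused by authorization, so the errorCode and errorId are the values to quote when asking which role or permission the caller lacks; a 401 would instead point at the token or scope itself.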

Hello @MichaelG.50941 (Customer) , thank you for contacting Okta Community!
I've reviewed our documentation for something relevant. It looks like your question is more appropriate for our dedicated Okta Developer Forum. I advise reaching out via devforum.okta.com as they will have more insight into this topic.
While we'll do our best to answer your questions here, this medium is more inclined towards Okta's core products and features (non-developer work).
Regards.
Thanks. I will ask, but to me this seems like a gap/bug in the current RBAC model design.