How to limit the resources a token can access

Hi All,

We’re working on enabling our internal customers to start jobs in our cloud orchestrator. To test this, we set up an external app and confirmed that we can successfully run jobs using its credentials to obtain a token and trigger the job.

However, it looks like those credentials require admin access to generate the token. Our goal is to provide these credentials to customers so they can generate their own tokens and run jobs as needed—but giving them admin-level access is too permissive.

Is there a way to allow external app credentials to request an access token without needing admin privileges?

Hi @Giraldo_Juan_P

Could you please show the scopes that you have selected at the moment in your external application registration?

For starting a job, jobs-level permission should be enough.

I don’t think you require admin-level permissions for the same.

To find out the minimum level of permissions, create a new external application and provide scopes like the ones below:
Or.jobs
Or.jobs.write
Or.jobs.read

And then try to generate the token using these scopes and start a job. Does it let you start the job?

If not, I think the error message will show what other scopes are required for the same. You might need Or.machines or Or.robots.

But the best approach is to create a registration like I mentioned and then find out the minimum level of permissions required to run a job. That should help you.
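The trial-and-error procedure suggested in the reply above, written out as an added example; it is not part of any post in this thread and is not UiPath's code. The two callables passed to `minimal_scopes`, the stand-in functions and the `REGISTERED`/`NEEDED` sets are assumptions constructed so the probe runs offline; real hooks would POST the form to your tenant's token endpoint and call the job-start API.

```python
import json
from itertools import combinations

# Scope names exactly as written in the thread; use the strings your tenant lists.
CANDIDATES = ["Or.jobs", "Or.jobs.write", "Or.jobs.read", "Or.machines", "Or.robots"]

def token_form(client_id, client_secret, scopes):
    """Form body of an OAuth2 client-credentials token request (RFC 6749, 4.4)."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": " ".join(scopes)}

def minimal_scopes(request_token, start_job, client_id, client_secret,
                   candidates=CANDIDATES):
    """Try scope sets from smallest to largest; return the first that starts a job.

    request_token(form) -> (http_status, body_text)   hypothetical transport hook
    start_job(access_token) -> bool                   hypothetical job-start hook
    """
    rejected = []
    for size in range(1, len(candidates) + 1):
        for scopes in combinations(candidates, size):
            status, body = request_token(token_form(client_id, client_secret, scopes))
            reply = json.loads(body)
            if status != 200:  # e.g. {"error":"invalid_scope"}
                rejected.append((scopes, reply.get("error", "unknown")))
            elif start_job(reply["access_token"]):
                return list(scopes), rejected
            else:
                rejected.append((scopes, "job_start_denied"))
    return None, rejected

# --- Constructed stand-ins so the probe runs offline (not Orchestrator behaviour) ---
REGISTERED = {"Or.jobs", "Or.jobs.write", "Or.robots"}   # scopes on the test app
NEEDED = {"Or.jobs.write", "Or.robots"}                  # made-up job-start rule

def fake_request_token(form):
    asked = set(form["scope"].split())
    if not asked <= REGISTERED:
        return 400, '{"error":"invalid_scope"}'
    return 200, json.dumps({"access_token": "tok:" + form["scope"]})

def fake_start_job(token):
    return NEEDED <= set(token[4:].split())

if __name__ == "__main__":
    found, rejected = minimal_scopes(fake_request_token, fake_start_job,
                                     "demo-client", "demo-secret")
    print("smallest working scope set:", found)
    for scopes, reason in rejected:
        print("  rejected", scopes, "->", reason)
```

Once the smallest working set is known, trim the external application registration to exactly those scopes before handing the credentials to customers.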

Hi @sonaliaggarwal47

We tried that before; the error message only states Failed to retrieve token: {"error":"invalid_scope"}. As I added permissions, it only worked when I added admin access.

But as per your comment, I tried, and now it worked without admin access today!

Thank you.
