OAuth 2.0 scopes control the level of access an external system is granted when accessing information tied to the OneTrust platform. The necessary scopes for external systems will need to be defined when creating client credentials in the application. Once a client credential is created, an access token can be generated for the credential and used to authorize access to the respective APIs based on the requested scopes.
The Trust Intelligence Platform
Available Areas & Scopes
The following table details the scopes available within each area of the Trust Intelligence Platform, along with the corresponding descriptions.
| Area | OAuth Scope | Description |
|---|---|---|
| Access Management | ORGANIZATION | Grants full access to manage organizations. This includes Create, Read, Update and Delete operations. |
| USER | Grants full access to manage Users, User Groups, and User Group membership. This includes Create, Read, Update and Delete operations. | |
| Documents | ATTACHMENT | Grants access to view and manage attachments. |
| ATTACHMENT_READ | Grants access to view attachments. | |
| Integrations | INTEGRATION_JWKS | Integrations Scope for external systems to invoke to retrieve their public key information on the JWE Decryption Credential. |
| INTEGRATIONS | Integrations Scope for an external system to invoke Integration service API. | |
| Inventory | INVENTORY | Inventory scope grants read, write, and delete operations to the Inventory module. |
| INVENTORY_READ | Inventory Read scope grants read operations to the Inventory module. | |
| INVENTORY_WRITE | Inventory Write scope grants write operations to the Inventory module. | |
| SCIM User Provisioning | SCIM | Grants full access to the SCIM APIs for User Provisioning. This includes all the endpoints under Users, Groups, Resources, Schemas, and Service Provider. |
Scope to API Assignments
The following table details the APIs an external system will access when the corresponding scope is defined for the respective client credential.
| OAuth Scope | API |
|---|---|
| ATTACHMENT | POST /attachments/v2 |
| GET /attachment/v3/{fileId}/content | |
| ATTACHMENT_READ | GET /attachment/v3/{fileId}/content |
| ORGANIZATION | PUT /external/organizations/{externalId} |
| POST /external/organizations | |
| GET /external/organizations | |
| DELETE /external/organizations/{externalId} | |
| SCIM | PUT /Users/{id} |
| PUT /Groups/{groupId} | |
| POST /Users | |
| PATCH /Users/{id} | |
| PATCH /Groups/{groupId} | |
| GET /Users/{id} | |
| GET /Users | |
| GET /ServiceProviderConfig | |
| GET /Schemas/{schemaName} | |
| GET /ResourceTypes/{resourceName} | |
| GET /ResourceTypes | |
| GET /Groups/{groupId} | |
| GET /Groups | |
| DELETE /Users/{id} | |
| USER | PUT /user-groups/{userGroupId} |
| POST /user-groups/{userGroupId}/members | |
| POST /user-groups | |
| GET /user-groups/{userGroupId}/members | |
| GET /user-groups | |
| GET /login-history | |
| GET /api/audit/v1/users/{userId}/activities | |
| DELETE /user-groups/{userGroupId}/members | |
| DELETE /user-group/{userGroupId} |
Privacy & Data Governance Cloud
Available Modules & Scopes
The following table details the scopes available within each module of the Privacy & Data Governance Cloud, along with the corresponding descriptions.
| Module | OAuth Scope | Description |
|---|---|---|
| Consent & Preference Management | CONSENT | Consent gives users access to read/write/delete operations inside the Consent & Preference Management module. |
| CONSENT_READ | Consent Read allows users to read operations inside the Consent & Preference Management module. | |
| Cookie Consent | COOKIE | Cookie Scope allows the user to read/write operations inside the Cookie Consent module. |
| COOKIE_READ | Cookie Read gives the user read-only access to the Cookie Consent module. | |
| Data Catalog | DATA_CATALOG_READ | Grants Read access to Data Catalog operations for external systems. |
| DATA_CATALOG_WRITE | Grants Write access to Data Catalog operations for external systems. | |
| Data Discovery | DATA_DISCOVERY | This scope can be used to access Data Discovery actions for external systems which operate using on-premises accounts. |
| Incident Management | INCIDENT | Incident scope gives the user access to view and manages the incident details. |
| INCIDENT_CREATE | Create scope gives the user access to create an incident. | |
| INCIDENT_READ | Read scope gives the user access to view an incident and its details. | |
| PIA & DPIA Automation | ASSESSMENT | Read, write and delete templates and assessments. |
| ASSESSMENT_READ | Read the template and assessment information. | |
| Policy & Notice Management | POLICY | Policy scope for external systems. |
| Privacy Rights Automation | DSAR_READ | Grants read-only access to the Data Subject Access Requests module. This scope is only necessary to provide access to see request details without granting access to edit the request or its child objects. |
| DSAR_WRITE | Grants object creation and edit access to the Data Subject Access Requests module. This scope is only necessary to provide access to create or edit a request or related child objects such as subtasks, results, resolution codes, and verification methods. |
Scope to API Assignments
The following table details the APIs an external system will access when the corresponding scope is defined for the respective client credential.
| OAuth Scope | API |
|---|---|
| ASSESSMENT | PUT /v2/assessments/{assessmentId}/soft-delete |
| POST /v3/assessments/{assessmentId}/approve | |
| POST /v2/assessments/bulk | |
| POST /v2/assessments/{assessmentId}/submit | |
| POST /v2/assessments/{assessmentId}/responses | |
| POST /v2/assessments | |
| ASSESSMENT_READ | GET /v2/assessments/activities/types/assessmentdelete |
| GET /v2/assessments/{assessmentId}/export | |
| GET /v2/assessments | |
| GET /published-template-metadata | |
| CONSENT | PUT /v2/linkedidentitygroups/{linkedIdentityGroupId} |
| PUT /v1/transactions/withdraw/fordatasubject | |
| PUT /v1/purposes/{purposeId}/publish | |
| PUT /v1/purposes/{purposeId} | |
| PUT /v1/preferencecenters/{prefcenterId}/datasubjects/preferences | |
| PUT /v1/custompreferences/{customPreferenceId} | |
| PUT /v1/collectionpoints/{collectionpointId} | |
| POST /v2/linkedidentitygroups | |
| POST /v2/collectionpoints/{collectionPointGuid}/version | |
| POST /v1/purposes/{purposeGuid} | |
| POST /v1/purposes | |
| POST /v1/datasubjects/dataelements | |
| POST /v1/custompreferences | |
| POST /v1/collectionpoints | |
| DELETE /v2/linkedidentitygroups/{linkedIdentityGroupId} | |
| DELETE /v1/preferencecenters/{prefcenterId}/datasubjects/preferences | |
| CONSENT_READ | POST /v2/datasubjects/search |
| GET /v2/purposes/{purposeId} | |
| GET /v2/purposes | |
| GET /v2/preferencecenters | |
| GET /v2/linkedidentitygroups/{linkedIdentityGroupId} | |
| GET /v2/linkedidentitygroups | |
| GET /v2/datasubjects | |
| GET /v1/transactions/withdraw/purpose/{purposeId} | |
| GET /v1/receipts/{id} | |
| GET /v1/receipts | |
| GET /v1/receipt-list | |
| GET /v1/purposes/{purposeId}/datasubjects | |
| GET /v1/preferencecenters/{prefcenterId}/preferences | |
| GET /v1/preferencecenters/{prefcenterId}/datasubjects/preferences | |
| GET /v1/linktokens | |
| GET /v1/datasubjects/profiles | |
| GET /v1/custompreferences/{custompreferenceId} | |
| GET /v1/custompreferences | |
| GET /v1/collectionpoints/{collectionpointId}/token | |
| GET /v1/collectionpoints/{collectionpointGuid}/token | |
| GET /v1/collectionpoints | |
| COOKIE | POST /v1/request |
| GET /v1/script-integration/{domainId}/downloadscriptv2 | |
| GET /v1/report/cookie | |
| COOKIE_READ | GET /v1/script-integration/{domainId}/downloadscriptv2 |
| GET /v1/report/cookie | |
| DATA_CATALOG_READ | GET /v1/terms/names |
| GET /v1/terms/name/{termName} | |
| GET /v1/terms/attribute-names | |
| GET /v1/terms/attribute-details/{name} | |
| GET /v1/tags/names | |
| GET /v1/tags/details/{name} | |
| GET /v1/metadata/attribute-names | |
| GET /v1/metadata/attribute-details/{name} | |
| GET /v1/glossaries/name/{glossaryName} | |
| GET /v1/glossaries/all/names | |
| DATA_CATALOG_WRITE | No API Assignments |
| DATA_DISCOVERY | PUT /v3/system |
| PUT /v2/scan-profiles | |
| POST /v2/scan-profiles | |
| POST /v2/scan-job | |
| GET /v3/system/{id} | |
| GET /v3/system | |
| GET /v3/docker-repository-tags | |
| GET /v2/scanners/{scannerId}/jobs/{jobId} | |
| GET /v2/scan-profiles/{scanProfileId} | |
| GET /v2/scan-profiles | |
| GET /v2/scan-job/datasource/{dataSourceId} | |
| DELETE /v3/system/{id} | |
| DELETE /v2/scan-profiles/{scanProfileId} | |
| DSAR_READ | POST /requestqueues/search/{language} |
| GET /requestqueues/status/{requestTraceId} | |
| GET /requestqueues/{requestQueueRefId}/language/{language} | |
| GET /requestqueues/{language} | |
| DSAR_WRITE | PUT /requestqueues/{requestQueueRefId}/movestages/{language} |
| PUT /requestqueues/{requestQueueRefId}/customfields/{language} | |
| PUT /requestqueues/{requestQueueRefId}/comments | |
| POST /requestqueues/search/{language} | |
| POST /requestqueues/{templateId} | |
| GET /requestqueues/status/{requestTraceId} | |
| GET /requestqueues/{requestQueueRefId}/language/{language} | |
| GET /requestqueues/{language} | |
| INCIDENT | PUT /incidents/{incidentId} |
| POST/assignments/entities/{entityId}/stage | |
| POST /incidents/search | |
| POST /incidents | |
| GET /incidents/{incidentId} | |
| INCIDENT_CREATE | POST /incidents |
| INCIDENT_READ | POST /incidents/search |
| GET /incidents/{incidentId} | |
| POLICY | GET /v2/privacynotices/{privacyNoticeId}/versions |
| GET /v2/privacynotices/{id} | |
| GET /v2/privacynotices |
GRC & Security Assurance Cloud
Available Modules & Scopes
The following table details the scopes available within each module of the GRC & Security Assurance Cloud, along with the corresponding descriptions.
| Module | OAuth Scope | Description |
|---|---|---|
| Audit Management | AUDIT_MANAGEMENT | Scope gives users access to READ, WRITE, and DELETE operations used for Audit Management. |
| IT & Security Risk Management | CONTROL | Access to Control Implementation operations for external systems. |
| RISK | Access to RISK operations for external systems. | |
| ITRM | Access to ITRM operations for external systems. | |
| Third-Party Risk Management | VRM | VRM scope for read/write operations on VRM components. |
| VRM_READ | VRM read scope to view details of VRM components. |
Scope to API Assignments
The following table details the APIs an external system will access when the corresponding scope is defined for the respective client credential.
| OAuth Scope | API |
|---|---|
| AUDIT_MANAGEMENT | PUT /v1/audits/{auditId}/reassign-scopes |
| PUT /v1/audits/{auditId} | |
| PUT /v1/audit-workpapers/{workpaperId} | |
| POST /v1/audits/pages | |
| POST /v1/audits | |
| POST /v1/audit-workpapers/pages | |
| GET /v1/audits/{auditId} | |
| GET /v1/audit-workpapers/{workpaperId}/control-details | |
| GET /v1/audit-workpapers/{workpaperId}/attribute-details | |
| DELETE /v1/audits/{auditId} | |
| DELETE /v1/audit-scopes/{scopeId} | |
| CONTROL | PUT /controls/{controlId} |
| POST /vulnerabilities/pages | |
| POST /vulnerabilities | |
| POST /threats/pages | |
| POST /threats | |
| POST /links/bulk | |
| POST /entities/{entityId}/control-implementations/pages | |
| POST /controls/pages | |
| POST /controls | |
| POST /control-implementations/pages | |
| GET /control-implementations/{guid} | |
| DELETE /controls/{controlId} | |
| RISK | PUT /risks/{riskId}/submit |
| PUT /risks/{riskId}/send-back | |
| PUT /risks/{riskId}/request-exception | |
| PUT /risks/{riskId}/reopen | |
| PUT /risks/{riskId}/grant-exception | |
| PUT /risks/{riskId}/approve | |
| POST /risks | |
| GET /risk-settings/standard | |
| GET /risk-settings/matrix | |
| GET /risk-categories | |
| DELETE /risks/{riskId} | |
| VRM | PUT /api/vendor/v1/contracts/{contractId}/vendors/{vendorId}/contracts |
| POST /api/vendor/v1/contracts/vendors/{vendorId}/contracts | |
| POST /api/vendor/v1/contracts/add | |
| GET /api/vendor/v1/contracts/types | |
| GET /api/vendor/v1/contracts/schemas | |
| GET /api/vendor/v1/contracts/{contractId}/contracts | |
| VRM_READ | POST /api/vendor/v1/contracts/vendors/{vendorId}/contracts |
| GET /api/vendor/v1/contracts/types | |
| GET /api/vendor/v1/contracts/schemas | |
| GET /api/vendor/v1/contracts/{contractId}/contracts | |
| INTEGRATION_JWKS | POST /integrationmanager/api/v1/credentials/key/{credentialId} |
| INTEGRATIONS | PUT /credentials/{type} |
| POST /workflows/import | |
| POST /integrationmanager/api/v1/webhook/{webhookId} | |
| POST /credentials/{type} | |
| GET /workflows/export | |
| INVENTORY | PUT /inventories/{type}/{id} |
| POST /inventories/{type} | |
| GET/inventories/{type}/{id} | |
| DELETE /inventories/{type}/{id} | |
| INVENTORY_READ | GET /inventories/{type}/{id} |
| INVENTORY_WRITE | PUT /inventories/{type}/{id} |
| ITRM | POST /vulnerabilities |
| POST /threats |
OAuth Errors
OAuth scopes control the level of access an external system is granted when accessing information tied to the OneTrust platform. If you receive a 403 Forbidden response like the one below, then verify that you have requested the correct scope that maps to the requested API endpoint. The least privileged permissions that we recommend are provided above in the Scope to API Assignments sections.
{
"errors": [
{
"title": "You are not authorized to access this resource.",
"detail": "You are not authorized to access this resource.",
"code": "ERROR_ACCESS-MANAGEMENT-ASSERTIONS_ACCESS_VIOLATION"
}
],
"traceId": "cbb08e92-b95d-4d99-a46d-1ce4bf26e4ab"
}