Security updates for entitlements

Learn about new changes to entitlements.

Changes to the existing read OIDC client configuration entitlements

Users who have the read OIDC client configuration entitlements are not able to view the client secret for the corresponding OIDC client.

The following list explains the entitlements that are changed.

  • readAppConfig cannot view the client secret for Applications and the Application API Access Client.
  • readSTSClients cannot view the client secret for the STS client.
  • readAPIClients cannot view the client secret for the API client.
  • readExternalAgents cannot view the client secret for the Identity agent.

New read OIDC client configuration and client secret entitlements

Users who have the read OIDC client configuration and client secret entitlement can view the client secret for the corresponding OIDC client.

The following list explains the entitlement changes.

  • readAppConfigAndClientSecret can view the client secret for Applications and the Application API Access Client.
  • readSTSClientsAndClientSecret can view the client secret for the STS client.
  • readAPIClientsAndClientSecret can view the client secret for the API client.
  • readExternalAgentsAndClientSecret can view the client secret for the Identity agent.

There is no change to the existing manage OIDC entitlements

Users who have the manage OIDC client configuration entitlement can manage the corresponding OIDC client and view the client secret.

The following list explains these entitlements.

  • manageAppAccessAdmin can manage Application and view the client secret for Applications and the Application API Access Client.
  • manageSTSClients can manage the STS client and view the client secret for the STS client.
  • manageAPIClients can manage the API client and view the client secret for the API client.
  • manageExternalAgents can manage the Identity agent and view the client secret for the Identity agent.

Updates to ready-to-use roles

Tenant Administrator
The new entitlements that are added to this role are readAppConfigAndClientSecret, readSTSClientsAndClientSecret, readAPIClientsAndClientSecret, and readExternalAgentsAndClientSecret.
Helpdesk
The new entitlements that are added to this role are readAppConfigAndClientSecret and readExternalAgentsAndClientSecret. This role can continue to view the client secrets for Applications, the Application API Access Clients, and Identity Agents.
Readonly
The new entitlements that are added to this role are readAppConfigAndClientSecret, readSTSClientsAndClientSecret, readAPIClientsAndClientSecret, and readExternalAgentsAndClientSecret. This role can continue to view the client secrets for Applications, Application API Access Clients, STS Clients, API Clients, and the Identity Agents.
PrivacyOfficer
The new entitlement added to this role is readAppConfigAndClientSecret so that it can continue to view the client secrets for Applications and the Application API Access Clients.

Notice for customers who are using custom administrator roles

Table 1. Entitlements to add to the custom administrator roles

Entitlement                         Description
readAppConfigAndClientSecret        Add so the administrator can view the client secret for Applications and the Application API Access Client.
readSTSClientsAndClientSecret       Add so the administrator can view the client secret for the STS client.
readAPIClientsAndClientSecret       Add so the administrator can view the client secret for the API client.
readExternalAgentsAndClientSecret   Add so the administrator can view the client secret for the Identity agent.
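The following script is an added example, not part of the product or its documentation, that audits a custom administrator role against the split between read, read-and-client-secret, and manage entitlements described above. The entitlement names are the ones in this notice; the role definitions and the `needs_secret` list are constructed placeholders that you would replace with your own role's entitlements and the client types for which that role genuinely needs the secret.

```python
"""Audit a custom administrator role against the read / read+secret / manage
OIDC client entitlement split described in this notice.

Added example; not product code. Entitlement names are from the notice; the
sample role and its stated needs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Per OIDC client type: (read-only entitlement, read + client secret
# entitlement, manage entitlement). Manage entitlements also view the secret.
CLIENT_TYPES = {
    "Applications": ("readAppConfig", "readAppConfigAndClientSecret", "manageAppAccessAdmin"),
    "STS client": ("readSTSClients", "readSTSClientsAndClientSecret", "manageSTSClients"),
    "API client": ("readAPIClients", "readAPIClientsAndClientSecret", "manageAPIClients"),
    "Identity agent": ("readExternalAgents", "readExternalAgentsAndClientSecret", "manageExternalAgents"),
}


@dataclass(frozen=True)
class Finding:
    client_type: str
    can_view_secret: bool
    action: str                 # "ok", "add", "remove", "manage-implies-secret"
    entitlement: Optional[str]  # entitlement to add/remove, or the manage one


def audit_role(entitlements: Iterable[str], needs_secret: Iterable[str]) -> List[Finding]:
    """Compare what the role can see against what it needs to see.

    - needs the secret but cannot view it  -> add the *AndClientSecret entitlement
      (least privilege: read + secret rather than manage)
    - holds *AndClientSecret without needing it -> remove it, keep plain read
    - holds a manage entitlement without needing the secret -> flag, because
      manage cannot be kept without secret visibility
    """
    held = set(entitlements)
    needed = set(needs_secret)
    findings = []
    for client_type, (read, read_secret, manage) in CLIENT_TYPES.items():
        can_view = manage in held or read_secret in held
        wants = client_type in needed
        if wants and not can_view:
            findings.append(Finding(client_type, False, "add", read_secret))
        elif not wants and read_secret in held and manage not in held:
            findings.append(Finding(client_type, True, "remove", read_secret))
        elif not wants and manage in held:
            findings.append(Finding(client_type, True, "manage-implies-secret", manage))
        else:
            findings.append(Finding(client_type, can_view, "ok", None))
    return findings


def actions(findings: List[Finding]) -> dict:
    """Summarise findings as {client type: action}."""
    return {f.client_type: f.action for f in findings}


if __name__ == "__main__":
    # Constructed custom role: reads apps and STS clients, already holds the
    # API client secret entitlement, and fully manages Identity agents.
    custom_role = ["readAppConfig", "readSTSClients",
                   "readAPIClientsAndClientSecret", "manageExternalAgents"]
    # Constructed requirement: this role only needs STS client secrets.
    for f in audit_role(custom_role, needs_secret=["STS client"]):
        print(f"{f.client_type:15} view_secret={f.can_view_secret!s:5} {f.action} {f.entitlement or ''}")
```

Run it once before the update is rolled out and once after: a role that lands in the `add` bucket is the one whose administrators will lose client-secret visibility unless the listed entitlement is added.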

API Changes

Table 2. API changes by entitlement

Application
  1. GET https://{tenanturl}/v1.0/applications/{applicationId}

    If you call this API with the readAppConfig entitlement, the response does not contain the clientSecret field.

    • This adds security to allow reading the application configuration without seeing the clientSecret.
    • The customers currently using this API with only the readAppConfig entitlement cannot see the clientSecret.
    • If a clientSecret is required, use the manageAppAccessAdmin or readAppConfigAndClientSecret entitlement to call this API.

    If you call this API with the manageAppAccessAdmin or readAppConfigAndClientSecret entitlement, the response contains the clientSecret.

STS Client
  1. GET https://{tenanturl}/oidc-mgmt/v1.0/sts/oauth/clients. If you call this API the response does not contain the clientSecret field.
    • This adds security to prevent displaying the STS clients' secrets in an API call.
    • The customers that use this API cannot see the clientSecret.
    • If the clientSecret is required, call the GET https://{tenanturl}/oidc-mgmt/v1.0/sts/oauth/clients/{clientId} API with the manageSTSClients or readSTSClientsAndClientSecret entitlement to get the client secret for a specific STS client.
  2. GET https://{tenanturl}/oidc-mgmt/v1.0/sts/oauth/clients/{clientId}.

    If you call this API with the readSTSClients entitlement, the response does not contain the clientSecret field.

    • This adds security for reading the STS client configuration without revealing the clientSecret.
    • The customers that use this API with only the readSTSClients entitlement cannot see the clientSecret.
    • If the clientSecret is required, use the manageSTSClients or the readSTSClientsAndClientSecret entitlement to call this API.

    If you call this API with the manageSTSClients or readSTSClientsAndClientSecret entitlement, the response contains the clientSecret.

API Client
  1. GET https://{tenanturl}/v1.0/apiclients

    If you call this API, the response does not contain the clientSecret field.

    • This adds security to avoid displaying the API clients' client secret in an API call.
    • The customers that use this API cannot see the clientSecret.
    • If the clientSecret is required, call the GET https://{tenanturl}/v1.0/apiclients/{clientId} API with the manageAPIClients or readAPIClientsAndClientSecret entitlement to get the client secret for a specific API client.
  2. GET https://{tenanturl}/v1.0/apiclients/{clientId}

    If you call this API with the readAPIClients entitlement, the response does not contain the clientSecret field.

    • This adds security for reading the API client configuration without revealing the clientSecret.
    • The customers that use this API with only the readAPIClients entitlement cannot see the clientSecret.
    • If the clientSecret is required, use the manageAPIClients or the readAPIClientsAndClientSecret entitlement to call this API.

    If you call this API with the manageAPIClients or the readAPIClientsAndClientSecret entitlement, the response contains the clientSecret.

  3. GET https://{tenanturl}/v1.0/apiclients/{clientId}/credentials

    The readAPIClients entitlement cannot call this API.

    • This adds security for reading the API client configuration without revealing the clientSecret.
    • The customers that use this API with only the readAPIClients entitlement cannot see the clientSecret.
    • If the clientSecret is required, use the manageAPIClients or the readAPIClientsAndClientSecret entitlement to call this API.

    The manageAPIClients or the readAPIClientsAndClientSecret entitlements are required to call this API.

Identity Agents
  1. GET https://{tenanturl}/config/v1.0/onpremagents/{id}/apicreds

    The readExternalAgents entitlement cannot call this API.

    • This adds security for the read Identity Agent client configurations without revealing the clientSecret.
    • The customers that use this API with the readExternalAgents entitlement cannot see the clientSecret.
    • If the clientSecret is required, use the manageExternalAgents or readExternalAgentsAndClientSecret entitlement to call this API.

    The manageExternalAgents or readExternalAgentsAndClientSecret entitlement is required to call this API.
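To confirm the behaviour described in the API changes above for a given token, the following added example (not product code) calls each listed endpoint and reports whether the body still contains a clientSecret field or whether the call is refused. The endpoint paths are the ones in this notice; the tenant URL `https://tenant.example`, the token, the resource ids and the offline responses in `READ_ONLY_FAKE` are constructed placeholders that stand in for a real tenant, so the script runs without network access and can be pointed at a tenant by passing the default `http_get` fetch.

```python
"""Report which endpoints from this notice expose clientSecret for a token.

Added example; not product code. Endpoint paths are from the notice. The
tenant URL, token, ids and the offline fake responses are constructed.
"""
import json
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit

# Endpoints listed in the notice and the path parameters they need.
ENDPOINTS = [
    ("Application", "/v1.0/applications/{applicationId}"),
    ("STS client list", "/oidc-mgmt/v1.0/sts/oauth/clients"),
    ("STS client", "/oidc-mgmt/v1.0/sts/oauth/clients/{clientId}"),
    ("API client list", "/v1.0/apiclients"),
    ("API client", "/v1.0/apiclients/{clientId}"),
    ("API client credentials", "/v1.0/apiclients/{clientId}/credentials"),
    ("Identity agent credentials", "/config/v1.0/onpremagents/{id}/apicreds"),
]


def http_get(url, token):
    """Live fetch: returns (HTTP status, parsed JSON body or None on error)."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return err.code, None


def contains_key(obj, key="clientSecret"):
    """Recursively look for `key`; list endpoints nest clients inside arrays."""
    if isinstance(obj, dict):
        return key in obj or any(contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_key(v, key) for v in obj)
    return False


def audit(tenant_url, token, ids, fetch=http_get):
    """Call every endpoint once and record status plus secret exposure."""
    report = {}
    for name, path in ENDPOINTS:
        status, body = fetch(tenant_url + path.format(**ids), token)
        report[name] = {
            "status": status,
            "exposes_secret": status == 200 and contains_key(body),
        }
    return report


def exposed(report):
    """Names of endpoints whose body carried a clientSecret."""
    return sorted(n for n, r in report.items() if r["exposes_secret"])


# Constructed offline responses for a token whose role holds only the plain
# read entitlements (readAppConfig, readSTSClients, readAPIClients,
# readExternalAgents) after this update: no secrets, credential APIs refused.
READ_ONLY_FAKE = {
    "/v1.0/applications/app-1": (200, {"id": "app-1", "name": "Payroll", "clientId": "abc"}),
    "/oidc-mgmt/v1.0/sts/oauth/clients": (200, [{"clientId": "client-1"}, {"clientId": "client-2"}]),
    "/oidc-mgmt/v1.0/sts/oauth/clients/client-1": (200, {"clientId": "client-1", "name": "sts"}),
    "/v1.0/apiclients": (200, {"apiClients": [{"clientId": "client-1"}]}),
    "/v1.0/apiclients/client-1": (200, {"clientId": "client-1", "clientName": "reporting"}),
    "/v1.0/apiclients/client-1/credentials": (403, None),
    "/config/v1.0/onpremagents/agent-1/apicreds": (403, None),
}


def fake_fetch(url, token):
    """Offline stand-in for http_get, keyed by URL path."""
    return READ_ONLY_FAKE[urlsplit(url).path]


if __name__ == "__main__":
    ids = {"applicationId": "app-1", "clientId": "client-1", "id": "agent-1"}
    report = audit("https://tenant.example", "placeholder-token", ids, fetch=fake_fetch)
    for name, r in report.items():
        print(f"{name:28} HTTP {r['status']}  secret exposed: {r['exposes_secret']}")
    print("endpoints exposing a secret:", exposed(report) or "none")
```

Running it with a token minted for a read-only role should list no exposing endpoints and HTTP 403 for the two credential APIs; running it with a token for a role that holds a manage or *AndClientSecret entitlement is the positive control that shows the secret is returned where the notice says it is.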