User based authentication system

Occasional Contributor

I can see that only the super admin is able to authorize an OAuth app, and hence an access token is generated. After successfully generating the token, the app can be seen in the Connected Apps section.

After that, if I create any new user, I can see that the OAuth app is already present in the Connected Apps section for that user. This signifies that the token is valid at an account level.

Since different users can have different permission sets associated with them, I would like to know: if a particular user would like to access a functionality of the HubSpot CRM via an external app integrated within HubSpot, how can we prevent that user from accessing CRM functionalities (say, contact record update) which are not allowed for him, using an API?

Since we have an access token for the Super Admin user (full permissions) only, we don't have any option other than to provide the same token in the API request, and that would be incorrect.

Please explain.


Accepted Solutions
HubSpot Moderator

Hi @somdutt

Unfortunately not, our 2 methods of authentication do not go as far as user-level permissions.

Requests are made by either using an API Key which is specific to a Portal or via an Access Token generated as part of an OAuth handshake for an integrating app.

My colleague, Derek, touches on this point in another thread which can be seen here: https://community.hubspot.com/t5/APIs-Integrations/User-Permissions-API/td-p/226670

TL;DR is that we do not provide any means of refining API access via user-level permissions as there is no way to more granularly define 'user-level' scopes (i.e. User A can edit all contacts, but User B can only edit contacts they own).

I hope this helps!

Matthew Willson

HubSpot Developer Support
3 Replies
HubSpot Moderator

Hi @somdutt

The process of authenticating Apps to your HubSpot Portal via OAuth, as you stated, generates an Access and Refresh Token that grants the App access to your HubSpot content, specifically the content defined by the access scopes for the App itself.

As these tokens are granting access to a portal, they do not drill down as far as user-level permissions, and so this is something that cannot be controlled or restricted by the App if the user is attempting to access HubSpot data externally.

This level of permission management would need to be handled outside of HubSpot, within the integrating app itself.

I hope this helps!

Matthew Willson

HubSpot Developer Support
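The reply above says the integrating app has to enforce per-user permissions itself, because the OAuth token is portal-wide. The Python below is an added example of what that looks like in practice; it is not HubSpot's code and not the original poster's. It assumes the app keeps its own table of which app user may do what (a "grant" model with an owned-only flag), an app-side mapping from each app user to a HubSpot owner ID, the CRM v3 contact endpoint paths and the hubspot_owner_id property (stated here as assumptions about the API), and an injected transport so the portal token is confined to one object. The contact records and token are constructed sample data, and the transport is an in-memory stand-in so the example runs offline.

```python
"""Per-user authorization inside the integrating app, in front of a
portal-wide HubSpot OAuth token. Added example, not HubSpot's own code."""
import copy
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Dict, FrozenSet, Optional


class Action(Enum):
    READ = "read"
    UPDATE = "update"


@dataclass(frozen=True)
class Grant:
    """A permission the integrating app assigned to one of *its* users."""
    object_type: str          # e.g. "contacts"
    action: Action
    owned_only: bool = False  # True: only records this user owns in HubSpot


@dataclass(frozen=True)
class AppUser:
    user_id: str
    hubspot_owner_id: str     # assumed app-side mapping to a HubSpot owner id
    grants: FrozenSet[Grant]


class Forbidden(Exception):
    pass


# transport(method, path, headers, body) -> response dict. Injected so the
# example runs offline; in production this would be an HTTPS client.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]],
                     Dict[str, Any]]


class HubSpotGateway:
    """The only component that holds the portal token; every CRM call goes
    through here and is checked against the calling app user first."""

    def __init__(self, portal_token: str, transport: Transport) -> None:
        self._token = portal_token
        self._transport = transport

    def _call(self, method: str, path: str, body=None) -> Dict[str, Any]:
        headers = {"Authorization": f"Bearer {self._token}"}
        return self._transport(method, path, headers, body)

    def _authorize(self, user: AppUser, object_type: str, action: Action,
                   record_id: str) -> bool:
        """Default deny. Returns True when the matching grant is owned-only."""
        grants = [g for g in user.grants
                  if g.object_type == object_type and g.action == action]
        if not grants:
            raise Forbidden(f"{user.user_id} may not {action.value} {object_type}")
        if all(g.owned_only for g in grants):
            # Ownership is read from HubSpot's record, never from client input.
            record = self._call("GET", f"/crm/v3/objects/{object_type}/{record_id}"
                                       "?properties=hubspot_owner_id")
            owner = record.get("properties", {}).get("hubspot_owner_id")
            if owner != user.hubspot_owner_id:
                raise Forbidden(f"{user.user_id} does not own {object_type}/{record_id}")
            return True
        return False

    def update_contact(self, user: AppUser, contact_id: str,
                       properties: Dict[str, str]) -> Dict[str, Any]:
        owned_only = self._authorize(user, "contacts", Action.UPDATE, contact_id)
        if owned_only and "hubspot_owner_id" in properties:
            # An owner-scoped user must not reassign ownership to escape the scope.
            raise Forbidden(f"{user.user_id} may not reassign ownership")
        return self._call("PATCH", f"/crm/v3/objects/contacts/{contact_id}",
                          {"properties": properties})


# Constructed sample data standing in for the CRM behind the portal token.
SAMPLE_CONTACTS = {
    "101": {"id": "101", "properties": {"firstname": "Ada", "hubspot_owner_id": "owner-a"}},
    "202": {"id": "202", "properties": {"firstname": "Bob", "hubspot_owner_id": "owner-b"}},
}


def make_fake_transport(store: Dict[str, Dict[str, Any]]) -> Transport:
    def transport(method, path, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise RuntimeError("portal token missing")  # HubSpot would answer 401
        contact_id = path.split("?", 1)[0].rsplit("/", 1)[1]
        record = store[contact_id]
        if method == "PATCH":
            record["properties"].update(body["properties"])
        return record
    return transport


ADMIN = AppUser("alice", "owner-a", frozenset({Grant("contacts", Action.UPDATE)}))
OWNER_ONLY = AppUser("bob", "owner-b",
                     frozenset({Grant("contacts", Action.UPDATE, owned_only=True)}))
READ_ONLY = AppUser("carol", "owner-c", frozenset({Grant("contacts", Action.READ)}))


def demo() -> Dict[str, str]:
    gw = HubSpotGateway("constructed-portal-token",
                        make_fake_transport(copy.deepcopy(SAMPLE_CONTACTS)))
    out: Dict[str, str] = {}

    def attempt(key, user, cid, props):
        try:
            out[key] = gw.update_contact(user, cid, props)["properties"]["firstname"]
        except Forbidden:
            out[key] = "forbidden"

    attempt("admin_any", ADMIN, "202", {"firstname": "Robert"})      # full grant
    attempt("bob_own", OWNER_ONLY, "202", {"firstname": "Bobby"})      # own record
    attempt("bob_other", OWNER_ONLY, "101", {"firstname": "Adele"})    # someone else's
    attempt("bob_reassign", OWNER_ONLY, "202",
            {"hubspot_owner_id": "owner-b", "firstname": "x"})         # ownership change
    attempt("carol_update", READ_ONLY, "101", {"firstname": "Adele"})  # read-only user
    return out


if __name__ == "__main__":
    print(demo())
```

The properties that matter for security here: the portal token lives only in the gateway and is never handed to a browser or client; the check runs server-side and is default-deny, so a user with no matching grant is refused before any HubSpot call; ownership is decided from the record fetched with the token rather than from anything the client sends; and an owner-scoped user cannot widen their own scope by rewriting hubspot_owner_id. Since, per the replies in this thread, there is no HubSpot API that returns a user's permissions, the app's own grant store has to be the source of truth.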
Occasional Contributor

@Willson: Thanks for your reply. Is there any other mechanism by which I can restrict a CRM user from performing an API action for which he is not allowed?

And if it has to be handled by the integrating app only, is there any API using which we can retrieve a CRM user's permissions, using some parameter (say, the CRM user ID, considering it to be unique)?
