We do not see the granular scopes expected within the developer console.
In particular, we’re looking to enable the following: recording:read:admin,recording:read user:read:list_recordings,user:read:list_recordings:admin,user:read:list_recordings:master
What setting on the Admin side needs to be enabled for this to appear on the developer console side? (I’ve found other posts about this in the forum, but none that show the solution, thanks.)
FWIW, enabling the scopes that seem correct (cloud_recording:read:list_recording_files:admin, cloud_recording:read:list_account_recordings:admin, cloud_recording:read:recording:admin, cloud_recording:read:list_user_recordings:admin) is sufficient for listing and retrieving recordings for some user accounts but leads to 4711 errors when attempting to access other user accounts (Invalid access token, does not contain scopes:[ cloud_recording:read:list_user_recordings, cloud_recording:read:list_user_recordings:admin ]). This seems like a bug?
Hi @gianni.zoom I see that you responded to a couple of other posts regarding granular scope and I am hoping that you could take a look at our issue as well!
As I am myself struggling with recording deletion issues in a production setup, and have the scopes you mention in our configs, I dug a little, and here’s my understanding of the situation.
The recording:read:admin and the like are part of the Classic/old scopes, and aren’t available anymore if you recently (i.e. past March 2024) created an app in the Marketplace/Dev console. I checked and tested in our account:
App configs that pre-date the Granular scopes only list the Classic ones
New apps only offer the Granular scopes
But it would appear that Zoom has not updated its API documentation to those new Granular scopes. So we’re stuck with doc that only mentions “Classic” scopes, and an app config that only shows “Granular” ones. As your post shows, that certainly isn’t helping.
Edit: Actually, some endpoints mention scope+granular, and others only have the (old) scopes… On top of that, the “Granular scopes” doc only gives a partial list of available new scopes.
As @ch-a3n points out, you may want to try, browse and select scopes based on what you’re looking to achieve, as the ones I’ve looked at seem rather self-explanatory.
Hi @ch-a3n, are those users external to your account?
What app-type are you using and when was it created?
Is it an internal app (server-to-server), unlisted (approved for access to external accounts but not on the marketplace), or published app (approved for access to external accounts and on the marketplace)?
This is an internal server-to-server OAuth account, and the users we receive permission errors for are internal users. They are not in a different subaccount either.
To your response on @rita.curti’s question, the scopes she listed are the scopes supplied by the API documentation: /docs/api/rest/reference/zoom-api/methods/#operation/recordingsList
We are using a newer application that requires the granular scopes, but we are unable to find the appropriate scopes in the admin panel.
To sum up:
We receive a permission error when attempting to read recordings from some users in our account. This permission error occurs when I supply a token with the scopes: cloud_recording:read:list_recording_files:admin, cloud_recording:read:list_account_recordings:admin, cloud_recording:read:recording:admin, cloud_recording:read:list_user_recordings:admin
In our attempt to fix errors, we attempted to enable the scopes listed in the error message (Invalid access token, does not contain scopes:[ cloud_recording:read:list_user_recordings, cloud_recording:read:list_user_recordings:admin ]) AND the scopes listed in the API documentation. cloud_recording:read:list_user_recordings:admin was already enabled, and we could not find cloud_recording:read:list_user_recordings, presumably because this is an account-scoped app vs. a user-scoped app. We also could not find any of the scopes listed in the API documentation.
This leads me to two conclusions:
The API documentation is outdated
There is likely a bug that is blocking us from accessing specific users’ recordings
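The comparison described in the post above, as an added example that is not part of the original thread and is not Zoom's code: it parses the scope list out of the quoted 4711 error text and checks it against the scopes the poster had enabled. The function names are hypothetical, and treating the scopes named in the error as alternatives (user-level or admin-level) is an assumption.

```python
import re

# Constructed sample: the error text quoted in the thread, and the granular
# scopes the poster reports as enabled on the Server-to-Server OAuth app.
ERROR_MESSAGE = ("Invalid access token, does not contain scopes:"
                 "[ cloud_recording:read:list_user_recordings, "
                 "cloud_recording:read:list_user_recordings:admin ]")
GRANTED = ("cloud_recording:read:list_recording_files:admin ,"
           "cloud_recording:read:list_account_recordings:admin ,"
           "cloud_recording:read:recording:admin , "
           "cloud_recording:read:list_user_recordings:admin")


def split_scopes(raw):
    """Split a comma- or space-separated scope string into a clean set."""
    return {s for s in re.split(r"[,\s]+", raw.strip()) if s}


def scopes_named_in_error(message):
    """Return the scopes listed inside 'does not contain scopes:[ ... ]'."""
    match = re.search(r"does not contain scopes:\s*\[([^\]]*)\]", message)
    return split_scopes(match.group(1)) if match else set()


def diagnose(message, granted_raw):
    """Compare the scopes an error names with the scopes actually granted."""
    named = scopes_named_in_error(message)
    granted = split_scopes(granted_raw)
    present = sorted(named & granted)
    absent = sorted(named - granted)
    if not named:
        verdict = "no scope list in error"
    elif present:
        # Assumption: the named scopes are alternatives, so one match should
        # be enough and enabling more scopes will not change the outcome.
        verdict = "named scope already granted; escalate instead of adding scopes"
    else:
        verdict = "grant one of the named scopes"
    return {"present": present, "absent": absent, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(ERROR_MESSAGE, GRANTED))
```

Running it on the thread's values shows the admin-level scope named in the error is already in the granted set, which is the evidence the poster uses to call this a bug instead of a configuration gap.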
@ch-a3n can you let me know when the app was created? Was it created after March 30th? Also, your server to server OAuth app will show you admin scopes since it's an admin level app. But I agree with you that we need to fix this in our documentation and we will work with the correct team.
Hey @ch-a3n @it_epsn @rita.curti @kara.enomoto, I created a new S2S OAuth app with master sub account structure and all permissions enabled and was able to reproduce what you’re describing. I opened a ticket (ZSEE-131411) for this fix.
Apparently our documentation for the error was incorrect and the missing granular scope is cloud_recording:read:list_user_recordings: admin. I’m waiting to hear clarification on if the error code will also be updated for the endpoint to confirm if it is working for you now.
Hi @Manuel2, can you please clarify if you added cloud_recording:read:list_user_recordings: admin with correct user permissions/role enabled? Asking for clarity since you were not a part of the original correspondence.