What's a permissions for Cloudflare API token to get zero trust user list?

katopz · June 11, 2023, 6:52am

Refer to dashboard https://one.dash.cloudflare.com/XXX/team/users.
Call to https://dash.cloudflare.com/api/v4/accounts/XXX/access/users?per_page=50&page=1&offset=0
So I assume API is https://developers.cloudflare.com/api/operations/zero-trust-users-get-users
So I try set All accounts - Zero Trust:Read

But it’s not working so I try use Read all resources to see if it’s working.
And it work (with all permissions checked) so I uncheck one by one to see which one make it work.(pretty nightmare)

Finally I found that only one Account.Access: Audit Logs is need to make it work. (what?)
So here am I scratching my head and asking what going on here and is this expected?

TLDR;

I need Account.Access: Audit Logs token in Authorization: Bearer XXX to get user list and didn’t seem obvious to me (both permission name and how to figure this out).
Is that’s another easy way to determine which permission I need for each API?

I’ve some more API to call and the first one hit me really hard. Maybe someone can can explain me why.

Thanks

francois.lamboley · July 21, 2023, 3:56pm

Wow thank God someone actually went to the trouble. It was the same for me. Could not get the list of users w/o the Account.Access: Audit Logs scope…
I used the endpoint https://api.cloudflare.com/client/v4/accounts/:id/access/users