OAuth 2.0-Based Permissions for the Cloud Administration APIs
The Cloud Access Service (CAS) APIs now support OAuth 2.0, providing secure, token-based access to the Cloud Administration and Authentication APIs. OAuth 2.0 is an authorization framework that enables third-party applications to securely obtain limited access to services. OAuth helps protect these APIs, with each one requiring specific permissions for access. For information about OAuth clients and how to add an API client for Cloud Administration and Authentication APIs, see Manage OAuth API Clients.
Note: Your license may limit which permissions you can access. All ID Plus licenses include access to the APIs and permissions listed under the "Audit" group. To access the full set of permissions, you need to have the "Allow Admin API Key" license and any required add-ons, such as RSA Risk AI. For more information, please contact RSA Customer Support.
The following tables outline the OAuth2-based RSA API permissions for the Cloud Administration and Authentication APIs, respectively.
Cloud Administration API Permissions
| Group | API Name | Permission | Permission Description |
|---|---|---|---|
| Agent | MFA Agent Lookup REST API | rsa.agent.read | Retrieve Agent details |
| | | rsa.agent.cert | Agent Certificate Provisioning |
| Audit | Cloud Administration Event Log API | rsa.audit.admin | Retrieve admin event logs from the Cloud Access Service (CAS) (audit microservice) |
| | Cloud Administration Retrieve Authentication Audit Logs API | rsa.audit.user | Retrieve RSA authentication audit logs |
| | Cloud Administration User Event Log API | rsa.audit.user | Retrieve RSA authentication audit and user event logs |
| Authenticator | Cloud Administration Delete User Device API | rsa.authenticator.mobile.delete | Delete a device for individual users |
| | Cloud Administration Authenticator Details API Version 1 | rsa.authenticator.mobile.read | Retrieve device details for individual users |
| | Cloud Administration Authenticator Details API Version 2 | rsa.authenticator.mobile.read | Retrieve RSA user event logs |
| | Cloud Administration Retrieve Device Registration Code API | rsa.authenticator.mobile.manage | Generate a code for users to register their iOS, Android, and Windows devices |
| | Cloud Administration Delete User Device API | rsa.authenticator.device.delete | Delete devices for individual users |
| | Cloud Administration Enable Emergency Tokencode API Version 1 | rsa.authenticator.emergency.manage | Enable/disable Emergency Token code for a user |
| | Cloud Administration Disable Emergency Tokencode API | rsa.authenticator.emergency.manage | Enable/disable Emergency Token code for a user |
| | Cloud Administration FIDO Authenticator API | rsa.authenticator.fido.read | Retrieve FIDO authenticator(s) assigned to a user |
| | | rsa.authenticator.fido.delete | Delete FIDO authenticator assigned to a user |
| | Cloud Administration Enable FIDO Authenticator API | rsa.authenticator.fido.manage | Update, enroll, enable, and disable FIDO authenticators |
| | Cloud Administration Disable FIDO Authenticator API | rsa.authenticator.fido.manage | Update, enroll, enable, and disable FIDO authenticators |
| | Cloud Administration Retrieve Hardware Token Details API | rsa.authenticator.sidtoken.read | Retrieve a hardware token's details |
| | Cloud Administration Assign Hardware Token API | rsa.authenticator.sidtoken.manage | Update, enable, disable, assign, unassign, and clear pin for a hardware token |
| | Cloud Administration Unassign Hardware Token API | rsa.authenticator.sidtoken.manage | Update, enable, disable, assign, unassign, and clear pin for a hardware token |
| | Cloud Administration Enable Hardware Token API | rsa.authenticator.sidtoken.manage | Update, enable, disable, assign, unassign, and clear pin for a hardware token |
| | Cloud Administration Disable Hardware Token API | rsa.authenticator.sidtoken.manage | Update, enable, disable, assign, unassign, and clear pin for a hardware token |
| | Cloud Administration Delete Hardware Token API | rsa.authenticator.sidtoken.delete | Delete a hardware token from CAS |
| | Cloud Administration Clear PIN for Hardware Token API | rsa.authenticator.sidtoken.manage | Update, enable, disable, assign, unassign, and clear pin for a hardware token |
| | Cloud Administration Update Hardware Token Name API | rsa.authenticator.sidtoken.manage | Update, enable, disable, assign, unassign, and clear pin for a hardware token |
| | Cloud Administration Enable SecurID DS100 OTP Credential API | rsa.authenticator.ds100.manage | Enable, disable, and clear pin for a SecurID DS100 OTP |
| | Cloud Administration Disable SecurID DS100 OTP Credential API | rsa.authenticator.ds100.manage | Enable, disable, and clear pin for a SecurID DS100 OTP |
| | Cloud Administration Delete SecurID DS100 OTP Credential API | rsa.authenticator.ds100.delete | Delete user's SecurID DS100 OTP credential |
| | Cloud Administration Clear PIN RSA DS100 OTP Credential API | rsa.authenticator.ds100.manage | Enable, disable, and clear pin for an RSA DS100 OTP |
| | Cloud Administration Retrieve RSA DS100 OTP Credential API | rsa.authenticator.ds100.read | Retrieve user's RSA DS100 OTP credential |
| Local Group | Cloud Administration Local Groups Public API | rsa.group.manage | Local group management actions (create, update, delete) |
| | Managing Local Group Users with the Cloud Administration Local Groups Public API | rsa.group.read | Retrieve local group(s) details |
| | | rsa.group.users.manage | Local group membership actions (add/remove users) |
| | | rsa.group.users.read | Retrieve local group user details |
| Report | Cloud Administration Health Check API | rsa.report.health | Retrieve report on CAS availability |
| | Cloud Administration Retrieve License Usage API Version 1 | rsa.report.license.usage | Retrieve MFA license usage to monitor license compliance |
| | Cloud Administration Retrieve License Usage API Version 2 | rsa.report.license.usage | Retrieve MFA license usage to monitor license compliance |
| | Cloud Administration Generate and Download Report APIs | rsa.report.read | Generate and download users, hardware tokens, and MFA clients report |
| | Cloud Administration Anomalous Users API | rsa.report.user.risky | Retrieve a list of users who exhibit anomalous behavior |
| User | Cloud Administration User Search API Version 1 | rsa.user.read | Retrieve user information from the identity source |
| | Cloud Administration Synchronize User API | rsa.user.sync | User synchronization to user identity |
| | Cloud Administration User Details API | rsa.user.read | Retrieve user information from the identity source |
| | Cloud Administration Mark User Deleted API | rsa.user.delete.soft | Mark a disabled user as pending deletion |
| | Cloud Administration Delete User Now API | rsa.user.delete | Delete a single disabled user and immediately remove all devices associated with that user |
| | Cloud Administration User Status API | rsa.user.manage | Update, sync, enable, and disable users |
| | Cloud Administration Unlock User Tokencodes API | rsa.user.factor.manage | Unlock, update, reset, and generate codes for users' authentication factors |
| | Cloud Administration Update SMS and Voice Phone API | rsa.user.factor.manage | Unlock, update, reset, and generate codes for users' authentication factors |
| | Cloud Administration Add/Remove High-Risk User API | rsa.user.risky.manage | Add or remove one or more users from the high-risk user list |
| | Cloud Administration Retrieve High-Risk User List API Version 1 | rsa.user.risky.read | Retrieve a list of users who are identified as high risk |
| | Cloud Administration Retrieve High-Risk User List API Version 2 | rsa.user.risky.read | Retrieve a list of users who are identified as high risk |
| | Cloud Administration Generate Enrollment Code API | rsa.user.factor.manage | Unlock, update, reset, and generate codes for users' authentication factors |
| | Cloud Administration Void Enrollment Code API | rsa.user.factor.manage | Unlock, update, reset, and generate codes for users' authentication factors |
| | Cloud Administration Password Reset Code API | rsa.user.factor.manage | Unlock, update, reset, and generate codes for users' authentication factors |
| | Cloud Administration Void Password Reset Code API | rsa.user.factor.manage | Unlock, update, reset, and generate codes for users' authentication factors |
Cloud Authentication API Permissions
| Group | Permission | Permission Description |
|---|---|---|
| MFA | rsa.mfa.authn | For multi-factor, multi-step authentications with CAS |
| | rsa.mfa.identityconfidence | View and update the identity confidence score of a user |