From 564c6e7da45193c0eead5a302ccf358c55e1ed8e Mon Sep 17 00:00:00 2001 From: Chris Botelho Date: Fri, 29 May 2026 10:41:09 -0500 Subject: [PATCH 1/3] docs(halopsa): correct required OAuth scopes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous list claimed eight scopes, two of which (read:actions, edit:actions) do not exist — the HaloPSA /auth/token endpoint rejects them as invalid_scope. The remaining six were also non-minimal: edit:tickets subsumes read:tickets, edit:assets subsumes read:assets, and the extension never writes clients or sites so edit:customers is unneeded. Verified against a live HaloPSA tenant by probing each scope in isolation against every endpoint the extension uses; the minimum set 'edit:tickets edit:assets read:customers' authorizes all six extension actions (create_ticket, update_ticket, search_tickets, add_action, link_asset_to_ticket, lookup_client_site) end-to-end. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/5-integrations/extensions/third-party/halopsa.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/5-integrations/extensions/third-party/halopsa.md b/docs/5-integrations/extensions/third-party/halopsa.md index 04cc57df..7ee46036 100644 --- a/docs/5-integrations/extensions/third-party/halopsa.md +++ b/docs/5-integrations/extensions/third-party/halopsa.md 
@@ -12,7 +12,15 @@ In HaloPSA, create an API application (under **Configuration → Integrations - **Authentication Method:** Client ID and Secret (Services) - **Login Type:** Log on as the **Application** (the API acts as itself, not as a specific agent) -- **Permissions:** grant `read:tickets`, `edit:tickets`, `read:customers`, `edit:customers`, `read:assets`, `edit:assets`, `read:actions`, `edit:actions` +- **Permissions:** grant `edit:tickets`, `edit:assets`, `read:customers` + +These three scopes are the verified least-privilege set for the six actions below: + +- `edit:tickets` covers `create_ticket`, `update_ticket`, `search_tickets`, and `add_action`. Actions are a HaloPSA ticket sub-resource — there is no separate `read:actions` or `edit:actions` scope (the HaloPSA token endpoint rejects them as `invalid_scope`). +- `edit:assets` covers asset lookup and the create-if-missing path in `link_asset_to_ticket`. +- `read:customers` covers `lookup_client_site` for both clients *and* sites (sites are a customer sub-resource). The extension never writes clients or sites, so `edit:customers` is not required. + +If you'd rather not enumerate scopes, the extension's default of `all` also works. Copy the **Client ID** and **Client Secret** — you will need them in the next step. Refer to HaloPSA's own product documentation for the current UI path; the labels above may differ slightly across HaloPSA versions. From e8e47e554339c9ea088798e04315b6c9a584679c Mon Sep 17 00:00:00 2001 
From: Chris Botelho Date: Fri, 29 May 2026 10:43:22 -0500 Subject: [PATCH 2/3] =?UTF-8?q?docs(halopsa):=20fix=20login=20type=20?= =?UTF-8?q?=E2=80=94=20HaloPSA=20has=20no=20"Application"=20type?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "Log on as the Application" instruction was inaccurate: HaloPSA's API Application login type is "Agent" and every request is attributed to a specific agent identity (visible in the id_token JWT issued by /auth/token). Updated the step to instruct picking the agent that should own tickets, actions, and assets created by the extension. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/5-integrations/extensions/third-party/halopsa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/5-integrations/extensions/third-party/halopsa.md b/docs/5-integrations/extensions/third-party/halopsa.md index 7ee46036..01f797a3 100644 --- a/docs/5-integrations/extensions/third-party/halopsa.md +++ b/docs/5-integrations/extensions/third-party/halopsa.md @@ -11,7 +11,7 @@ The HaloPSA LimaCharlie Extension exposes outbound HaloPSA actions to D&R rules In HaloPSA, create an API application (under **Configuration → Integrations → HaloPSA API**) and configure it for the OAuth2 `client_credentials` flow: - **Authentication Method:** Client ID and Secret (Services) -- **Login Type:** Log on as the **Application** (the API acts as itself, not as a specific agent) +- **Login Type:** Log on as **Agent** — pick the HaloPSA agent that should own the tickets, actions, and assets this extension creates. HaloPSA has no "Application" login type; every API request is attributed to an agent identity. - **Permissions:** grant `edit:tickets`, `edit:assets`, `read:customers` These three scopes are the verified least-privilege set for the six actions below: From 5537a3756c41834c30722aef310b3c37bf83e9ab Mon Sep 17 00:00:00 2001 
From: Chris Botelho Date: Fri, 29 May 2026 10:45:00 -0500 Subject: [PATCH 3/3] docs(halopsa): drop redundant note about login type semantics Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/5-integrations/extensions/third-party/halopsa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/5-integrations/extensions/third-party/halopsa.md b/docs/5-integrations/extensions/third-party/halopsa.md index 01f797a3..4990cf5e 100644 --- a/docs/5-integrations/extensions/third-party/halopsa.md +++ b/docs/5-integrations/extensions/third-party/halopsa.md @@ -11,7 +11,7 @@ The HaloPSA LimaCharlie Extension exposes outbound HaloPSA actions to D&R rules In HaloPSA, create an API application (under **Configuration → Integrations → HaloPSA API**) and configure it for the OAuth2 `client_credentials` flow: - **Authentication Method:** Client ID and Secret (Services) -- **Login Type:** Log on as **Agent** — pick the HaloPSA agent that should own the tickets, actions, and assets this extension creates. HaloPSA has no "Application" login type; every API request is attributed to an agent identity. +- **Login Type:** Log on as **Agent** — pick the HaloPSA agent that should own the tickets, actions, and assets this extension creates. - **Permissions:** grant `edit:tickets`, `edit:assets`, `read:customers` These three scopes are the verified least-privilege set for the six actions below:
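Review bot: in PATCH 1/3, the last added sentence ("If you'd rather not enumerate scopes, the extension's default of `all` also works") undercuts the least-privilege set that the same hunk has just documented as verified. Suggest dropping it, or rewording it so that `edit:tickets`, `edit:assets`, `read:customers` is the recommended configuration and `all` is described as broader than the six actions need. Since the hunk says the extension defaults to `all`, the step should also tell the reader where to change the scope the extension requests. Otherwise an API application granted only the three scopes is paired with an extension still asking for `all`, and the page does not say what happens in that case.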
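Review bot: in PATCH 2/3, the new **Login Type** bullet says to "pick the HaloPSA agent that should own the tickets, actions, and assets this extension creates" but gives no guidance on which kind of agent to pick. Because the added text states that every API request is attributed to that agent identity, suggest recommending a dedicated integration agent rather than a person's account, so that extension activity is distinguishable from human activity in HaloPSA and is not affected when a staff account is disabled. It would also help to say whether the chosen agent's own role limits what the three granted scopes allow, since the bullet list reads as if the scopes alone decide access.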
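Review bot: in PATCH 3/3, the removed sentence ("HaloPSA has no "Application" login type; every API request is attributed to an agent identity") was the only place the page stated the attribution behaviour, so it is not fully redundant with the remaining "should own" wording. Suggest keeping a short clause such as "requests made by the extension are attributed to this agent", which matters to anyone reading HaloPSA audit history. As a style point, this patch removes text added by PATCH 2/3 two minutes earlier, so the two could be squashed so that the history does not introduce a sentence and then remove it in the next commit.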