We’re building a partner portal on zs-2023 where external partners need API access to manage their own deals and contacts but shouldn’t see other partners’ data. Trying to decide between Zendesk Sell’s built-in role-based access control versus implementing OAuth scopes at our application layer for access control.
The RBAC approach uses Zendesk’s permission system but requires creating separate user accounts for each partner. OAuth scopes would use a service account with our app managing partner isolation. Both have security implications for multi-tenant scenarios. What’s the industry standard approach for partner onboarding and API access isolation? Concerned about security, scalability, and ease of partner onboarding.
Partner onboarding velocity matters too. With RBAC, you’re creating Zendesk accounts, setting up roles, configuring sharing rules - it’s a multi-step process even if automated. OAuth with a service account means partners get API credentials instantly. We prioritized fast onboarding and went the OAuth route, accepting the trade-off of building our own access control layer. Really depends on whether you optimize for security/compliance or partner experience.
OAuth scopes are designed for application-level authorization, not data-level isolation. Scopes define what operations an app can perform (read contacts, write deals), not which specific records it can access. For multi-tenant partner isolation, you need row-level security which RBAC provides naturally. I’d recommend RBAC with partner-specific user accounts rather than trying to build tenant isolation in OAuth scopes.
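Added example, not from any poster in this thread: a minimal Python access-control layer of the kind the OAuth answer above describes, showing that a scope check alone lets any credential holding deals:read fetch another partner's deal, while an ownership check on each row gives the per-record isolation the reply above says scopes cannot provide. The record layout, the partner_id claim and the scope names are assumptions.

```python
# Added example (not from the thread): app-layer tenant isolation on top of OAuth scopes.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed sample records; partner_id marks the tenant that owns each row.
DEALS: List[Dict] = [
    {"id": 101, "partner_id": "acme", "title": "Acme renewal"},
    {"id": 102, "partner_id": "globex", "title": "Globex pilot"},
    {"id": 103, "partner_id": "acme", "title": "Acme expansion"},
]

@dataclass(frozen=True)
class Caller:
    partner_id: str          # tenant the credential was issued to (assumed claim)
    scopes: FrozenSet[str]   # operation-level grants, e.g. {"deals:read"}

class AccessDenied(Exception):
    pass

def require_scope(caller: Caller, scope: str) -> None:
    if scope not in caller.scopes:
        raise AccessDenied(f"missing scope {scope}")

def scope_only_read(caller: Caller, deal_id: int) -> Dict:
    """Scope check only: any holder of deals:read can read any partner's deal."""
    require_scope(caller, "deals:read")
    return next(d for d in DEALS if d["id"] == deal_id)

def tenant_scoped_read(caller: Caller, deal_id: int) -> Dict:
    """Scope check plus ownership check: the row must belong to the caller's tenant."""
    require_scope(caller, "deals:read")
    deal: Optional[Dict] = next((d for d in DEALS if d["id"] == deal_id), None)
    # Same failure for missing and foreign rows, so the API does not reveal
    # which ids exist in other tenants.
    if deal is None or deal["partner_id"] != caller.partner_id:
        raise AccessDenied("deal not found")
    return deal

def list_deals(caller: Caller) -> List[Dict]:
    """List endpoints filter by tenant server-side; never rely on the client to filter."""
    require_scope(caller, "deals:read")
    return [d for d in DEALS if d["partner_id"] == caller.partner_id]

def can_read(check: Callable[[Caller, int], Dict], caller: Caller, deal_id: int) -> bool:
    """True if the given check lets caller read deal_id."""
    try:
        check(caller, deal_id)
        return True
    except AccessDenied:
        return False
```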
We went with RBAC and it’s been solid. Each partner gets a dedicated user account with a custom role that restricts visibility to their data through Zendesk’s sharing rules. The onboarding process is automated - we provision accounts via API when partners sign up. The key is setting up proper data ownership and sharing rules in Zendesk Sell so partners only see records they own or are shared with them.