Dear Folks,

We'd like to inform you about recent updates to the Get Agent API in Zoho Desk, prompted by security considerations. If you're currently using the APIs mentioned, please take note of the changes outlined below.

Existing Behavior:

Currently, when the "Manage Agents" toggle is disabled under profile permissions in the Zoho Desk portal UI, users would not be able to view the list of agents or their profile information. However, some meta-information such as profile pictures, agent names, and email addresses remain accessible in conversations, tickets modules, and certain other areas.

Security Concern:

Despite UI restrictions, the Get Agent API allows fetching all agent information even when permissions are disabled. The API does not consider profile permissions when invoked, which was unearthed as a potential bug. Hence, we have made some changes.

New Behavior:

To address this issue, we are implementing a fix that restricts specific field details—excluding meta-information—in API responses triggered from agent accounts with disabled "Manage Agents" permissions. We have provided lists of restricted and supported fields below.

Restricted Fields:

1. Phone
2. Mobile
3. Custom Fields
4. About Info
5. CountryCode
6. Extension
7. TimeZone
8. Language Code
9. ChannelExpert

Supported Fields:

1. Agent Id
2. zuid
3. emailId
4. firstName
5.lastName
6. name
7. photoURL
8. isConfirmed
9. status
10. isLightAgent
11. associated DepartmentIds
12. associated Chat Department Ids
13. roleId
14. profileId
15. rolePermissionType

The list of APIs: Get Agent and List Agents

For any queries or clarifications on this matter, please contact us at support@zohodesk.com. We're here to help.


Best regards,
Zoho Desk Team