Hi @smarterme and @Lee_Farthing,
I think one point of confusion here is the idea of user/portal/app permissions. Let me see if I can clear up some of the differences:
- Users have certain roles related to the permissions they have within a HubSpot portal. Some users can access the blog tool, while others can only access the CRM. Some users are admins, and still others might be super admins. These user roles affect whether or not a particular user can approve an integration.
- Portals each have certain tools associated with them based on their product tier and included add ons. Some portals are Marketing/CRM Free, some are Marketing Enterprise & Sales Professional, and some may have the Reporting add on. These product levels affect whether or not a particular portal can install an integration.
- App request certain scopes when initiating an OAuth2 connection. Your app may request
timeline, for example. All scopes can be required or optional. In order for your app to be installed to a given portal, two things must be true:
- The portal must contain the tools corresponding to the required scopes the integration is requesting. (e.g. If the integration is requesting the
hubdb scope, the portal in question must have access to the HubDB tool)
- The user who is authorizing the app must be an admin, and must have the roles required to authorize the required scopes the integration is requesting. (e.g. If I'm trying to approve an integration that is requesting the
hubdb scope, I must have the proper HubDB-related role to approve the integration)
Knowing these things, it's clear that whether or not an integration can be installed depends on the combination of the app's required scopes, the portals product tier, and the authorizing user's role. This is what makes troubleshooting these issues so situation-specific; slight differences in user roles, portal tiers, or required scopes can be factors in why a particular user/portal/app combination isn't working as expected.
Apps are portal-wide
An important thing to consider here is that integrations are always portal-wide. This means that a single user authorizes an integration, and that integration can then function for the entire portal. The OAuth2 flow should be thought of as installing an app to your portal; one user (an admin) needs to approves the app, and 'install' it to the portal. After that, the integration provides some user-independent functionality to the portal. It's not possible to create user-specific integrations using the HubSpot APIs, so there shouldn't ever be situations where more than one user needs to complete the OAuth2 flow for a single portal.
This hub doesn't have access to some HubSpot features that are required by this integration. Please contact the integrator
- This error means there is an issue with the portal. The portal being selected does not contain the tools that correspond to the required scopes the integration is requesting.
You do not have the correct role to grant these permissions. Please contact your administrator
- This error means there is an issue with the user. The user attempting to authorize the app does not have the roles required to authorize the required scopes the integration is requesting.
When in doubt, having a super admin try to install the integration is a good place to start. A super admin will have the proper role to approve any integration.
In general, I need the portal's Hub ID, the user's email address, and the app's required scopes in order to effectively troubleshoot OAuth2 issues. Because of how situation specific these issues are, it's also usually best to create a new topic for your issue instead of posting on an existing topic, even if the issues seem related.