
Unable to create PersonWantsOrg via REST API

We try a POST request to the PersonWantsOrg table with the following example body:
{
    "values": {
        "UID_Org": "5c490797-b3ae-47c5-b2da-f1bc0e9ab675",
        "UID_PersonInserted": "8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
        "UID_PersonOrdered": "8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
        "OrderReason": "Test request via api"
    }
}

but receive the following error:
{
"responseStatus":{
"message":"This employee Fellers Joshua (JOSHUA.FELLERS) is not authorized to make requests at this point."},
"errorString":"This employee Fellers Joshua (JOSHUA.FELLERS) is not authorized to make requests at this point.",
"exceptions":[{"number":2133173,"message":"This employee Fellers Joshua (JOSHUA.FELLERS) is not authorized to make requests at this point."}]
}
}

We verified the same request can be made by the user in ITShop, and the person logged into the API has a system user of viAdmin assigned to it.

  • Please check that no other request for the same product for the user exists currently. If another request already exists you are not allowed to request it again. This happens easily if you always test with the same combination of product and recipient.

  • We tried a couple of different users and verified there were no requests out there already. Same results.

  • In regards to the authentication, so you end up with a person that has viadmin assigned as Person.DialogUser. Correct?

    But you verified in the IT Shop that the user itself is able to request the products in question. Correct?

    Last question (should be the first but forgot to ask), what version of OneIM are you using?

  • Sorry. Should have already stated the version in my question. We are on 7.1.2.

    And yes you are correct on your other statements.

  • I strongly believe that you are not allowed to insert the request on behalf of others as the person using the viadmin user. You can verify this by trying to insert an entry into PersonWantsOrg in the ObjectBrowser using the same authenticator settings as for your ReST calls. I believe it will fail as well.

    If so, then your system user needs to have the flag IsServiceAccount set. And no, you cannot set the flag for viadmin.

  • So we have a copy of viAdmins as dcgsAdmin. All permissions are checked in the Permissions Group Editor, we made sure that it is not a dynamic user, and it is listed under system users. We just assigned that to the user instead of viAdmin and tested again. Still the same error.

  • Sorry. I'll have to correct my post. The flag is called IsServiceAccount that has to be set at the system user.

  • Markus, thank you again for your reply. We have checked the IsServiceAccount checkbox, committed, and compiled, and we are still receiving the same error.

    Although we logged into Object Browser, and none of the DCGS_User permissions seem to be there either. Troubleshooting that and readdressing.

  • Please note our end goal is to enable a process (via web interface) that a user can perform self-service on requesting access (like in ITShop). I.e., a non-priv user should be able to make a request. I would not expect a regular user to be flagged as a service account. What is the process/correct method, via the API, for a regular user to be able to make such a request? I assumed the above API call could be made by any authenticated user. What permissions are required to make a new request? It appears that ITShop does it via direct SQL commands. How can, if at all, this be done via the API? If the call has to be made from a privileged service account, that is OK, we just need to know what those privileges look like, as everything we have tried has failed.

  • The above API call can be made by any authenticated user for himself, if the normal request requirements are fulfilled (Receiver of the requested product needs to be a member of the shop the product is requested from, if the product is not multi-requestable the receiver is not allowed to have the product assigned already, ...).

    The ootb Web Portal is using the object layer as all other tools.

  • Just as an addition.

    I re-created your sample in my 8.0.1 and 7.1.3 test environments and was able to insert a new request for myself (means for the logged in user) over the REST API without any special permissions and without any error.

    Thing is, as I have said before, you will get the error message from your initial thread entry if the same product is already assigned for the recipient or if another approval process for the same product has already been started.

  • I am attempting to request a role I do not have. I also verified by doing a select * from PersonWantsOrg WHERE UID_Org='36a69ab1-1434-4d80-8eb4-9b96db457502' to verify there is no pending, or previous PWO request. Just to review to ensure I am not missing a step. I am using Postman for my tests. I auth using auth/apphost with a body of {"authString":"Module=RoleBasedManualADS;User=xxxx;Password=xxxx"} to get my token where user is my AD username. I then post to api/entity/PersonWantsOrg/ the following values:

    {
    "values": [
    "UID_Org": "36a69ab1-1434-4d80-8eb4-9b96db457502",
    "UID_PersonInserted":"beab7678-6fbd-4db1-ac5e-2cce6c6bd256",
    "UID_PersonOrdered": "beab7678-6fbd-4db1-ac5e-2cce6c6bd256",
    "OrderReason":"Test request via api"
    ]
    }

    Again, I have verified that there are 0 items in the PersonWantsOrg table with that UID. The person inserted and ordered are my Person record UID for the AD account I logged in with. I also note that if I change the UID_PersonOrdered to a different user, the error message changes to say that that user is not authorized.

    Is there anything I should be doing differently? 

  • You should replace the square brackets [] with curly brackets {} in your JSON.

    And, can you confirm that the following SQL returns a result?

    Select FullPath from ITShopOrg where UID_Org='36a69ab1-1434-4d80-8eb4-9b96db457502'

  • Sorry, bad cut n paste, it's always { }. I was just trying some crazy ideas at the time. As to your query, our ITShopOrg table does not have a UID_Org field.

  • Sorry, bad cut n paste. Replace UID_Org with UID_ITShopOrg

  • Markus, doesn't PersonWantsOrg use the UID_Org from the Org table, not UID_ITShopOrg in ITShopOrg?

  • No, it doesn't. The UID_Org in the request is the UID of the product node from the IT Shop you want to request, hence the UID_ITShopOrg of the product node.

    I am pretty sure, that is your issue here as you are comparing apples to oranges.

  • The PersonWantsOrg table's UID_Org is a foreign key of Org not ItshopOrg, I don't follow? I tried using a UID from ITShopOrg just to try it, but then I get a "an error occured". 

  • I think you need to reconsider. PersonWantsOrg.UID_Org points to the table ITShopOrg not to the table Org, it never did.
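
Added example (not part of the original thread, and not One Identity code): a client-side preflight for the PersonWantsOrg request body that catches the malformed-body problems raised above before the POST is sent. The function names and sample UIDs are constructed; the self-service rule (requester and recipient both equal the logged-in person) follows the replies in the thread. Whether UID_Org really is the UID_ITShopOrg of a product node can only be checked against the database, as in the SQL query above.

```python
import json
import re

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
UID_FIELDS = ("UID_Org", "UID_PersonInserted", "UID_PersonOrdered")

# Constructed sample values, not taken from the thread.
ME = "00000000-0000-4000-8000-000000000001"
PRODUCT = "00000000-0000-4000-8000-0000000000aa"


def make_body(uid_org=PRODUCT, inserted=ME, ordered=ME):
    """Build a request body in the shape shown in the thread."""
    return json.dumps({"values": {"UID_Org": uid_org, "UID_PersonInserted": inserted,
                                  "UID_PersonOrdered": ordered, "OrderReason": "test"}})


def preflight(raw_body, session_person_uid):
    """Return a list of problems found in a PersonWantsOrg POST body."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        # e.g. "values": [ "UID_Org": ... ] with square brackets
        return [f"body is not valid JSON: {exc.msg}"]
    values = body.get("values") if isinstance(body, dict) else None
    if not isinstance(values, dict):
        return ['"values" must be a JSON object ({...})']
    problems = []
    for field in UID_FIELDS:
        uid = values.get(field)
        if not isinstance(uid, str):
            problems.append(f"{field} is missing")
        elif uid != uid.strip():
            problems.append(f"{field} has stray whitespace")
        elif not GUID_RE.fullmatch(uid):
            problems.append(f"{field} is not a GUID")
    # Self-service case: a regular user may only request for himself.
    for field in UID_FIELDS[1:]:
        uid = values.get(field)
        if isinstance(uid, str) and uid.strip().lower() != session_person_uid.lower():
            problems.append(f"{field} is not the logged-in person")
    return problems


if __name__ == "__main__":
    print(preflight(make_body(), ME))
    print(preflight(make_body(uid_org=" " + PRODUCT), ME))
    print(preflight('{"values": ["UID_Org": "x"]}', ME))
```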