
unable to create PersonWantsOrg via RESTApi

We try a Post request to the PersonWantsOrg table with the following example body:
{
"values": {
"UID_Org": " 5c490797-b3ae-47c5-b2da-f1bc0e9ab675",
"UID_PersonInserted":"8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
"UID_PersonOrdered": "8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
"OrderReason":"Test request via api"
}
}

but receive the following error:
{
"responseStatus":{
"message":"This employee Fellers Joshua (JOSHUA.FELLERS) is not authorized to make requests at this point."},
"errorString":"This employee Fellers Joshua (JOSHUA.FELLERS) is not authorized to make requests at this point.",
"exceptions":[{"number":2133173,"message":"This employee Fellers Joshua (JOSHUA.FELLERS) is not authorized to make requests at this point."}]
}

We verified the same request can be made by the user in ITShop, and the person logged into the API has a System user of viAdmin assigned to it.

  • Please check that no other request for the same product for the user exists currently. If another request already exists you are not allowed to request it again. This happens easily if you always test with the same combination of product and recipient.

  • We tried a couple of different users, and verified there were no requests out there already. Same results.

  • Markus, thank you again for your reply. We have checked the isServiceAccount checkbox, committed, and compiled, and we are still receiving the same error.

    Although we logged into object browser, and none of the DCGS_User Permissions seem to be there either. Troubleshooting that and readdressing.

  • Please note our end goal is to enable a process (via web interface) that a user can perform self-service on requesting access (like in ITShop), i.e. a non-priv user should be able to make a request. I would not expect a regular user to be flagged as a service account. What is the process/correct method, via the API, for a regular user to be able to make such a request? I assumed the above API call could be made by any authenticated user. What permissions are required to make a new request? It appears that ITShop does it via direct SQL commands. How can, if at all, this be done via the API? If the call has to be made from a privileged service account, that is ok, just need to know what those privileges look like as everything we have tried has failed.

  • The above API call can be made by any authenticated user for himself, if the normal request requirements are fulfilled (Receiver of the requested product needs to be a member of the shop the product is requested from, if the product is not multi-requestable the receiver is not allowed to have the product assigned already, ...).

    The ootb Web Portal is using the object layer as all other tools.

  • Just as an addition.

    I re-created your sample in my 8.0.1 and 7.1.3 test environments and was able to insert a new request for myself (means for the logged in user) over the REST API without any special permissions and without any error.

    Thing is, as I have said before, you will get the error message from your initial thread entry if the same product is already assigned for the recipient or if another approval process for the same product has already been started.

  • I am attempting to request a role I do not have. I also verified by doing a select * from PersonWantsOrg WHERE UID_Org='36a69ab1-1434-4d80-8eb4-9b96db457502' to verify there is no pending, or previous PWO request. Just to review to ensure I am not missing a step. I am using Postman for my tests. I auth using auth/apphost with a body of {"authString":"Module=RoleBasedManualADS;User=xxxx;Password=xxxx"} to get my token where user is my AD username. I then post to api/entity/PersonWantsOrg/ the following values:

    {
    "values": [
    "UID_Org": "36a69ab1-1434-4d80-8eb4-9b96db457502",
    "UID_PersonInserted":"beab7678-6fbd-4db1-ac5e-2cce6c6bd256",
    "UID_PersonOrdered": "beab7678-6fbd-4db1-ac5e-2cce6c6bd256",
    "OrderReason":"Test request via api"
    ]
    }

    Again, I have verified that there are 0 items in the PersonWantsOrg table with that UID. The person inserted and ordered are my Person record UID for the AD account I logged in with. I also note that if I change the UID_PersonOrdered to a different user, the error message changes to say that that user is not authorized.

    Is there anything I should be doing differently? 

  • You should replace the square brackets [] with curly brackets {} in your JSON.

    And, can you confirm that the following SQL returns a result?

    Select FullPath from ITShopOrg where UID_Org='36a69ab1-1434-4d80-8eb4-9b96db457502'

  • Sorry, bad cut n paste, it's always { }. I was just trying some crazy ideas at the time. As to your query, our ITShopOrg table does not have a UID_Org field.

  • Sorry, bad cut n paste. Replace UID_Org with UID_ITShopOrg

  • Markus, doesn't PersonWantsOrg use the uid_Org from the Org table, not uid_ItShopOrg in ItShop org?

  • No, it doesn't. The UID_Org in the request is the UID of the product node from the IT Shop you want to request, hence the UID_ITShopOrg of the product node.

    I am pretty sure, that is your issue here as you are comparing apples to oranges.

  • The PersonWantsOrg table's UID_Org is a foreign key of Org not ItshopOrg, I don't follow? I tried using a UID from ITShopOrg just to try it, but then I get a "an error occured". 

  • I think you need to reconsider. PersonWantsOrg.UID_Org points to the table ITShopOrg not to the table Org, it never did.

  • Well that is a mean trick. OK then, any idea what this error might refer to then if I use an ITShopOrg UID:

    {"responseStatus":{"message":"An error occured."},"errorString":"An error occured.","exceptions":[{"number":2072000,"message":"An error occured."}]}

  • I checked back to version 4 and the property was called UID_Org pointing to ITShopOrg even then so no mean trick.

    In regards to your error message, the Application Server suppresses detailed error messages as one countermeasure against error based SQL injection. Means, you need to check the log of the Application Server for a detailed error.

    Or, you configure the web.config of the Application Server to send detailed error messages. Please note, that this should never be enabled in a production system!
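
The suppression behaviour described in the reply above, sketched as an added example (not One Identity's code and not part of the thread): the client always gets the generic envelope, while the full exception chain goes to the server log. The function names and the `detailed` switch are assumptions; the envelope shape and error number are copied from the response quoted earlier.

```python
import logging

log = logging.getLogger("appserver-sketch")  # hypothetical logger name
GENERIC = "An error occured."  # literal text of the response quoted in the thread


def chain(exc):
    """Flatten an exception and its causes, outermost first."""
    out = []
    while exc is not None:
        out.append(f"{type(exc).__name__}: {exc}")
        exc = exc.__cause__
    return out


def error_body(exc, number, detailed=False):
    """Build the client-facing envelope; the full chain always goes to the log."""
    full = " ---> ".join(chain(exc))
    log.error("[%s] %s", number, full)
    message = full if detailed else GENERIC
    return {
        "responseStatus": {"message": message},
        "errorString": message,
        "exceptions": [{"number": number, "message": message}],
    }


def failing_insert():
    """Constructed failure modelled on the log lines posted in this thread."""
    try:
        raise RuntimeError("Database error 50000: ObjectkeyAssignment has an "
                           "invalid number of PK definitions.")
    except RuntimeError as db_error:
        raise RuntimeError("Error during execution of statement: insert into "
                           "PersonWantsOrg (UID_Org, UID_PersonOrdered) "
                           "values (...)") from db_error


def demo():
    """Return (suppressed, detailed) bodies for the same failure."""
    try:
        failing_insert()
    except RuntimeError as exc:
        return error_body(exc, 2072000), error_body(exc, 2072000, detailed=True)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for body in demo():
        print(body)
```

The detailed body carries the statement text with table and column names, which is the feedback error-based SQL injection relies on; the suppressed body carries none of it.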

  • at QBM.AppServer.Api.SingleService.<Post>d__1.MoveNext()
    2018-08-06 15:57:08.2876 ERROR (ObjectLog ) : [810306] Error during execution of 'OnSaved' in logic module 'QER.Customizer.PersonWantsOrg'.
    [810023] Error during execution of statement: insert into PersonWantsOrg (DisplayOrg, DisplayOrgParent, DisplayOrgParentOfParent, DisplayPersonInserted, DisplayPersonOrdered, GenProcID, ObjectKeyOrdered, OrderDate, OrderReason, OrderState, UID_ITShopOrgFinal, UID_Org, UID_OrgParent, UID_OrgParentOfParent, UID_PersonInserted, UID_PersonOrdered, UID_PersonWantsOrg, xdateinserted, xuserinserted, xdateupdated, xuserupdated, xobjectkey) values (N'Storage SuperUser', N'DCGS Users', N'Identity & Access Lifecycle', N'Fellers Joshua', N'Fellers Joshua', '166edaf2-10c5-4b39-a70c-a5e560963812', '<Key><T>QERAssign</T><P>5b10daeb-a80c-44dd-9243-0be8357e1e7b</P></Key>', '2018-08-06 19:57:07.475', N'Test request via api', N'OrderProduct', '1F911648-FE69-4BEE-AE17-E8F25E5B7D1B', '1F911648-FE69-4BEE-AE17-E8F25E5B7D1B', '939a4adc-46ba-4559-a98b-a84fd085fa2f', 'QER-ITSHOPORG-DELEGATION-SH', 'beab7678-6fbd-4db1-ac5e-2cce6c6bd256', 'beab7678-6fbd-4db1-ac5e-2cce6c6bd256', 'b2996865-a41c-41ce-a3cd-6729075e64e9', GetUTCDate(), N'D1IM\joshua.fellers.adm', GetUTCDate(), N'D1IM\joshua.fellers.adm', '<Key><T>PersonWantsOrg</T><P>b2996865-a41c-41ce-a3cd-6729075e64e9</P></Key>')
    [810143] Database error 50000: re-throw in Procedure QER_PITShopPersonHasObjectFill, Line 55
    [810143] Database error 50000: detected in (SRV=SQL\IDAM01, DB=D1IM) Procedure QER_PITShopPersonHasObjectFill, Line 18
    [810143] Database error 50000: ObjectkeyAssignment has an invalid number of PK definitions.
    VI.Base.ViException: Error during execution of 'OnSaved' in logic module 'QER.Customizer.PersonWantsOrg'. ---> VI.Base.ViException: Error during execution of statement: insert into PersonWantsOrg (DisplayOrg, DisplayOrgParent, DisplayOrgParentOfParent, DisplayPersonInserted, DisplayPersonOrdered, GenProcID, ObjectKeyOrdered, OrderDate, OrderReason, OrderState, UID_ITShopOrgFinal, UID_Org, UID_OrgParent, UID_OrgParentOfParent, UID_PersonInserted, UID_PersonOrdered, UID_PersonWantsOrg, xdateinserted, xuserinserted, xdateupdated, xuserupdated, xobjectkey) values (N'Storage SuperUser', N'DCGS Users', N'Identity & Access Lifecycle', N'Fellers Joshua', N'Fellers Joshua', '166edaf2-10c5-4b39-a70c-a5e560963812', '<Key><T>QERAssign</T><P>5b10daeb-a80c-44dd-9243-0be8357e1e7b</P></Key>', '2018-08-06 19:57:07.475', N'Test request via api', N'OrderProduct', '1F911648-FE69-4BEE-AE17-E8F25E5B7D1B', '1F911648-FE69-4BEE-AE17-E8F25E5B7D1B', '939a4adc-46ba-4559-a98b-a84fd085fa2f', 'QER-ITSHOPORG-DELEGATION-SH', 'beab7678-6fbd-4db1-ac5e-2cce6c6bd256', 'beab7678-6fbd-4db1-ac5e-2cce6c6bd256', 'b2996865-a41c-41ce-a3cd-6729075e64e9', GetUTCDate(), N'D1IM\joshua.fellers.adm', GetUTCDate(), N'D1IM\joshua.fellers.adm', '<Key><T>PersonWantsOrg</T><P>b2996865-a41c-41ce-a3cd-6729075e64e9</P></Key>') ---> VI.DB.DatabaseException: Database error 50000: re-throw in Procedure QER_PITShopPersonHasObjectFill, Line 55 ---> VI.DB.DatabaseException: Database error 50000: detected in (SRV=SQL\IDAM01, DB=D1IM) Procedure QER_PITShopPersonHasObjectFill, Line 18 ---> VI.DB.DatabaseException: Database error 50000: ObjectkeyAssignment has an invalid number of PK definitions.
    --- End of inner exception stack trace ---

  • You are requesting an assignment resource but do not fill the property ObjectkeyAssignment of the PersonWantsOrg entry. If this request should become a business role membership, you need to fill the ObjectkeyAssignment with the XObjectKey of the PersonInOrg entry that is requested.

    I suggest you take a look at the template of ShoppingCartItem.ObjectKeyAssignment that creates such a XObjectKey if you request the role membership via the ShoppingCart instead of entering all the data directly into PersonWantsOrg. This is what the Web Portal does.
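
A client-side pre-flight check for the request body, as an added example that is not part of the thread or One Identity's code: it parses the `<Key><T>...</T><P>...</P></Key>` object-key format visible in the log above and checks how many PK values ObjectKeyAssignment carries. The expected count of two for PersonInOrg, the function names and the sample UIDs are assumptions; compare against an existing PersonInOrg.XObjectKey in your own database before relying on it.

```python
import re

KEY_RE = re.compile(r"^<Key><T>(\w+)</T>((?:<P>[^<]+</P>)+)</Key>$")
# Assumption: a PersonInOrg entry is identified by two key values.
EXPECTED_PKS = {"PersonInOrg": 2}
UID_FIELDS = ("UID_Org", "UID_PersonInserted", "UID_PersonOrdered")
SAMPLE = {  # constructed; the UIDs are placeholders, not values from the thread
    "UID_Org": " 00000000-0000-0000-0000-000000000001",  # stray leading space
    "UID_PersonInserted": "00000000-0000-0000-0000-000000000002",
    "UID_PersonOrdered": "00000000-0000-0000-0000-000000000002",
    "ObjectKeyAssignment": "<Key><T>PersonInOrg</T>"
                           "<P>00000000-0000-0000-0000-000000000003</P></Key>",
}

def parse_object_key(key):
    """Split '<Key><T>Table</T><P>pk</P>...</Key>' into (table, [pk, ...])."""
    m = KEY_RE.match(key.strip())
    if not m:
        raise ValueError("not an object key: %r" % key)
    return m.group(1), re.findall(r"<P>([^<]+)</P>", m.group(2))

def preflight(values, assignment_resource=False):
    """Return the problems found in a PersonWantsOrg 'values' object."""
    if not isinstance(values, dict):
        return ["'values' must be a JSON object, not a " + type(values).__name__]
    problems = []
    for field in UID_FIELDS:
        uid = values.get(field)
        if not isinstance(uid, str) or not uid:
            problems.append(field + " is missing or not a string")
        elif uid != uid.strip():
            problems.append(field + " has leading or trailing whitespace")
    key = values.get("ObjectKeyAssignment")
    if key is None:
        if assignment_resource:
            problems.append("ObjectKeyAssignment is not filled")
        return problems
    try:
        table, pks = parse_object_key(key)
    except ValueError as exc:
        return problems + [str(exc)]
    want = EXPECTED_PKS.get(table)
    if want is None:
        problems.append("unexpected table in ObjectKeyAssignment: " + table)
    elif len(pks) != want:
        problems.append("%s key has %d PK value(s), expected %d" % (table, len(pks), want))
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE))
```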

  • Thanks. Problem solved. I appreciate all your help!