Identity Manager

Calling Scripts via Application Server RESTful API using Common_StartScripts permission not working


We are trying to call a custom script via the Application Server RESTful API. 

We have made sure that the user who does this has an application role assigned which has the permission group Common_StartScripts. 
This application role also has the permissions groups Common_TriggerEvents and Common_StartCustomizerMethods, and the user can successfully call both events and methods directly via the API. 

When we call the custom script the following error is shown: 

(part of the returned json)

"number": 810323,
      "message": "You are not authorized to run this method.”


We believe the error could be due to the reason that the custom scripts within its code calls the FillOrder method. This is perhaps an issue as this method can only be executed via job server. Perhaps via the API when this script is called it presents this error before even running it? 
Currently we can call the custom script via a process chain which is tied to an Event, and  this event is then called via the API.

Is the above assumption correct or are we missing something?

Any help its greatly appreciated as usual.

Kind regards,


  • You are right that, at least for version 7.0.x, your authenticated user (depending on the authenticator) needs to have the mentioned program function assigned. (Short Name Common_StartScript).

    What's new in 7.1 in regards to the scripts, ist that the REST API will block the execution of script if you script does not have a program function assigned, for security reasons. The authenticated user must be entitled to use the same program function.

    This is an addition to the requirements, that the authenticated user must be entitled to use the program function "Allow the starting of arbitrary scripts from the frontend" in order to execute a script in general.

    Note: To keep things simple, this program function is allowed to be the Common_StartScript program function.

    As a reminder and for completeness, two links around the program functions.

    How to check which program functions are available to the current user?

    How to assign the program functions?

  • Hi Markus

    Thanks again for the quick response.

    I never realised that from 7.1 onwards the script itself needed that program function assigned.
    I have done this but now I receive the following error:

    "This method can only be called internally."

    I believe this may now relate to the FillOrder method I mentioned in the initial post?
  • Question: Do you need to create an already approved and assigned request or do you want to create just a normal one?

    If it should be just a normal request you should create a normal PersonWantsOrg object, assign all properties and save it. Than you have an order like in the web-portal.

    The FillOrder method is required to create a PwO e.g. in state "Assigned". Its designed for an initial load of the IT Shop so, that user do not need to order all their existing products.

    The FillOrder method is also meant to be executed by the JobService. If you start the script directly over the API, the system user used to authenticate needs to  be marked with IsServiceAccount=1.

  • Thanks for the response again Markus
    We will from now on create a normal PersonWantsOrg object and not use the FillOrder method. Previously we thought without using FillOrder an approval would not be triggered.

    The last point of setting IsServiceAccount = 1 would not work for our use case as the person who initially authenticates with the Application server is of Employee type and not System user. But this information is useful nonetheless for future reference.

    Thanks again.
  • Hi again Markus, (Im sure you're already sick of me :P )

    Instead of using the script we are now creating a request directly via the API by creating a record within the PersonWantsOrg table.

    We try a Post request to the PersonWantsOrg table with the following example body:
    "values": {
    "UID_Org": " 5c490797-b3ae-47c5-b2da-f1bc0e9ab675",
    "UID_PersonOrdered": "8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
    "OrderReason":"Test request via api"

    but receive the following error:

    "responseStatus": {
    "message": "This employee Syed, Ashhad (ASHHADS) is not authorized to make requests at this point."

    "number": 2133173

    I had a quick look through the program functions but I can't seem to find any obvious named ones that would allow a user to create a record in the database via the frontend (rest api).

    Any help is as always greatly appreciated.