Calling Scripts via Application Server RESTful API using Common_StartScripts permission not working

Hi,

We are trying to call a custom script via the Application Server RESTful API. 

We have made sure that the user who does this has an application role assigned which has the permission group Common_StartScripts. 
This application role also has the permissions groups Common_TriggerEvents and Common_StartCustomizerMethods, and the user can successfully call both events and methods directly via the API. 

When we call the custom script the following error is shown: 

(part of the returned json)

"number": 810323,
      "message": "You are not authorized to run this method."

 

We believe the error could be because the custom script calls the FillOrder method within its code. This is perhaps an issue, as this method can only be executed via the job server. Perhaps when this script is called via the API, it presents this error before even running it?
Currently we can call the custom script via a process chain which is tied to an Event, and this event is then called via the API.

Is the above assumption correct or are we missing something?

Any help is greatly appreciated as usual.

Kind regards,

Ash

  • You are right that, at least for version 7.0.x, your authenticated user (depending on the authenticator) needs to have the mentioned program function assigned. (Short Name Common_StartScript).

    What's new in 7.1 in regards to the scripts is that the REST API will block the execution of the script if your script does not have a program function assigned, for security reasons. The authenticated user must be entitled to use the same program function.

    This is in addition to the requirement that the authenticated user must be entitled to use the program function "Allow the starting of arbitrary scripts from the frontend" in order to execute a script in general.

    Note: To keep things simple, this program function is allowed to be the Common_StartScript program function.

    As a reminder and for completeness, two links around the program functions.

    How to check which program functions are available to the current user?

    http://documents.software.dell.com/identity-manager/7.1.1/user-guide-for-the-user-interface-and-default-functions/error-search/which-program-functions-are-available-to-the-current-user

    How to assign the program functions?

    http://documents.software.dell.com/identity-manager/7.1.1/configuration-guide/granting-one-identity-manager-schema-permissions/availability-of-certain-functionality

  • In reply to Markus Weiss-Ehlers:

    Hi Markus

    Thanks again for the quick response.

    I never realised that from 7.1 onwards the script itself needed that program function assigned.
    I have done this but now I receive the following error:

    "This method can only be called internally."

    I believe this may now relate to the FillOrder method I mentioned in the initial post?
  • In reply to AshSyed:

    Question: Do you need to create an already approved and assigned request or do you want to create just a normal one?

    If it should be just a normal request, you should create a normal PersonWantsOrg object, assign all properties and save it. Then you have an order like in the web portal.

    The FillOrder method is required to create a PwO e.g. in state "Assigned". It's designed for an initial load of the IT Shop so that users do not need to order all their existing products.

    The FillOrder method is also meant to be executed by the JobService. If you start the script directly over the API, the system user used to authenticate needs to be marked with IsServiceAccount=1.

  • In reply to Markus Weiss-Ehlers:

    Thanks for the response again Markus
    We will from now on create a normal PersonWantsOrg object and not use the FillOrder method. Previously we thought without using FillOrder an approval would not be triggered.

    The last point of setting IsServiceAccount = 1 would not work for our use case as the person who initially authenticates with the Application server is of Employee type and not System user. But this information is useful nonetheless for future reference.

    Thanks again.
    Ash
  • In reply to Markus Weiss-Ehlers:

    Hi again Markus, (I'm sure you're already sick of me :P )

    Instead of using the script we are now creating a request directly via the API by creating a record within the PersonWantsOrg table.

    We try a Post request to the PersonWantsOrg table with the following example body:
    {
    "values": {
    "UID_Org": " 5c490797-b3ae-47c5-b2da-f1bc0e9ab675",
    "UID_PersonInserted":"8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
    "UID_PersonOrdered": "8e93db71-7dc8-4f7f-bb2e-66c1951e85a3",
    "OrderReason":"Test request via api"
    }
    }

    but receive the following error:

    "responseStatus": {
    "message": "This employee Syed, Ashhad (ASHHADS) is not authorized to make requests at this point."
    }

    "number": 2133173



    I had a quick look through the program functions but I can't seem to find any obviously named ones that would allow a user to create a record in the database via the frontend (REST API).

    Any help is as always greatly appreciated.

    Ash

  • In reply to AshSyed:

    Hi Ash,

    Have you verified that you can make/raise the same request for the same product by the same person directly in the IT Shop?

    I have recently seen the exact same error on my current project because the product was marked as 'not available' in Manager.

    HTH, Barry.
  • In reply to Barry Jackson:

    +1

    And Ash, next time please open another thread, as your last post is not related to the original topic of this thread and the thread was already answered. This would help other people find your question when they have the same issue.

    Thank you
  • In reply to Barry Jackson:

    Hi Barry,

    Thanks for the reply, I just checked and in fact 'Not Available' is not marked.
    So at least in my case this is not the issue.

    The person can request this product via the web portal or via the script that's mentioned at the beginning of this thread but doesn't seem to be able to via the RESTful API call.


    Thanks again for your answer though.

     

    Ash