Rally Software

Hi!
I am able to create e.g. Defects via the Web Services API.
When I try to create a Project I always receive the error "Not authorized to create: Project".

Interestingly I can create Projects via the Agile Central GUI without any Problem.

Any hints on what is going on here would be greatly appreciated!
Regards,

Hans

Hi Hans,

Creating projects is only possible for Subscription Admins or Workspace Admins, see:

Set Up Your Teams | CA Agile Central Help 

Considering you are able to create a project from the GUI then you probably are either a sub-admin or a workspace-admin.  Can you please confirm that?

The only explanation why you may get a Not Authorized error from the WS-API is either if you:

- Are using API Keys of another user who isn't a sub-admin or workspace-admin.

- Not using API Keys at all.

Please let us know if that helped.

Thanks,

Sagi

Hi Sagi!

Thank You very much for Your reply!

I am able to create projects from within this GUI:

In the list of all projects I can see that I am "Project Admin" not a "Subscription Admin" and I dont think that I am an "Workspace Admin" either:

I tried using an API Key which I had created with my user in Application Manager and also via OAuth using an "access token". Both operations return the rerror "Not authorized to create: Project".

Do You have any further hint on how to solve this problem `?

Thank You in advance!

Regards,

Hans

Hi Hans,

Yes, indeed it seems you are a Project Admin (not a Workspace or a Subscrption Admin). The projects you can create in the GUI are only Children projects to the project you're administering (as you can tell by the menu screen shot you shared).

I suspect that the authorization error you're receiving with the API is because you're attempting to create a project which isn't a child project to your own. 

I believe you will need to include the 'Parent' field and set it to your own project when trying to create a project using the API, that will make it be a child project to your own and for that you should be authorized.

Please let me know if that helped you resolve. If not, then we'll need to get your actual data and see what it is. I assume that at that point you will not want to provide that data here in the community so please let me know and I'll create a support case and continue working with you.

Yet, please try setting the Parent first, it may help you resolve.

Thanks,

Sagi

Hi Sagi!

Thanx for Your support!

I am sorry that I forgot to mention, that I am alreday sending the "Parent" field within my request-body:

{
"Project": {
"Name": "NEW pesha test project",
"Parent": "/project/238*********",
"Owner": "/user/141*********",
"Workspace":"/workspace/376xxxxxxxx"
}
}

I tried using an API Key and also an OAuthn access token, both return the mentioned error.

I am also in contact with Michael Bulkeley and showed Him my unsuccessful Postman attempts.

Please let me know if I should forward my complete request body to You.

Best regards,

Hans

Hans and Sagi_Gabay,

After meeting with Hans and doing some testing, I believe this is a Defect.  I will file the Defect with the information I have and we'll go from their.  Also, if morky01 has any thoughts on what may be happening, he can add it.

Thanks!

Michael

Hans, Michael:

It's a little complicated, so I hope I can explain this well.

I did try to work this out. What I found is this:

When using a API Key of a Sub-Admin then I can create the project. When I'm using the API Key of a Project Admin then I get a 401 Unauthorized error.

By the way, even when I can create the project , using the Sub-Admin Key, I do need to provide a State field (value: "Open" or "Close") for the project's state. I only mention that cause in your previous JSON snippet it's missing.

Now, when I create the project using the Sub-Admin key, I can set the owner to be the Project Admin username. I will then see the project when logged on as the sub-admin and the owner is the project-admin. Yet, when logged on as the project-admin , I do not see the project. The reason is that we need to Authorize the user and give it a permission with the new project.

When you create a new project from the UI then you have the option to copy users with their permissions, also you have the button to add new/existing users to the project which essentially creates that permissions.

The permission is stored in a separate API object called: "Project Permission" (you can see it in the WSAPI object mode), and so creating the "project" object does not create the "ProjectPermission". So, even when the sub-admin's api-key creates the project and even if setting the project-admin username to be 'owner' the user is still not permitted to this project.

If I then issue a subsequent call using PostMan, and create a ProjectPermission endpoint object associating the username with this new project - then all works. At that point, I can see the project when logged on as the project-admin username.

So here are all the issues around all of this:

1. First, I couldn't find a way in postman to create a 'project' along with 'ProjectPermission' in a single Post/Put command. Perhaps it's possible, but I didn't find such a way. The challenge here is that you need to create the project first to get the ObjectID so that you can use it as a reference in the ProjectPermission. This suggests two transactions. When done in two separate calls , as said , it works. I tried to combine the JSON structure of the two calls into a single one, hoping to create the project and permissions in a single call , it didn't work.

2. Second, going back to what I wrote at the top that when using the Project Admin's api-key then I'm getting a 401 Unauthorized. It seems that the api-key isn't able to create a project even without any permissions. This seems to be a product issue.

morky01 , 

Hopefully you can help us with regard to both these points:

- Is there a way to create a project along with permissions (even if the sub-admin is the creator) ?

- Is it by-design that the project-admin api-key (generated with Full Access) is unable to create even an initial project without permissions?

By the way, it may be the a workspace-admin is behaving like the sub-admin, I didn't try yet. I'll try a workspace-admin api-key as well and let you know.

Thanks,

Sagi 

I just tried with a Workspace Admin api-key. It seems it behaves like the sub-admin , so it works, creates the project, but yet the project-permission needs to be created separately.

As for the project-admin's api-key: It's not a 401 authorization code that I'm getting. I'm actually getting a 200 success return code, but the error seems like an actual Rally application error, it must be a product issue:

Sagi

Hi Sagi, bulmi01!

Thank You for Your efforts and support!

From what You wrote I understand that this problem is probably related to a Bug in Rally.

Obviously there also needs to be a projectpermission object for the owner created, when a new project is created.
This implict action seems to be missing.

I am also in contact with garja11 and he is looking into this issue.

Thanks!

Regards,
Hans