After some time in this community, I am asking my first question.
This may eventually end up as a support case, but I was wondering if anyone has encountered the same before and got around it.
I am moving more and more previous SOAP integrations to REST, but the problem is that I always receive a:
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Date: Mon, 23 Oct 2017 07:56:35 GMT
Content-Type: application/xml
Content-Length: 71
This operation requires Function Access for 'admin' equal to 'Modify'.
when I try to delete an existing valid access_key, whatever level of permissions the user calling the REST API has, and of course the key remains valid until expiration.
My test scenario uses SoapUI and basic authentication (with full admin access type) to get the access key and then just calls a new operation to delete it right after:
Note that I get the same error when trying to use PUT to modify the expiration date.
I must not be the first one encountering this issue, so I am looking forward to your input.
Have a look at what is documented here:
REST HTTP Methods - CA Service Management - 17.0 - CA Technologies Documentation
Somewhere they talk about 'REST_OPERATIONS' which determines what operations can be performed on objects.
Perhaps this can lead you in a positive direction?
Thanks Brian, and yes I have read the doc
rest_access resource
The rest_access resource contains REST API access information for the authenticated users. It is an administrative table and contains the list of users allowed through the REST API.
The following list shows the deviations from the default behavior:
POST: Creates a REST access object and returns access key, secret key and expiration date as part of default values.
GET: Retrieves REST access information (except for secret key).
DELETE: Deletes the REST access object.
PUT: Does not allow updates to secret_key, access_key, and contact due to the Majic WRITE_NEW property.
---------
This REST API example demonstrates how to delete a CA SDM access key.
The following example shows the request:
DELETE /caisd-rest/rest_access/1201703106 HTTP/1.1
Host: hostname
The following example shows the response:
HTTP/1.1 204 No Content
Content-Type: application/xml;charset=UTF-8
Content-Length: 0
I have also verified with bop_sinfo that the REST OPERATION was available there
I understand this is confusing, but the access key is not actually the id of the row. In this situation the id of the row is:
You can see this on the first line of the login response. When you use that as the id and the access key as the X-AccessKey, you should be able to delete it and it should respond with a 204. Please let me know if that works for you. Also notice that if you call it again after the 204, it returns 500, and you will see in the logs that you have an invalid X-AccessKey.
Hi Antony and thanks for your reply.
Fully agree that this is confusing, especially when the documentation shows an access_key in the example, as you can see here: https://docops.ca.com/ca-service-management/17-0/en/reference/ca-service-desk-manager-reference-commands/technical-reference/rest-http-methods#RESTHTTPMethods-ExampleDeleteanAccessKey
That said, using the id was also my first thought to test after the access_key itself failed; however, this is not the problem, as I get exactly the same error when using the id, or at least the error code is misleading.
Note that, as mentioned, a PUT operation to update the expiration_date gives the same error, and I have no problem with any other objects.
I am matching your headers the best I can, but I can't see what the full Content-Type is.
Edit: Nevermind I'm probably unable to reproduce it due to my Function Access having 'Modify'. Let me check.
Edit2: I am unable to reproduce it. What version of SDM are you using including patch level?
I also have Modify on all available functional access areas, even though none relate directly to REST.
Test was on 14.1 CP4
Will try on 12.9 and 17 when back in the office to see if I can reproduce it there too
I have been testing on Rollup #1 and it seems to work. Any chance you would be able to upgrade to Rollup #1?
Are you saying that in 14.1.04 you have Function Access Administration set to Modify for the REST API Role being used by an access type that you are testing, and it's still giving you the permissions error?
Here's my testing so far with 14.1.04 ->
ServiceDesk account had Admin access type with REST API Role to Administrator role.
POST /caisd-rest/rest_access HTTP/1.1
Authorization: Basic c2VydmljZWRlc2s6aW50ZXJPUEAxMjM=
Content-Type: application/xml
Cache-Control: no-cache
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rest_access id="400653" REL_ATTR="400653" COMMON_NAME="433957245">
  <link href="https://******:58553/caisd-rest/rest_access/400653" rel="self"/>
  <access_key>433957245</access_key>
  <expiration_date>1509397874</expiration_date>
</rest_access>
I could delete that fine
DELETE /caisd-rest/rest_access/400653 HTTP/1.1
X-AccessKey: 433957245
Content-Type: application/xml
Cache-Control: no-cache
No problems there.
I made the REST API role for admin access type to L1 Analyst. Repeated the above (with new X-AccessKey / rest_access id of course) and I get the behavior you mentioned:
10/23 17:11:30.552 [http-bio-58553-exec-10] ERROR SDMCRUDServiceImpl 788 This operation requires Function Access for 'admin' equal to 'Modify'.
I changed the function access Admin to modify on the L1 Analyst Role and the error disappeared and I'm able to delete the rest_access keys now.
I'm wondering if there's some data partitions or some custom roles that are causing this side impact for you...
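The id-versus-access_key distinction discussed above, as an added example that is not part of any original post: it parses a rest_access POST response and builds the DELETE that revokes the key, with the row id in the path and the access key in the X-AccessKey header. The host name is a placeholder, and reading expiration_date as Unix epoch seconds is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the POST /caisd-rest/rest_access response
# quoted in the thread; the host name is a placeholder.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rest_access id="400653" REL_ATTR="400653" COMMON_NAME="433957245">
  <link href="https://sdm.example.invalid:58553/caisd-rest/rest_access/400653" rel="self"/>
  <access_key>433957245</access_key>
  <expiration_date>1509397874</expiration_date>
</rest_access>"""


def parse_rest_access(xml_bytes):
    """Return the row id, access key and expiry from a rest_access response."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "rest_access":
        raise ValueError("not a rest_access response")
    row_id = root.get("id")                      # identifies the row in the URL
    access_key = root.findtext("access_key")     # goes in X-AccessKey only
    expires = root.findtext("expiration_date")
    if not (row_id and access_key and expires):
        raise ValueError("response is missing id, access_key or expiration_date")
    if not row_id.isdigit():
        raise ValueError("unexpected row id, refusing to build a URL from it")
    return {"id": row_id, "access_key": access_key,
            "expiration_date": int(expires)}


def is_expired(session, now_epoch):
    """Assumption: expiration_date is Unix epoch seconds."""
    return now_epoch >= session["expiration_date"]


def build_delete_request(session, host):
    """Revoke the key explicitly instead of leaving it valid until expiry."""
    lines = [
        f"DELETE /caisd-rest/rest_access/{session['id']} HTTP/1.1",
        f"Host: {host}",
        f"X-AccessKey: {session['access_key']}",
        "Content-Type: application/xml",
        "", "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    s = parse_rest_access(SAMPLE_RESPONSE)
    print(build_delete_request(s, "sdm.example.invalid"))
```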
Hi Ragu yes this is correct
The user doing the REST call has full admin access type and the corresponding Modify on the admin functional access, but I get the error.
I did try the same on the production instance this morning and I have no problem deleting the key there, so I am trying to identify the difference between the two now.
Interestingly, in Rollup#1, even with the Employee role I am able to delete my rest_access with admin set to None, which I would expect since anyone should be able to log themselves out. Which brings me to an interesting question: what if I were to try to log someone else out even though I had admin set to None? As expected, it can't log them out. To add to this, I tried again with Admin set to Modify and I was able to log out other users. To me this is how I expect it to work. So if what you are seeing in CUM#4 is actually true and you can't log yourself out without Modify for admin, it looks like something was changed in Rollup#1.
yea you're right.... looks like Employee access type works, but when you go to Analyst, it expects something else.
Seems a bit odd.
Finally got it to work, and this was my bad: a different access type between dev and prod.
Thanks everyone for your time there anyway.
Hi Jerome, just saw this post and learnt that you are moving your integrations from SOAP to REST. Great news for me, I suppose. I'm running 14.1 CU 3 on Windows R2 2012
Have you done any integration to add activity log in an Incident or Request ticket? I tried it, but not sure how the XML would be formed. The sample code has example only for Change.
GET on /caisd-rest/chgalg
"<chgalg>" + "<type REL_ATTR=\"LOG\"/>" + "<change_id REL_ATTR=\"400001\"/>" + "<description>Activity Log created from REST API Java Samples code</description>" + "</chgalg>"
Raghu.Rudraraju - your inputs would help too.
Try the below
GET on /caisd-rest/alg
"<alg>" + "<type REL_ATTR=\"LOG\"/>" + "<change_id REL_ATTR=\"400001\"/>" + "<description>Activity Log created from REST API Java Samples code</description>" + "</alg>"
Hope this helps?
Thanks .. so no change in the ["<change_id REL_ATTR=\"400001\"/>"] change_id tag for Incident or Request?
see the body example below:
$data  = '<alg>';
$data .= '<analyst COMMON_NAME="'.$customer.'"/>';
$data .= '<call_req_id REL_ATTR="'.$cr_persid.'"/>';
$data .= '<type REL_ATTR="'.$log_type.'"/>';
$data .= '<description>'.$description.'</description>';
$data .= '</alg>';
Not a Java example, but it gives you the way
Hope this helps
Cool thanks.. I'll try this asap and revert! I was missing the call_req_id tag.
It is working now, thanks Jerome and Brian! Also tested that analyst is not mandatory. If not passed, system will take the user using which rest access key was generated!
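The alg body from the posts above, as an added example that is not code from the thread: it builds the payload with an XML library so that ticket text placed in description is escaped, next to the string-concatenation form for comparison. The function names and the sample persid and description values are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def build_alg_by_concat(cr_persid, log_type, description):
    """String concatenation as in the snippets above: nothing is escaped."""
    return (f'<alg><call_req_id REL_ATTR="{cr_persid}"/>'
            f'<type REL_ATTR="{log_type}"/>'
            f'<description>{description}</description></alg>')


def build_alg_payload(cr_persid, log_type, description, analyst=None):
    """Same body built as a tree; text and attribute values are escaped."""
    alg = ET.Element("alg")
    if analyst is not None:
        # Optional: per the thread, the key's owner is used when omitted.
        ET.SubElement(alg, "analyst", {"COMMON_NAME": analyst})
    ET.SubElement(alg, "call_req_id", {"REL_ATTR": cr_persid})
    ET.SubElement(alg, "type", {"REL_ATTR": log_type})
    ET.SubElement(alg, "description").text = description
    return ET.tostring(alg, encoding="unicode")


def child_tags(payload):
    """Element names directly under <alg>, as the server's parser would see them."""
    return [child.tag for child in ET.fromstring(payload)]


# Constructed inputs: a persid placeholder and two user-supplied descriptions.
TICKET = "cr:400001"
PLAIN = "Disk usage < 10% & falling"
MARKUP = 'x</description><analyst COMMON_NAME="other"/><description>y'

if __name__ == "__main__":
    # Escaped form: the description stays one text node.
    print(child_tags(build_alg_payload(TICKET, "LOG", MARKUP)))
    # Concatenated form: the same text becomes extra elements.
    print(child_tags(build_alg_by_concat(TICKET, "LOG", MARKUP)))
    try:
        ET.fromstring(build_alg_by_concat(TICKET, "LOG", PLAIN))
    except ET.ParseError as exc:
        print("concatenated body is not well-formed:", exc)
```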