CA Service Management


SDM 14.1 REST API - Delete access_key

  • 1.  SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 04:44 AM

    Hello everyone,

    After some time in this community, I am asking my first question.

    This may eventually end up as a support case, but I was wondering if anyone has encountered the same issue before and got around it.

    I am moving more and more of my previous SOAP integrations to REST, but the problem is that I always receive a:

    HTTP/1.1 401 Unauthorized
    Server: Apache-Coyote/1.1
    Date: Mon, 23 Oct 2017 07:56:35 GMT
    Content-Type: application/xml
    Content-Length: 71

    This operation requires Function Access for 'admin' equal to 'Modify'.

    when I try to delete an existing valid access_key, whatever level of permissions the user calling the REST API has, and of course the key remains valid until expiration.

    My test scenario is using SOAPUI and basic authentication (with full admin access type) to get the access key and just call a new operation to delete right after:

     

     

    Note that I have the same error when trying to use PUT to modify the expiration date.

    I must not be the first one encountering this issue, so I am looking forward to your input.

     

    /J



  • 2.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 07:38 AM

    Hi Jerome,

     

    Have a look at what is documented here:

     

    REST HTTP Methods - CA Service Management - 17.0 - CA Technologies Documentation 

     

    Somewhere they talk about 'REST_OPERATIONS' which determines what operations can be performed on objects.

     

    Perhaps this can lead you in a positive direction?

     

    ===

    Kind Regards,

    Brian



  • 3.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 01:02 PM

    Thanks Brian, and yes I have read the doc

    rest_access resource

    The rest_access resource contains REST API access information for the authenticated users. It is an administrative table and contains the list of users allowed through the REST API.

    The following list shows the deviations from the default behavior:

    • POST
      Creates a REST access object and returns access key, secret key and expiration date as part of default values.
    • GET
      Retrieves REST access information (except for secret key).
    • DELETE
      Deletes the REST access object.
    • PUT
      Does not allow updates to secret_key, access_key, and contact due to the Majic WRITE_NEW property.

     

    ---------

     

    This REST API example demonstrates how to delete a CA SDM access key.

    The following example shows the request:

    DELETE /caisd-rest/rest_access/1201703106 HTTP/1.1
    Host: hostname


    The following example shows the response:

    HTTP/1.1 204 No Content
    Content-Type: application/xml;charset=UTF-8
    Content-Length: 0

    I have also verified with bop_sinfo that the REST OPERATION was available there

    Thanks

    /J



  • 4.  Re: SDM 14.1 REST API - Delete access_key
    Best Answer

    Posted Oct 23, 2017 09:34 AM

    Hi Jerome,

     

    I understand this is confusing, but the access key is not actually the id of the row. In this situation the id of the row is:

     

    405339

     

    You can see this on the first line of the login response. When you use that as the id and the access key as the X-AccessKey, you should be able to delete it and it should respond with a 204. Please let me know if that works for you. Also notice that if you call it again after the 204 it returns 500, and you will see in the logs that you have an invalid X-AccessKey.



  • 5.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 12:56 PM

    Hi Antony and thanks for your reply.

     

    Fully agree that this is confusing, especially when the documentation shows an access_key in the example, as you can review here: https://docops.ca.com/ca-service-management/17-0/en/reference/ca-service-desk-manager-reference-commands/technical-reference/rest-http-methods#RESTHTTPMethods-ExampleDeleteanAccessKey

    That said, using the id was my first thought too, to test after the access_key itself was failing; however, this is not the problem, as I get exactly the same error when using the id, or at least the error code is misleading.

    Note that, as mentioned, a PUT operation to update the expiration_date gives the same error, and I have no problem with any other objects.

     

    /J



  • 6.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 01:58 PM

    I am matching your headers as best I can, but I can't see what the full Content-Type is.

    Edit: Never mind, I'm probably unable to reproduce it due to my Function Access having 'Modify'. Let me check.

     

    Edit2: I am unable to reproduce it. What version of SDM are you using including patch level?



  • 7.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 02:24 PM

    Hi,

    I also have Modify on all available functional access, even if none relate directly to REST.

    Test was on 14.1 CP4

    Will try on a 12.9 and 17 when back at the office to see if I can reproduce it there too

    /J



  • 8.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 23, 2017 05:00 PM

    I have been testing on Rollup #1 and seems to work. Any chance you would be able to upgrade to Rollup #1?



  • 9.  Re: SDM 14.1 REST API - Delete access_key

    Broadcom Employee
    Posted Oct 23, 2017 05:22 PM

    Hey Jerome,

     

    Are you saying that in 14.1.04 you have Function Access Administration set to Modify for the REST API Role being used by an access type that you are testing, and it's still giving you the permissions error?

     

    Here's my testing so far with 14.1.04 -> 

    ServiceDesk account had Admin access type with REST API Role to Administrator role. 

     

    POST /caisd-rest/rest_access HTTP/1.1
    Authorization: Basic c2VydmljZWRlc2s6aW50ZXJPUEAxMjM=
    Content-Type: application/xml
    Cache-Control: no-cache

    <rest_access></rest_access>

     

    Response:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <rest_access id="400653" REL_ATTR="400653" COMMON_NAME="433957245">
    <link href="https://******:58553/caisd-rest/rest_access/400653" rel="self"/>
    <access_key>433957245</access_key>
    <expiration_date>1509397874</expiration_date>
    </rest_access>

     

    I could delete that fine

     

    DELETE /caisd-rest/rest_access/400653 HTTP/1.1
    X-AccessKey: 433957245
    Content-Type: application/xml
    Cache-Control: no-cache

    <rest_access>
    </rest_access>

     

     

    No problems there.

     

     

    I made the REST API role for admin access type to L1 Analyst. Repeated the above (with new X-AccessKey / rest_access id of course) and I get the behavior you mentioned:

     

    10/23 17:11:30.552 [http-bio-58553-exec-10] ERROR SDMCRUDServiceImpl 788 This operation requires Function Access for 'admin' equal to 'Modify'.

     

    I changed the function access Admin to modify on the L1 Analyst Role and the error disappeared and I'm able to delete the rest_access keys now.

     

     

    I'm wondering if there's some data partitions or some custom roles that are causing this side impact for you...

     

     

    _R
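
The id-versus-access_key distinction from the answers above, as an added Python example (not code from the posts or from CA). It parses a login response of the shape shown in the thread, builds the DELETE against the row id with the key in X-AccessKey, and maps the status codes reported in the thread; the function names and the host placeholder are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the login response posted in the thread,
# with the masked host replaced by a placeholder.
LOGIN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rest_access id="400653" REL_ATTR="400653" COMMON_NAME="433957245">
<link href="https://sdm.example.invalid:58553/caisd-rest/rest_access/400653" rel="self"/>
<access_key>433957245</access_key>
<expiration_date>1509397874</expiration_date>
</rest_access>"""

def parse_login(xml_bytes):
    """Return (row_id, access_key); the two are different values."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "rest_access":
        raise ValueError("not a rest_access document")
    row_id = root.get("id")                      # identifies the row in the URL
    access_key = root.findtext("access_key")     # authenticates the caller
    if not (row_id and row_id.isdigit() and access_key):
        raise ValueError("missing id or access_key")
    return row_id, access_key

def build_logout(row_id, access_key):
    """DELETE targets the row id; the access key goes only in the header."""
    path = "/caisd-rest/rest_access/" + row_id
    headers = {"X-AccessKey": access_key, "Content-Type": "application/xml"}
    return "DELETE", path, headers

def classify(status, body=""):
    """Map the outcomes reported in the thread to a reason an operator can act on."""
    if status == 204:
        return "revoked"
    if status == 401 and "Function Access for 'admin'" in body:
        # The role behind the key lacks Modify on the 'admin' function access.
        return "role-lacks-admin-modify"
    if status == 500:
        # Per the thread: repeating the DELETE with the now-invalid key.
        return "key-already-invalid"
    return "unexpected"

if __name__ == "__main__":
    print(build_logout(*parse_login(LOGIN_RESPONSE)))
```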



  • 10.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 24, 2017 06:13 AM

    Hi Ragu yes this is correct

    The user doing the REST call has full admin access type and corresponding Modify on the admin functional access, but I get the error.

    I did try the same on the production instance this morning and I have no problem deleting the key there, so I am trying to identify the difference between the two now.

     

    response:

    Date: Tue, 24 Oct 2017 10:06:54 GMT
    #status#: HTTP/1.1 204 No Content
    Server: Apache-Coyote/1.



  • 11.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 24, 2017 09:30 AM

    Hi Raghu,

     

    Interestingly, in Rollup#1, even with the Employee role I am able to delete my rest_access with admin set to None, which I would expect since anyone should be able to log themselves out. Which brings me to an interesting question: what if I was to try and log someone else out even though I had admin set to None? As expected, it can't log them out. To add to this, I tried again with Admin set to Modify and I was able to log out other users. To me this is how I expect it to work. So if what you are seeing in CUM#4 is actually true and you can't log yourself out without Modify for admin, it looks like something was changed in Rollup#1.



  • 12.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 24, 2017 09:34 AM

    Interesting...



  • 13.  Re: SDM 14.1 REST API - Delete access_key

    Broadcom Employee
    Posted Oct 24, 2017 01:14 PM

    Yeah, you're right... looks like Employee access type works, but when you go to Analyst, it expects something else.

     

    Seems a bit odd.

     

    _R



  • 14.  Re: SDM 14.1 REST API - Delete access_key

    Posted Oct 26, 2017 08:41 AM

    Finally made it work; this was my bad, a different access type between dev and prod.

    Thanks everyone for your time there anyway.

    /J



  • 15.  Re: SDM 14.1 REST API - Delete access_key

    Posted Nov 15, 2017 04:40 AM

    Hi Jerome, just saw this post and learnt that you are moving your integrations from SOAP to REST. Great news for me, I suppose. I'm running 14.1 CU 3 on Windows R2 2012.

     

    Have you done any integration to add activity log in an Incident or Request ticket? I tried it, but not sure how the XML would be formed. The sample code has example only for Change. 

    GET on /caisd-rest/chgalg

    PAYLOAD: 

    "<chgalg>" +
    "<type REL_ATTR=\"LOG\"/>" +
    "<change_id REL_ATTR=\"400001\"/>" +
    "<description>Activity Log created from REST API Java Samples code</description>" +
    "</chgalg>"

     

    Raghu.Rudraraju - your inputs would help too.

     

    Thanks!

    Abhishek



  • 16.  Re: SDM 14.1 REST API - Delete access_key

    Posted Nov 15, 2017 04:46 AM

    Hi Abhishek,

     

    Try the below

     

    GET on /caisd-rest/alg

    PAYLOAD: 

    "<alg>" +
    "<type REL_ATTR=\"LOG\"/>" +
    "<change_id REL_ATTR=\"400001\"/>" +
    "<description>Activity Log created from REST API Java Samples code</description>" +
    "</alg>"

     

    Hope this helps?

     

    ===

    Kind Regards,

    Brian



  • 17.  Re: SDM 14.1 REST API - Delete access_key

    Posted Nov 15, 2017 04:51 AM

    Thanks .. so no change in the ["<change_id REL_ATTR=\"400001\"/>"] change_id tag for Incident or Request?



  • 18.  Re: SDM 14.1 REST API - Delete access_key

    Posted Nov 15, 2017 05:03 AM

    See the body example below:

    $data  = '<alg>';
    $data .= '<analyst COMMON_NAME="'.$customer.'"/>';
    $data .= '<call_req_id REL_ATTR="'.$cr_persid.'"/>';
    $data .= '<type REL_ATTR="'.$log_type.'"/>';
    $data .= '<description>'.$description.'</description>';
    $data .= '</alg>';

    Not a Java example, but it gives you the way

    Hope this helps

    /J



  • 19.  Re: SDM 14.1 REST API - Delete access_key

    Posted Nov 15, 2017 05:07 AM

    Cool thanks.. I'll try this asap and revert! I was missing the call_req_id tag.

     

    GET on /caisd-rest/alg

    PAYLOAD:

    $data  = '<alg>';
    $data .= '<analyst COMMON_NAME="'.$customer.'"/>';
    $data .= '<call_req_id REL_ATTR="'.$cr_persid.'"/>';
    $data .= '<type REL_ATTR="'.$log_type.'"/>';
    $data .= '<description>'.$description.'</description>';
    $data .= '</alg>';



  • 20.  Re: SDM 14.1 REST API - Delete access_key

    Posted Nov 17, 2017 03:14 AM

    It is working now, thanks Jerome and Brian! Also tested that analyst is not mandatory. If not passed, the system will take the user with which the REST access key was generated!
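
The alg body from the posts above, as an added Python example (not code from the thread or from CA). It sets the concatenated form beside one built with an XML serializer, so that ticket text containing markup stays data, and it makes analyst optional as the last post reports; the function names and the sample persistent id are assumptions.

```python
import xml.etree.ElementTree as ET

def naive_alg(call_req_persid, log_type, description):
    # String concatenation, as in the body posted above: any markup in a
    # field becomes markup in the document sent to the API.
    return ('<alg><call_req_id REL_ATTR="%s"/><type REL_ATTR="%s"/>'
            '<description>%s</description></alg>'
            % (call_req_persid, log_type, description))

def build_alg(call_req_persid, log_type, description, analyst=None):
    """Build the <alg> body with every value escaped by the serializer."""
    if not call_req_persid or not log_type:
        raise ValueError("call_req_id and type are required")
    alg = ET.Element("alg")
    if analyst is not None:
        # Optional: per the thread, the owner of the access key is used if omitted.
        ET.SubElement(alg, "analyst", COMMON_NAME=analyst)
    ET.SubElement(alg, "call_req_id", REL_ATTR=call_req_persid)
    ET.SubElement(alg, "type", REL_ATTR=log_type)
    ET.SubElement(alg, "description").text = description
    return ET.tostring(alg, encoding="unicode")

if __name__ == "__main__":
    # Constructed input: a description that carries its own tags.
    text = 'done</description><type REL_ATTR="RE"/><description>'
    print(naive_alg("cr:400001", "LOG", text))   # two <type> elements
    print(build_alg("cr:400001", "LOG", text))   # one <type>, text escaped
```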