
Access EIC REST API as user without ROLE_ADMIN

MarkHancock
New Contributor III

Hi,

Should it be possible to access the EIC REST API as a user that doesn't have the ROLE_ADMIN SAV Role?

I only want the user to be able to list users, create users, and update users. If I give the user the ROLE_ADMIN SAV role it works; everything else I've tried fails with a "403 – Forbidden" error. (Note: Authentication works and I can get the access token; it is on subsequent requests that I get a 403 error.)

In the end I copied the ROLE_ADMIN role exactly and gave this to the user but it still doesn't work.

I also tried setting the "Restrict API access based on SAV Role" settings under "API Configurations" to TRUE then FALSE but this didn't make any difference. (I'm not sure what this setting is even supposed to do.)

 


rushikeshvartak
All-Star

You can create a custom SAV Role with the required Web Service Access.

If you have already created one, please share a screenshot of the access added.

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

I had already added all 323 entries and it still didn't work. Screenshot showing all 323 entries and pop-up showing there are no more I can add:

[Screenshot: MarkHancock_0-1665562722001.png]

When I authenticate to the API I can see the user has the right role (ROLE_ADMIN -COPY):

    "username": "servicenoweciapi",
    "roles": [
        "ROLE_ADMIN -COPY",
        "ROLE_SAV_ENDUSER",
        "ROLE_SERVICENOW"
    ],

The first entry I can see in the logs is the 403 response:

2022-10-12T08:19:46.324304647Z stdout F 212.229.164.165 - - [12/Oct/2022:08:19:46 +0000] "GET /ECM/api/v5/user?q=accountExpired:0 HTTP/1.1" 403 431 "-" "PostmanRuntime/7.29.2" 2793 0.008 [default-ecm-8080] [] 192.86.0.93:8080 431 0.008 403 e0c3b42ce389bba7df00dd4d025e2168

 

 

 

Try keeping only one custom role on the user.


Regards,
Rushikesh Vartak

Same error with:

 

    "username": "servicenoweciapi",
    "roles": [
        "ROLE_ADMIN -COPY"
    ],
 

This is the response I get in Postman:

<!doctype html><html lang="en"><head><title>HTTP Status 403 – Forbidden</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1></body></html>

 

 

Please share the transport zip.

I know web access APIs are not exported, but I need to validate.


Regards,
Rushikesh Vartak

Attached.

This has sorted itself out. It looks like there might be some caching going on as it suddenly started working, then when I changed the "Web Service Access" list the changes didn't take effect until an application reset.
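
Added example, not part of the thread: the access-log line quoted above has the field layout of the ingress-nginx default log format (an assumption; the thread does not name the proxy), in which the second-to-last field is the status returned by the upstream. This Python parser uses that field to tell a 401/403 issued by the backend application from one issued by the proxy itself; the sample lines, addresses and request ids are constructed.

```python
import re

# Optional Kubernetes CRI prefix ("<timestamp> stdout F "), then the fields of the
# ingress-nginx default access-log layout (assumed; the thread does not name it).
LINE_RE = re.compile(
    r'^(?:\S+ std(?:out|err) [FP] )?'
    r'(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<sent>\d+) "[^"]*" "(?P<agent>[^"]*)" '
    r'(?P<req_len>\d+) (?P<req_time>[\d.]+) '
    r'\[(?P<upstream_name>[^\]]*)\] \[[^\]]*\] '
    r'(?P<upstream_addr>\S+) (?P<up_len>\S+) (?P<up_time>\S+) '
    r'(?P<upstream_status>\S+) (?P<req_id>\S+)$'
)

def classify(line):
    """Parse one access-log line and say which layer produced a 401/403."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    status = m["status"]
    if status not in ("401", "403"):
        origin = None              # not a denial
    elif m["upstream_status"] == status:
        origin = "application"     # the backend itself answered 401/403
    else:
        origin = "ingress"         # denied before the request reached the backend
    return {"path": m["target"].split("?", 1)[0], "status": int(status),
            "origin": origin, "upstream": m["upstream_name"], "req_id": m["req_id"]}

def denials(lines):
    """Return parsed records for denied requests only, skipping unparsable lines."""
    parsed = (classify(line) for line in lines)
    return [rec for rec in parsed if rec and rec["origin"]]

# Constructed sample lines (documentation/private addresses, made-up request ids).
SAMPLE = [
    '2022-10-12T08:19:46.324Z stdout F 203.0.113.10 - - [12/Oct/2022:08:19:46 +0000] "GET /ECM/api/v5/user?q=accountExpired:0 HTTP/1.1" 403 431 "-" "PostmanRuntime/7.29.2" 2793 0.008 [default-ecm-8080] [] 10.0.0.5:8080 431 0.008 403 req-0001',
    '2022-10-12T08:20:02.101Z stdout F 203.0.113.10 - - [12/Oct/2022:08:20:02 +0000] "GET /ECM/api/v5/user HTTP/1.1" 403 146 "-" "curl/8.0.1" 120 0.000 [default-ecm-8080] [] - - - - req-0002',
    '2022-10-12T09:05:10.500Z stdout F 203.0.113.10 - - [12/Oct/2022:09:05:10 +0000] "GET /ECM/api/v5/user?q=accountExpired:0 HTTP/1.1" 200 5120 "-" "PostmanRuntime/7.29.2" 2793 0.120 [default-ecm-8080] [] 10.0.0.5:8080 5120 0.119 200 req-0003',
]

if __name__ == "__main__":
    for rec in denials(SAMPLE):
        print(rec["status"], rec["origin"], rec["path"], rec["req_id"])
```

An "application" result means the request passed the proxy and was refused by the backend, which points the investigation at role and Web Service Access configuration rather than at network or ingress rules.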