Why Do I Get an Access Denied Error for an API Method Call?
Symptoms
During application runtime, one of these exceptions occurs:
Access Denied. This action requires access right of 'Mark Automatic Work Item Completion'
Access Denied. This action requires access right of 'Allow to execute QueryDatabase() and QueryDatabaseEx()'
Access Denied. This action requires access right of 'Save or Remove Temporary File'
Cause
This exception occurs under these conditions:
- AgilePoint NX OnPremises or AgilePoint NX Private Cloud.
- In the AgilePoint Server
netflow.cfg file, trustedAuthorization is set to False.
By default, trustedAuthorization is set to True.
- One of these API methods executes, but the associated
access right
is deselected (disabled) for all
roles assigned to
the API authentication account:
Method Name Access Control Description CompleteProcedure() Mark Automatic Work Item Completion If trustedAuthorization is set to False, and the Mark Automatic Work Item Completion access right is deselected for all roles assigned to the API authentication account, this account can not make API method calls for Complete Procedure. QueryDatabase() Allow to Execute QueryDatabase() and QueryDatabaseEx() If trustedAuthorization is set to False, and the Allow to Execute QueryDatabase() and QueryDatabaseEx() access right is deselected for all roles assigned to the API authentication account, this account can not make API method calls for Query Database. QueryDatabaseEx() Allow to Execute QueryDatabase() and QueryDatabaseEx() If trustedAuthorization is set to False, and the Allow to Execute QueryDatabase() and QueryDatabaseEx() access right is deselected for all roles assigned to the API authentication account, this account can not make API method calls for Query Database (Extended Method). SaveTemporaryFile() Save, Remove Temporary File If trustedAuthorization is set to False, and the Save, Remove Temporary File access right is deselected for all roles assigned to the API authentication account, this account can not make API method calls for Save Temporary File. RemoveTemporaryFile() Save, Remove Temporary File If trustedAuthorization is set to False, and the Save, Remove Temporary File access right is deselected for all roles assigned to the API authentication account, this account can not make API method calls for Remove Temporary File.
There are 2 ways to resolve this issue. You can either turn on trustedAuthorization, or you can enable the necessary access controls for a role associated with the API authentication account. It is not necessary to do both procedures.
Resolution Option 1: Turn on trustedAuthorization
To turn on trustedAuthorization, do this procedure, do the procedure in this topic.
How to Start
- On the AgilePoint Server machine, in a text editor, open the file netflow.cfg.
Procedure
- In the trustedAuthorization attribute, change the value to True.
Field Name Definition trustedAuthorization
- Function:
- Specifies whether API calls are trusted. If this setting is turned off, API calls
that can pose special security risks require additional
access rights
for
authorization.
By default, this setting is configured as True (turned on). However, if your organization does not use APIs to access AgilePoint NX, or you want to restrict the access these specific methods due to security risks, you can configure this setting to False.
- Accepted Values:
-
- True - The API authentication account
does not require a role with special
access controls for any API methods, other than the access controls
that are normally required to make API calls.
This setting means that API calls are made from a trusted system.
- False - These API methods are restricted:
- Complete Procedure
- Save Temporary File
- Remove Temporary File
- Query Database
- Query Database (Extended)
If trustedAuthorization is set to False, these methods can be enabled individually with access controls. For complete information, including settings, access controls, and troubleshooting, refer to Why Do I Get an Access Denied Error for an API Method Call?.
- True - The API authentication account
does not require a role with special
access controls for any API methods, other than the access controls
that are normally required to make API calls.
- Default Value:
- True
- Example:
- <server trustedAuthorization="False" ... />
Resolution Option 2: Enable Access Controls
To enable the access rights for the API methods that are restricted with trustedAuthorization is turned off, do the procedure in this topic.
Good to Know
- The appropriate access rights must be enabled for a role that is associated with the API authentication account. You can either change an existing role, or you can create a role specifically for this purpose, and then add the role to the API user. This procedure assumes you want to add this access control to an existing role.
For more information, refer to:
How to Start
- In the Manage Center, click Access Control > Roles.
- On the Roles screen, select a role associated with the API authentication account, and click Expand.
- Click Edit .
- Click the Access Rights tab.
Procedure
- Do one or more of these procedures to enable the access controls you want:
- To enable the Complete Procedure method:
- Click the Process tab.
- Select Mark Automatic Work Item Completion.
Field Name Definition Complete System Activities (Automated Tasks)
- Function:
- Specifies whether the Complete Automatic Work Item and Complete Procedure API methods can execute if trustedAuthorization is set to False on the AgilePoint Server.
- Limitations:
- This access right only applies in these conditions:
- AgilePoint NX OnPremises or AgilePoint NX Private Cloud.
- In the AgilePoint Server netflow.cfg file,
trustedAuthorization is set to False.
By default, trustedAuthorization is set to True. As such, this access control only applies if this configuration setting is changed on the AgilePoint Server.
- A system activity
or custom AgilePart runs.
More specifically, this access control tends to affect asynchronous type system activities, which must wait for input from an external system, such as a database or cloud-based service. If both trustedAuthorization and the Mark Automatic Work Item Completion access control are turned off (deselected or set to False), and the Complete Automatic Work Item method is called (usually from an API application), asynchronous activities may throw an Access Denied exception.
- System activities do not require intervention from human users. Therefore, this access control usually applies to either a user account associated with an API method call, or the AgilePoint Service Account. The Service Account is sometimes also used for API applications.
- Accepted Values:
- Selected - If trustedAuthorization is
set to False, the Complete Automatic Work Item API method can execute.
This setting has no effect in these cases:
- trustedAuthorization is set to True
- A human task activity or AgileWork runs
- Deselected - If trustedAuthorization is
set to False, access to the Complete Automatic Work Item API method
is denied.
For more information, refer to Why Do I Get an Access Denied Error for an API Method Call?
- Selected - If trustedAuthorization is
set to False, the Complete Automatic Work Item API method can execute.
- Default Value:
- Deselected
- To enable the Query Database and Query Database (Extended) methods:
- Click the Process tab.
- Select Allow to Execute QueryDatabase() and QueryDatabaseEx().
Field Name Definition Allow to Execute QueryDatabase() and QueryDatabaseEx()
- Function:
- Specifies whether the Query Database and Query Database (Extended Method) API methods can execute if trustedAuthorization is set to False on the AgilePoint Server.
- Limitations:
- This access right only applies in these conditions:
- AgilePoint NX OnPremises or AgilePoint NX Private Cloud.
- In the AgilePoint Server netflow.cfg file,
trustedAuthorization is set to False.
By default, trustedAuthorization is set to True. As such, this access control only applies if this configuration setting is changed on the AgilePoint Server.
- Accepted Values:
- Selected - If trustedAuthorization is
set to False,
the Query Database and Query Database (Extended Method) API method can execute.
This setting has no effect in these cases:
- trustedAuthorization is set to True
- A human task activity or AgileWork runs.
- Deselected - If trustedAuthorization is
set to False,
access to the Query Database and Query Database (Extended Method) API method
is denied.
For more information, refer to Why Do I Get an Access Denied Error for an API Method Call?
- Selected - If trustedAuthorization is
set to False,
the Query Database and Query Database (Extended Method) API method can execute.
- Default Value:
- Deselected
- To enable the Save Temporary File method:
- Click the Applicaiton Builder tab.
- Select Save, Remove Temporary File.
Field Name Definition Save and Remove Temporary Files (API)
- Function:
- Specifies whether the Save Temporary File and Remove Temporary File API methods can execute if trustedAuthorization is set to False on the AgilePoint Server.
- Limitations:
- This access right only applies in these conditions:
- AgilePoint NX OnPremises or AgilePoint NX Private Cloud.
- In the AgilePoint Server netflow.cfg file,
trustedAuthorization is set to False.
By default, trustedAuthorization is set to True. As such, this access control only applies if this configuration setting is changed on the AgilePoint Server.
- Accepted Values:
- Selected - If trustedAuthorization is
set to False,
the Save Temporary File and Remove Temporary File API method can execute.
This setting has no effect in these cases:
- trustedAuthorization is set to True
- Deselected - If trustedAuthorization is
set to False,
access to the Save Temporary File and Remove Temporary File API method
is denied.
For more information, refer to Why Do I Get an Access Denied Error for an API Method Call?
- Selected - If trustedAuthorization is
set to False,
the Save Temporary File and Remove Temporary File API method can execute.
- Default Value:
- Deselected
- To enable the Complete Procedure method:
Related Topics
- AgilePoint Server Configuration in netflow.cfg - trustedAuthorization configuration.
- Edit Role > Access Rights > Apps tab - Mark Automatic Work Item Completion access control.
- Add Role > Configure Access Rights > App Builder tab - Save, Remove Temporary File and Allow to Execute QueryDatabase() and QueryDatabaseEx() access controls.
- Complete Automatic Work Item (Task) - REST API method.
- Query Database - REST API method.
- Query Database - Web Services API method.
- Complete Procedure - Web Services API method.
- Query Database (Extended Method) - Web Services API method.