OSLC API Rest permission vs Project Admin Access Permission
6 answers
The "user" for APIs must (non-optional!) have a license for the application and if not JazzAdmin/ProjectAdmin then they must have permission to access, e.g. if Access Control is set to default "Members of the Project Area hierarchy" then by being a member of the project or having Access Control set differently then that controls their access.
- Read access to artifacts owned by a project area. These are determined by the project area permissions. For example, a common setting is to restrict access to members of the project area.
- Process permissions associated with roles granted to a user. These are associated with operations performed on artifacts. In general, if you don't have read access to an artifact, you won't be able to perform any actions on it.
Comments
The project admin who owns the project area provided access to me and I am able to run my APIs successfully. The same APIs are throwing access issues to the project admin. Why can't the project area owner access the APIs?
Check what the project admin's role in the project permits (compared to what your role in the project permits); that is David's point 2.
A project area admin only has permission to change the project area properties. It does not, by itself, affect read access or process permissions for operations on artifacts owned by that project area.
With respect to what a user can see and do, a lot of users have a big misconception about administrative stuff.
The ProjectAreaAdmin repository role only has the administrative override capability to create and manage project areas and create and give themselves roles. Unlike the JazzAdmin repository role it does not give visibility to all data. This repository role exists so that someone can create and manage project areas without full administrative access.
So forget the repository role if you look at which user can access or see what. Unless you have the JazzAdmin repository role, you might not be able to see all data because ownership and visibility applies to you.
Also note that SCM data is accessible across project areas and has its own ownership and visibility. You might be a member of a project area, but would still have no access to certain SCM data, because its visibility is limited to the owner or something else.
I work with Tomi. I want to provide the following context to help identify what "elevated" permission User A has. We need to set up User B to be able to run the same automation using OSLC API calls.
| | User A | User B |
|---|---|---|
| Member of the project | No | Yes |
| Admin of the project | No | Yes |
| Access via web | Yes | Yes |
| OSLC API Calls | No issue | Permission error |
Comments
So far, the OP has not provided any specifics of the API request being made, such as URI, headers, request body, or the response including headers and body.
Also remember that for REST requests, the authenticated user is what drives both read access and process permissions.
TOMI MOOLAN SOURU, please provide the API call that threw the exception, the error code and message
- Provide complete call, with methods and headers, provide detailed error message, return codes, headers and response body
- Provide which project area owns the work item
- Provide the access control of the project area.
- Is read access by category configured? Provide access context in this case and membership of users in the access context
- Provide the filed against process area.
- Provide the Repository Permissions for both of the users.
- Provide complete call, with methods and headers, provide detailed error message, return codes, headers and response body
We make a call to the following URL
Code Snippet
baselinesURL="https://rqm-qm-tpd.gm.com:9443/qm/oslc_config/resources/com.ibm.team.vvc.Configuration";
catalogUrl = UriBuilder.fromUri(baselinesURL).build();
Resource resource = oslcRestClient1.getRestClient().resource(catalogUrl)
    .accept(OslcMediaType.APPLICATION_RDF_XML);
ClientResponse baselineResponse = oslcRestClient1.httpAuthorizedGet(resource);
Response for Project Admin Users
<oslc:Error ns13:type="oslc:Error" rdf:about="https://rqm-qm-tpd.gm.com:9443/qm/oslc_config/resources/com.ibm.team.vvc.Configuration" xmlns:ns13="http://www.w3.org/2001/XMLSchema-instance">
<oslc:statusCode>403</oslc:statusCode>
<oslc:message>CRJAZ1316E The user "WZWJGD" does not have permission to read item "_y0_Fcio6EeSuga98NCVxjQ", which has the "ProjectArea" item type.</oslc:message>
<rqm_qm:clientLocale>en-us</rqm_qm:clientLocale>
</oslc:Error>
- Provide which project area owns the work item
https://rqm-qm-tpd.gm.com:9443/qm/admin#action=com.ibm.team.process.editProjectArea&itemId=_y0_Fcio6EeSuga98NCVxjQ
- Provide the access control of the project area.
Process Sharing
Specify how to share the process configuration between project areas:
(x) Do not share the process configuration of this project area
( ) Allow other project areas to use the process configuration from this project area
( ) Use the process configuration from another project area for this project area
Members
Roles grant users permissions and determine the preconditions and follow-up actions that run. Roles assigned here are inherited in all team areas within this project area. All users in the repository have the Everyone role whether they are a member or not.
0 - 0 of 0
No members selected
Name | Process Roles
Administrators
If you require permissions, contact an administrator. Project administrators can modify and save this project area and its team areas.
Name | E-mail
Associations
- Is read access by category configured? Provide access context in this case and membership of users in the access context
- Provide the filed against process area.
- Provide the Repository Permissions for both of the users.
Will not fit a comment, so as an answer.
CRJAZ1316E The user "WZWJGD" does not have permission to read item "_y0_Fcio6EeSuga98NCVxjQ", which has the "ProjectArea" item type.
indicates that the server considers that the user "WZWJGD" does not have read access to the project area with the UUID "_y0_Fcio6EeSuga98NCVxjQ". To identify the project area open a project area administration editor e.g. https://elm.example.com:3443/ccm/admin#action=com.ibm.team.process.editProjectArea&itemId=_3Y9RoNqLEe2g2qpoLvIiXA . Now replace the UUID with the one above and refresh. You can also just open each project area in administration until you find the one with the UUID.
For the project area open Access Control
For both users if Access Control is one of the settings "Members of...." open the Overview tab and make sure that both users are a member of the project area. Being in the Admins group should work as well, but I would suggest you make sure both are in the Members group. The membership of the Admin group in the project area only contributes to being part of the project area hierarchy but does not elevate you in any case.
If Access Control is based on access groups make sure the users are in the selected access control group.
Check if the Access control shows in the work item editor Title section.
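The lookup described in the answer above, as an added example that is not part of the original thread or of any product tooling: it pulls the status code, user, item UUID and item type out of an `oslc:Error` body and builds the project area administration URL to open. The sample body is constructed from the error quoted in this thread with a placeholder host; the function name `triage`, the 23-character UUID pattern and the use of the first path segment as the application context root are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample: the error quoted in this thread, with a placeholder host.
SAMPLE_ERROR = """<oslc:Error rdf:about="https://elm.example.com:9443/qm/oslc_config/resources/com.ibm.team.vvc.Configuration">
<oslc:statusCode>403</oslc:statusCode>
<oslc:message>CRJAZ1316E The user "WZWJGD" does not have permission to read item "_y0_Fcio6EeSuga98NCVxjQ", which has the "ProjectArea" item type.</oslc:message>
</oslc:Error>"""

# Pasted bodies often lack the oslc:/rdf: namespace declarations, which a strict
# XML parser rejects, so the fields are matched textually.
STATUS_RE = re.compile(r"<oslc:statusCode>\s*(\d{3})\s*</oslc:statusCode>")
MESSAGE_RE = re.compile(r"<oslc:message>(.*?)</oslc:message>", re.S)
ABOUT_RE = re.compile(r'rdf:about="([^"]+)"')
DENIED_RE = re.compile(
    r'CRJAZ1316E The user "([^"]+)" does not have permission to read item '
    r'"([^"]+)", which has the "([^"]+)" item type')
# Assumption: item UUIDs look like the two on this page ("_" + 22 URL-safe chars).
UUID_RE = re.compile(r"_[A-Za-z0-9_-]{22}")


def triage(error_body):
    """Return the denied user/item from an oslc:Error body, or None if it is not one."""
    status = STATUS_RE.search(error_body)
    message = MESSAGE_RE.search(error_body)
    if not status or not message:
        return None
    result = {"status": int(status.group(1)), "user": None, "item_id": None,
              "item_type": None, "admin_url": None}
    denied = DENIED_RE.search(html.unescape(message.group(1)))
    if not denied:
        return result
    result["user"], result["item_id"], result["item_type"] = denied.groups()
    about = ABOUT_RE.search(error_body)
    # Only build a link from a well-formed UUID; never paste raw error text into a URL.
    if about and result["item_type"] == "ProjectArea" and UUID_RE.fullmatch(result["item_id"]):
        parts = urlsplit(about.group(1))
        segments = [s for s in parts.path.split("/") if s]
        if segments:  # assumption: first segment is the application context root, e.g. "qm"
            result["admin_url"] = (
                f"{parts.scheme}://{parts.netloc}/{segments[0]}/admin"
                f"#action=com.ibm.team.process.editProjectArea&itemId={result['item_id']}")
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

The user in the result is the authenticated account the server evaluated, so that is the account whose project area membership and Access Control setting need checking.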
Comments
TOMI MOOLAN SOURU
May 22 '23, 2:13 p.m.
We are trying to pull all the streams and user IDs by using the REST API https://<server-name./qm/oslc_config/resources/com.ibm.team.vvc.Configuration
David Honey
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER May 22 '23, 2:14 p.m.
Has the user who is project area admin been added as a member of that project area?
If not, that's probably the reason.