It's all about the answers!

Ask a question

OSLC API Rest permission vs Project Admin Access Permission


TOMI MOOLAN SOURU (132) | asked May 18 '23, 11:17 a.m.

 We have created an automation solution using OSLC Rest APIs. It is working fine with my ids. Unfortunately  the project admin get a response shows that user doesn't have access  to this project. Is there any separate access required for Rest APIs and front end user?


Comments
TOMI MOOLAN SOURU commented May 22 '23, 1:32 p.m. | edited May 22 '23, 2:13 p.m.

We are trying to pull all the streams and user IDs by using the rest  API https://<server-name./qm/oslc_config/resources/com.ibm.team.vvc.Configuration

It is working for some users even though they do not have access . Unfortunately the project admin is getting message unauthorized. Still not digesting the project owner who created project doesn't have access. But other do..


David Honey commented May 22 '23, 2:14 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Has the user who as project area admin been added as a member of that project area?
If not, that's probably the reason.

6 answers



permanent link
Ralph Schoon (63.1k33645) | answered May 26 '23, 5:31 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited May 26 '23, 5:35 a.m.

Will not fit a comment, so as an answer. 


When asking for the method and headers, we need the URL and the headers and the method (e.g. GET), we do not need and do not necessarily understand the Java code.  The return code and message is important.

The error statusCode 403

        CRJAZ1316E The user "WZWJGD" does not have permission to read item "_y0_Fcio6EeSuga98NCVxjQ", which has the "ProjectArea" item type.

indicates that the server considers that the user "WZWJGD" does not have read access to the project area with the UUID "_y0_Fcio6EeSuga98NCVxjQ". To identify the project area open a project area administration editor e.g. https://elm.example.com:3443/ccm/admin#action=com.ibm.team.process.editProjectArea&itemId=_3Y9RoNqLEe2g2qpoLvIiXA . Now replace the UUID with the one above and refresh. You can also just open each project area in administration until you find the one with the UUID.

For the project area open Access Control

 

What is the setting here?

For the two involved users, what is the Repository Permission? See User Administration>user id>Repository Permissions is in the top right. Only relevant are JazzAdmins, Jazz Guests, Jazz Users. JazzProjectAdmins is irrelevant. JazzAdmins can see any work item, regardless the access control settings.

For both users if Access Control is one of the settings "Members of...." open the Overview tab and make sure that both users are a member of the project area. Being in the Admins group should work as well, but I would suggest you make sure both are in the Members group. The membership of the Admin group in the project area only contributes to being part of the project area hierarchy but does not elevate you in any case. 

If Access Control is based on access groups make sure the users are in the selected access control group.

Check visibility and make sure that access control is not customized. No checks in this column:


Check if the Access control shows in the work item editor Title section. 

If you do not find anything suspicious in the data above, open a case with support.




permanent link
TOMI MOOLAN SOURU (132) | answered May 25 '23, 9:58 a.m.

 

  1. Provide complete call, with methods and headers, provide detailed error message, return codes, headers and response body <o:p> </o:p>

 

We make call to the following URL <o:p> </o:p>

Code Snippet <o:p> </o:p>

baselinesURL="https://rqm-qm-tpd.gm.com:9443/qm/oslc_config/resources/com.ibm.team.vvc.Configuration"; <o:p> </o:p>

            catalogUrl = UriBuilder.fromUri(baselinesURL).build(); <o:p> </o:p>

            Resource resource = oslcRestClient1.getRestClient().resource(catalogUrl) <o:p> </o:p>

                .accept(OslcMediaType.APPLICATION_RDF_XML); <o:p> </o:p>

            ClientResponse baselineResponse = oslcRestClient1.httpAuthorizedGet(resource); <o:p> </o:p>

 

Response for Project Admin Users <o:p> </o:p>

  <oslc:Error ns13:type="oslc:Error" rdf:about="https://rqm-qm-tpd.gm.com:9443/qm/oslc_config/resources/com.ibm.team.vvc.Configuration" xmlns:ns13="http://www.w3.org/2001/XMLSchema-instance"> <o:p> </o:p>

        <oslc:statusCode>403</oslc:statusCode> <o:p> </o:p>

        <oslc:message>CRJAZ1316E The user "WZWJGD" does not have permission to read item "_y0_Fcio6EeSuga98NCVxjQ", which has the "ProjectArea" item type.</oslc:message> <o:p> </o:p>

        <rqm_qm:clientLocale>en-us</rqm_qm:clientLocale> <o:p> </o:p>

    </oslc:Error> <o:p> </o:p>

 

  1. Provide which project area owns the work item <o:p> </o:p>

https://rqm-qm-tpd.gm.com:9443/qm/admin#action=com.ibm.team.process.editProjectArea&itemId=_y0_Fcio6EeSuga98NCVxjQ <o:p> </o:p>

 

  1. Provide the access control of the project area.  <o:p> </o:p>

Process Sharing <o:p> </o:p>

Specify how to share the process configuration between project areas: <o:p> </o:p>

<input checked="" dojoattachpoint="enterpriseProcessNotUsedButton" name="enterpriseProcessType" style="font-family: inherit; font-size: 1em; margin: 1px 5px 3px 0.5em; padding: 0px; vertical-align: middle;" type="radio"> <label> </label> Do not share the process configuration of this project area
<input dojoattachpoint="enterpriseProcessIsButton" name="enterpriseProcessType" style="font-family: inherit; font-size: 1em; margin: 1px 5px 3px 0.5em; padding: 0px; vertical-align: middle;" type="radio"> <label> </label> Allow other project areas to use the process configuration from this project area
<input dojoattachpoint="enterpriseProcessUsesButton" name="enterpriseProcessType" style="font-family: inherit; font-size: 1em; margin: 1px 5px 3px 0.5em; padding: 0px; vertical-align: middle;" type="radio"> <label> </label> Use the process configuration from another project area for this project area

<o:p> </o:p>

Add... <o:p> </o:p>

Members <o:p> </o:p>

Roles grant users permissions and determine the preconditions and follow-up actions that run. Roles assigned here are inherited in all team areas within this project area. All users in the repository have the Everyone role whether they are a member or not. <o:p> </o:p>

Members Per Page: <select style="font-family: inherit; font-size: 1em; margin-left: 10px; margin-top: 0px; padding: 1px; width: auto;"> <option value="5"> 5 </option> <option value="25"> 25 </option> <option value="50"> 50 </option> <option value="75"> 75 </option> <option value="100"> 100 </option> <option value="250"> 250 </option> </select> <o:p> </o:p>

4.      Previous0 - 0 of 0Next <o:p> </o:p>

No members selected <o:p> </o:p>

<input aria-label="Search text" autocomplete="off" dojoattachevent="onfocus: _focus, onblur: _blur, onkeyup: _keyup, onpaste: _copyPaste, oncut: _copyPaste, oninput: _keyup" dojoattachpoint="_box" name="filter-box" style="border-color: initial; border-style: none; border-width: 0px; font-family: inherit; font-size: 1em; margin: 0px; min-height: 15px; outline: none; padding: 0px;" type="text"> <o:p> </o:p>

Select <o:p> </o:p>

Name <o:p> </o:p>

Process Roles <o:p> </o:p>

Add... <o:p> </o:p>

Administrators <o:p> </o:p>

If you require permissions, contact an administrator. Project administrators can modify and save this project area and its team areas. <o:p> </o:p>

<input aria-label="Search text" autocomplete="off" dojoattachevent="onfocus: _focus, onblur: _blur, onkeyup: _keyup, onpaste: _copyPaste, oncut: _copyPaste, oninput: _keyup" dojoattachpoint="_box" name="filter-box" style="border-color: initial; border-style: none; border-width: 0px; font-family: inherit; font-size: 1em; margin: 0px; min-height: 15px; outline: none; padding: 0px;" type="text"> <o:p> </o:p>

Select <o:p> </o:p>

Name <o:p> </o:p>

E-mail <o:p> </o:p>

Add... <o:p> </o:p>

Associations <o:p> </o:p>

 

  1. Is read access by category configured? Provide access context in this case and membership of users in the access context <o:p> </o:p>
  2. Provide the filed against process area. <o:p> </o:p>
  3. Provide the Repository Permissions for both of the users. <o:p> </o:p>


Comments
Ralph Schoon commented May 26 '23, 5:08 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

 The text above is totally unreadable. I think you are pasting HTML in here and I can simply not read and make sense of this. Do not paste HTML codes here.


permanent link
Mimi Kue (111) | answered May 23 '23, 12:55 p.m.
edited May 23 '23, 1:00 p.m.
I work with Tomi.  I want to provide the following context to help to identify what "elevated" permission that User A has.  We need set up User B to be able to do run the same automation using OSLC API calls.

<o:p>    </o:p>

User A <o:p> </o:p>

User B <o:p> </o:p>

Member of the project <o:p> </o:p>

No <o:p> </o:p>

Yes <o:p> </o:p>

Admin of the project <o:p> </o:p>

No <o:p> </o:p>

Yes <o:p> </o:p>

Access via web <o:p> </o:p>

Yes <o:p> </o:p>

Yes <o:p> </o:p>

OSLC API Calls <o:p> </o:p>

No issue <o:p> </o:p>

Permission error <o:p> </o:p>


Comments
David Honey commented May 23 '23, 1:11 p.m. | edited May 23 '23, 1:14 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

So far, the OP has not provided any specifics of the API request being made, such as URI, headers, request body, or the response including headers and body.
Also remember that for REST requests, the authenticated user is what drives both read access and process permissions.


Mimi Kue commented May 23 '23, 3:31 p.m.

TOMI MOOLAN SOURUi please provide API call that threw the exception, the error code and message 


Ralph Schoon commented May 24 '23, 3:01 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
  1. Provide complete call, with methods and headers, provide detailed error message, return codes, headers and response body
  2. Provide which project area owns the work item
  3. Provide the access control of the project area. 
  4. Is read access by category configured? Provide access context in this case and membership of users in the access context
  5. Provide the filed against process area.
  6. Provide the Repository Permissions for both of the users.

permanent link
Ralph Schoon (63.1k33645) | answered May 23 '23, 2:00 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited May 23 '23, 2:02 a.m.

 With respect to what a user can see and do, a lot of users have a big misconception about administrative stuff.

Please have a look at https://jazz.net/wiki/bin/view/Deployment/RTCProcessFundamentals to understand what members, roles, repository roles etc are and are not.

What you can see and can not see and what you can and can not do to data you can see is largely governed by access control, ownership and visibility. Access control is on project area level. The settings can e.g. limit read access to data to users that are members of the project area.

The repository role JazzAdmin grants the user that has it full access to any data. So the JazzAdmin can see all streams, work items etc. They also have an administrative override and can make themselves member of any project area and can configure roles and grant themselves roles.

The ProjectAreaAdmin repository role only has the administrative override capability to create and manage project areas and create and give themselves roles. Unlike the JazzAdmin repository role it does not give visibility to all data. This repository role exists so that someone can create and manage project areas without full administrative access.

So forget the repository role if you look at which user can access or see what. Unless you have the JazzAdmin repository role, you might not be able to see all data because ownership and visibility applies to you.

Also note that SCM data is accessible across project areas and has its own ownership and visibility. You might be member of a project area, but would still have no access to certain SCM data, because its visibility is limited to the owner or something else. 


permanent link
David Honey (1.8k17) | answered May 18 '23, 11:49 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
There are two separate issues:
  1. Read access to artifacts owned by a project area. These are determined by the project area permissions. For example, a common setting is to restrict access to members of the project area.
  2. Process permissions associated with roles granted to a user. These are associated with operations performed on  artifacts. In general, if you don't have read access to an artifact, you won't be able to perform any actions on it.
It sounds like you are hitting #1. Check your project area read access settings.

Comments
TOMI MOOLAN SOURU commented May 19 '23, 10:03 a.m.

The project admin who owns the project area provided access to me and I am able to run my APIs successfully. The same APIs are throwing access issues to the project project admin. Why the project area owner cannot access APIs?


Ian Barnard commented May 19 '23, 10:04 a.m. | edited May 19 '23, 10:05 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Check what the project admin's role in the project permits (compared to what your role in the project permits) that is David's point 2


David Honey commented May 19 '23, 10:37 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

A project area admin only has permission to change the project area properties. It does not, by itself, affect read access or process permissions for operations on artifacts owned by that project area.


permanent link
Ian Barnard (1.9k613) | answered May 18 '23, 11:41 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited May 18 '23, 11:46 a.m.

 The "user" for APIs must (non-optional!) have a license for the application and if not JazzAdmin/ProjectAdmin then they must have permission to access, e.g. if Access Control is set to default "Members of the Project Area hierarchy" then by being a member of the project or having Access Control set differently then that controls their access.


Their membership role will determine their permission to modify/create things.

Your answer


Register or to post your answer.