SOLVED

Attribute-based Access Control API Access

Level 2

I'm trying to use the ABAC APIs to create a report of all the Roles and permissions for a client, but I can't figure out what I need to do in order to give my API credential access.

  • I, as a user, am an AEP Product Admin and manage Permissions through the UI on a regular basis
  • I am a developer for AEP
  • I created an API Project and put my technical account ID in the same ABAC Role as my user

https://experienceleague.adobe.com/docs/experience-platform/access-control/abac/abac-api/roles.html?...

 

When I try to do a get on the /roles endpoint, I get a 403-forbidden with this response:

 

{
    "type": "http://ns.adobe.com/aep/errors/ACL-4031-403",
    "title": "“A role is required to perform this operation. Define one of the following roles and try again:org_admin,product_admin.”",
    "status": 403,
    "report": {
        "tenantInfo": {
            "sandboxName": "removed",
            "sandboxId": "N/A",
            "imsOrgId": "removed"
        },
        "additionalContext": {
            "request-id": "removed"
        }
    },
    "error-chain": [
        {
            "serviceId": "Access Control Service",
            "errorCode": "ACL-4031-403",
            "invokingServiceId": "N/A",
            "unixTimeStampMs": 1683141663172
        }
    ]
}

 

 

Does anyone know what I need to do here? Do I need to add my technical account ID as a product admin somehow? The documentation has a note "If a user token is being passed, then the user of the token must have an “org admin” role for the requested org." I'm not really clear on what that means though. Any help is appreciated!

 

1 Accepted Solution

Correct answer by
Level 2

For those that come across this in the future, the answer to this is that you need to add your Technical Account Email ID associated with your developer project as a Product Admin (or Org Admin) via the Admin Console. I ended up going through Adobe support and their product engineering team pointed me in the right direction.

 

The other option is that, if you as a user are an Org Admin, you can use your bearer token. I tested this by grabbing my bearer token from a network call to the UI.

3 Replies

Community Advisor

Hello @derekselby 

 

You should be a system administrator to access this endpoint.

 

More details on the Admin role are available here: Administrative roles (adobe.com)


     Manoj
     Find me on LinkedIn
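
An added example, not part of the original thread and not Adobe's code: a small Python helper that parses the 403 body shown in the question and extracts the roles the Access Control Service asks for, so a reporting script can tell a missing-admin-role failure apart from other 403s. The function name `diagnose_acl_error`, the returned keys, and the assumption that the role list follows the phrase "try again:" are hypothetical; the sample body is the one from the question.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the 403 body from the question, redacted values left as "removed".
SAMPLE_403 = """{
  "type": "http://ns.adobe.com/aep/errors/ACL-4031-403",
  "title": "“A role is required to perform this operation. Define one of the following roles and try again:org_admin,product_admin.”",
  "status": 403,
  "report": {"tenantInfo": {"sandboxName": "removed", "sandboxId": "N/A", "imsOrgId": "removed"},
             "additionalContext": {"request-id": "removed"}},
  "error-chain": [{"serviceId": "Access Control Service", "errorCode": "ACL-4031-403",
                   "invokingServiceId": "N/A", "unixTimeStampMs": 1683141663172}]
}"""

# Assumption: the required roles are a comma-separated list after this phrase.
ROLE_LIST = re.compile(r"following roles and try again:\s*([\w,\s]+)")


def diagnose_acl_error(body: str) -> dict:
    """Summarise an Access Control Service error body (hypothetical helper)."""
    doc = json.loads(body)
    first = (doc.get("error-chain") or [{}])[0]
    # The title arrives wrapped in typographic quotes; strip them before matching.
    title = doc.get("title", "").strip("“”\"' ")
    match = ROLE_LIST.search(title)
    roles = [r.strip() for r in match.group(1).split(",") if r.strip()] if match else []
    ts_ms = first.get("unixTimeStampMs")
    when = (datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc).isoformat()
            if isinstance(ts_ms, int) else None)
    return {
        "status": doc.get("status"),
        "error_code": first.get("errorCode"),
        "service": first.get("serviceId"),
        "required_roles": roles,
        "occurred_at_utc": when,
        "request_id": doc.get("report", {}).get("additionalContext", {}).get("request-id"),
        # True when the service answered 403 and named the roles it wants.
        "missing_admin_role": doc.get("status") == 403 and bool(roles),
    }


if __name__ == "__main__":
    for key, value in diagnose_acl_error(SAMPLE_403).items():
        print(f"{key}: {value}")
```

When `missing_admin_role` is true, the fix described in the accepted answer applies: the identity behind the token needs one of the listed roles.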
