Attribute-based Access Control API Access | Community
Skip to main content
derekselby
derekselby
Level 2
May 3, 2023
Solved

Attribute-based Access Control API Access

  • May 3, 2023
  • 2 replies
  • 1524 views

I'm trying to use the ABAC API's to create a report of all the Roles and permissions for a client, but I can't figure out what I need to do in order to give my API credential access.

  • I as a user, am an AEP Product Admin and manage Permissions thru the UI on a regular basis
  • I am a developer for AEP
  • I created an API Project and put my technical account ID in the same ABAC Role as my user

https://experienceleague.adobe.com/docs/experience-platform/access-control/abac/abac-api/roles.html?lang=en

 

When I try to do a get on the /roles endpoint, I get a 403-forbidden with this response:

 

{ "type": "http://ns.adobe.com/aep/errors/ACL-4031-403", "title": "“A role is required to perform this operation. Define one of the following roles and try again:org_admin,product_admin.”", "status": 403, "report": { "tenantInfo": { "sandboxName": "removed", "sandboxId": "N/A", "imsOrgId": "removed" }, "additionalContext": { "request-id": "removed" } }, "error-chain": [ { "serviceId": "Access Control Service", "errorCode": "ACL-4031-403", "invokingServiceId": "N/A", "unixTimeStampMs": 1683141663172 } ] }

 

 

Does anyone know what I need to do here? Do I need to add my technical account ID as a product admin somehow? The documentation has a note "If a user token is being passed, then the user of the token must have an “org admin” role for the requested org." I'm not really clear on what that means though. Any help is appreciated!

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by derekselby

For those that come across this in the future, the answer to this is that you need to add your Technical Account Email ID associated with your developer project as a Product Admin (or Org Admin) via the Admin Console. I ended up going through Adobe support and their product engineering team pointed me in the right direction.

 

The other option, is if you as a user are an Org Admin, you can use your bearer token. I tested this by grabbing my bearer token from a network call to the UI.

2 replies

Manoj_Kumar
Community Advisor
Manoj_KumarCommunity Advisor
Community Advisor
May 4, 2023

Hello @derekselby 

 

You should be a system administrator to access this endpoint.

 

More details on the Admin role are available here: Administrative roles (adobe.com)

Manoj  | https://themartech.pro
derekselby
derekselbyAuthorAccepted solution
Level 2
June 5, 2023

For those that come across this in the future, the answer to this is that you need to add your Technical Account Email ID associated with your developer project as a Product Admin (or Org Admin) via the Admin Console. I ended up going through Adobe support and their product engineering team pointed me in the right direction.

 

The other option, is if you as a user are an Org Admin, you can use your bearer token. I tested this by grabbing my bearer token from a network call to the UI.

    M
    mdonke
    Level 4
    July 19, 2023

    Thank you. Very helpful!

    Terms & ConditionsAccessibility statement

    Loading footer...