error.forbidden.noPermission
Thursday, December 16, 2021 at 02:02pm
Hello,
The OneSpan Role Permission under the Transaction category 'transaction.access_other_users_transactions' (Manage users’ transactions, templates, layouts (API)) is required to clone templates via the SDK or REST API.
- Is there a reason this new permission was added?
- Is there a way to add this permission to the existing [predefined] role permission sets?
- As an account owner I may not add any new roles to my account nor can I add any new permissions to my existing role.
As such, the account Owner role can no longer use templates:
{
  "id": "owner",
  "description": "esl.account.account_role.default_role.owner.description",
  "name": "esl.account.account_role.default_role.owner.name",
  "predefined": true,
  "enabled": true
}
'Forbidden. HTTP POST on URI https://sandbox.esignlive.com/api/packages/scrubbedPackageId=/clone.'
{
  "messageKey": "error.forbidden.noPermission",
  "message": "The required permission was not found.",
  "code": 403,
  "name": "Access Denied"
}
Further, Managers and Senders are unable to create a package from a template via the SDK calling
OssClientAdapter.CreatePackageFromTemplate(templatePackage.Id, package)
However, by creating a new role and granting access to the Admin role permission set and the new Transaction category permission of 'transaction.access_other_users_transactions' I can use sub-accounts to send templates.
While this is a workaround, it has removed functionality that I would've expected to remain intact.
Thanks,
Kevin C
Reply to: error.forbidden.noPermission
Friday, December 17, 2021 at 02:41pm
Hi Kevin,
Let's say you are creating a package from a template for a sender. Before this permission was introduced, you would have to:
(1) Obtain the sender's API Key for this subaccount (every sender has their respective API Keys for each subaccount)
(2) Authenticate the SDK client with this particular API Key, and invoke the .CreatePackageFromTemplate() function
Given this background, this new permission has been introduced to reduce the complexity where you had to retrieve the sender's API Key first. With the latest fashion, as long as the API Key holder has both "API Access" and this new permission, you can easily achieve the goal with this .NET SDK code:
// Authenticate with the Admin's API Key/Token (not the sender's)
OssClient client = new OssClient(apiKey, apiUrl);
DocumentPackage documentPackage = PackageBuilder
    .NewPackageNamed("Example Transaction")
    // ............... (other builder calls elided in the original post)
    .WithSenderInfo(SenderInfoBuilder.NewSenderInfo("sender's email"))
    .Build();
// Create the package from the template on behalf of the sender set above
PackageId templateId = client.CreatePackageFromTemplate(new PackageId("nOddEwofq5E_W9AOEJtJ5d1xt4U="), documentPackage);
In terms of the Account Role management:
(1) Two permissions should be sufficient for this new role - "API Access" and "Manage users’ transactions, templates, layouts (API)"
(2) You can grant multiple roles to a sender, for example:
- "Admin" role (19 permissions)
- The customized role (2 permissions)
In which case the user will own a total of 20 permissions (API Access is duplicated)
(3) I do agree that the "Admin" role should automatically have this new permission added, since its description is "Full access to the entire application and its configuration". If you happen to have a support ticket open, or I can help you create one, we can ask for clarification on whether it's by design.
Duo
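Added example (not part of the original posts and not OneSpan code): an offline audit of the role model described above, showing that a user's effective permissions are the union of their roles and which API key holders would still receive error.forbidden.noPermission on a clone. The role records, the `permissions` field, the `constructed.perm_*` names, the e-mail addresses and the treatment of disabled roles are assumptions; only `transaction.access_other_users_transactions` and the error body fields come from the thread.

```python
import json

MANAGE_OTHERS = "transaction.access_other_users_transactions"  # ID from the thread
API_ACCESS = "API Access"  # display name; the thread does not give its ID
REQUIRED = {API_ACCESS, MANAGE_OTHERS}

def effective_permissions(role_ids, role_defs):
    """Union of permissions across a user's roles (assumption: disabled roles grant nothing)."""
    perms = set()
    for rid in role_ids:
        role = role_defs.get(rid)
        if role and role.get("enabled", False):
            perms |= set(role.get("permissions", []))
    return perms

def missing_for_clone(role_ids, role_defs):
    """Permissions an API key holder still lacks for cloning a template."""
    return REQUIRED - effective_permissions(role_ids, role_defs)

def audit(assignments, role_defs):
    """Map each user who would be denied to the sorted list of missing permissions."""
    report = {}
    for user, role_ids in assignments.items():
        missing = missing_for_clone(role_ids, role_defs)
        if missing:
            report[user] = sorted(missing)
    return report

def is_permission_denial(status, body):
    """True only for the 403 body shown in the thread, not for every 403."""
    try:
        err = json.loads(body)
    except (TypeError, ValueError):
        return False
    return (status == 403 and isinstance(err, dict)
            and err.get("messageKey") == "error.forbidden.noPermission")

# Constructed data: the "permissions" field and constructed.perm_* names are placeholders.
ROLES = {
    "admin": {"enabled": True,
              "permissions": [API_ACCESS] + [f"constructed.perm_{i}" for i in range(18)]},
    "template_delegate": {"enabled": True, "permissions": [API_ACCESS, MANAGE_OTHERS]},
    "disabled_delegate": {"enabled": False, "permissions": [API_ACCESS, MANAGE_OTHERS]},
}
ASSIGNMENTS = {"owner@example.com": ["admin"],
               "manager@example.com": ["admin", "template_delegate"],
               "sender@example.com": ["admin", "disabled_delegate"]}
DENIED_BODY = '{"messageKey": "error.forbidden.noPermission", "code": 403, "name": "Access Denied"}'
```

Matching on `messageKey` rather than on the bare 403 keeps a missing role permission distinguishable from other access failures when triaging logs.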
Reply to: error.forbidden.noPermission
Tuesday, December 21, 2021 at 02:21pm
Hello Duo,
Regarding your points 1 and 2, that makes a lot of sense.
In testing as a subaccount, I can use a template as a Manager with "API Access" and "Manage users’ transactions, templates, layouts (API)".
In testing as the account owner, I am unable to clone a template with (visibility: ACCOUNT) that belongs to the account owner.
As such, I've opened a support request based on your third point to have the predefined Admin permissions updated to reflect the description.
Thanks!
Kevin
------------------------------------------------------------------
01/04/2022 update: Account Owner usage of shared, personally owned templates is restored.
I have a case to look into the option to update the predefined roles.
For now, we have a workaround to get an account owner updated.
Following the above suggestion by Duo Liang, sign in as the account owner or another admin, and create a new role containing "API Access" and "Manage users’ transactions, templates, layouts (API)".
Grant the following roles to a subaccount [you have access to]
Signed in as the subaccount, go to https://sandbox.esignlive.com/a/admin/users
Thanks for the help!