AnsweredAssumed Answered

SDM 14.1 REST API - Delete access_key

Question asked by jmayer

on Oct 23, 2017
Latest reply on Nov 17, 2017 by AbhishekDanej

Like • Show 1 Like1
Comment • 19

Hello everyone,

After some time in this community, I asking my first question.

This may eventually finish as a support case but was wondering if any have encountered the same before and get around of it.

I moving more and more previous SOAP integration to use REST but problem is that I always receive a:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Date: Mon, 23 Oct 2017 07:56:35 GMT
Content-Type: application/xml
Content-Length: 71

This operation requires Function Access for 'admin' equal to 'Modify'.

when I try to delete a existing valid access_key what ever level permissions the user calling the rest API have and of course the key remain valid until expiration.

My test scenario is using SOAPUI and basic authentication (with full admin access type) to get the access key and just call a new operation to delete right after:

Note that I have the same error when trying to use PUT to modify the expiration date.

Must not be the fist one encountering this issue so looking forward for your input.

Anthony_L

Oct 23, 2017 1:34 PM

Correct Answer

Hi Jerome,

I understand this is confusing but, the access key is not actually the id of the row. In this situation the id of the row is:

405339

You can see this on the first line of the login response. When you use that as the id and the access key as the X-AccessKey you should be able to delete it and it should respond with a 204. Please let me know if that works for you. Also notice if you call it again after 204 it returns 500 which you will see in the logs you have an invalid X-AccessKey.

See the reply in context

No one else had this question

Outcomes

19 Replies

Brian_Mathato Oct 23, 2017 11:38 AM
Mark Correct
Correct Answer
Hi Jerome,

Have a look at what is documented here:

REST HTTP Methods - CA Service Management - 17.0 - CA Technologies Documentation

Somewhere they talk about 'REST_OPERATIONS' which determines what operations can be performed on objects.

Perhaps this can lead you in a positive direction?

===
Kind Regards,
Brian
Like • Show 1 Like1
Actions
- jmayer @ Brian_Mathato on Oct 23, 2017 5:01 PM
  Mark Correct
  Correct Answer
  Thanks Brian, and yes I have read the doc
  rest_access resource
  The rest_access resource contains REST API access information for the authenticated users. It is an administrative table and contains the list of users allowed through the REST API.
  The following list shows the deviations from the default behavior:
  POST
  Creates a REST access object and returns access key, secret key and expiration date as part of default values.
  GET
  Retrieves REST access information (except for secret key).
  DELETE
  Deletes the REST access object.
  PUT
  Does not allow updates to secret_key, access_key, and contact due to the Majic WRITE_NEW property.
  
  ---------
  
  This REST API example demonstrates how to delete a CA SDM access key.
  The following example shows the request:
  DELETE /caisd-rest/rest_access/1201703106 HTTP/1.1 Host: hostname
  
  The following example shows the response:
  HTTP/1.1 204 No Content Content-Type: application/xml;charset=UTF-8 Content-Length: 0
  I do also have verify with bop_sinfo that the REST OPERATION was available there
  Thanks
  /J
  Like • Show 0 Likes0
  Actions
Anthony_L Oct 23, 2017 1:34 PM
Unmark Correct
Correct Answer
Hi Jerome,

I understand this is confusing but, the access key is not actually the id of the row. In this situation the id of the row is:

405339

You can see this on the first line of the login response. When you use that as the id and the access key as the X-AccessKey you should be able to delete it and it should respond with a 204. Please let me know if that works for you. Also notice if you call it again after 204 it returns 500 which you will see in the logs you have an invalid X-AccessKey.
4 people found this helpful
Like • Show 4 Likes4
Actions
- jmayer @ Anthony_L on Oct 23, 2017 4:55 PM
  Mark Correct
  Correct Answer
  Hi Antony and thanks for your reply.
  
  Fully agree that this is confusing specially when the documentation show an access_key in the example as you can review there: https://docops.ca.com/ca-service-management/17-0/en/reference/ca-service-desk-manager-reference-commands/technical-reference/rest-http-methods#RESTHTTPMethods-ExampleDeleteanAccessKey
  
  That say using the id was my first thought too to test after the access_key itself was failing however this is not the problem as I get exactly the same error when using the id or at less the error code is misleading.
  Note that as mentioned a PUT operation to update the expiration_date give the same error and I have no problem with any other objects.
  
  /J
  Like • Show 0 Likes0
  Actions
  - Anthony_L @ jmayer on Oct 23, 2017 6:11 PM
    Mark Correct
    Correct Answer
    I am matching your headers the best I can but, I can't see what the full Content-Type is.
    
    Edit: Nevermind I'm probably unable to reproduce it due to my Function Access having 'Modify'. Let me check.
    
    Edit2: I am unable to reproduce it. What version of SDM are you using including patch level?
    Like • Show 0 Likes0
    Actions
    - jmayer @ Anthony_L on Oct 23, 2017 6:24 PM
      Mark Correct
      Correct Answer
      Hi,
      I do also have modify to all avaiable functional access either if none relate directly to REST.
      Test was on 14.1 CP4
      Will try on a 12.9 and 17 when back to office to see if can reproduce there too
      /J
      Like • Show 0 Likes0
      Actions
      - Anthony_L @ jmayer on Oct 23, 2017 8:59 PM
        Mark Correct
        Correct Answer
        I have been testing on Rollup #1 and seems to work. Any chance you would be able to upgrade to Rollup #1?
        Like • Show 0 Likes0
        Actions
  - Raghu.Rudraraju @ jmayer on Oct 23, 2017 9:22 PM
    Mark Correct
    Correct Answer
    Hey Jerome,
    
    Are you saying that in 14.1.04 you have Function Access Administration set to Modify for the REST API Role being used by an access type that you are testing, and its still giving you the permissions error?
    
    Here's my testing so far with 14.1.04 ->
    ServiceDesk account had Admin access type with REST API Role to Administrator role.
    
    POST /caisd-rest/rest_access HTTP/1.1
    Authorization: Basic c2VydmljZWRlc2s6aW50ZXJPUEAxMjM=
    Content-Type: application/xml
    Cache-Control: no-cache
    <rest_access></rest_access>
    
    Response:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <rest_access id="400653" REL_ATTR="400653" COMMON_NAME="433957245">
    <link href="https://******:58553/caisd-rest/rest_access/400653" rel="self"/>
    <access_key>433957245</access_key>
    <expiration_date>1509397874</expiration_date>
    </rest_access>
    
    I could delete that fine
    
    DELETE /caisd-rest/rest_access/400653 HTTP/1.1
    X-AccessKey: 433957245
    Content-Type: application/xml
    Cache-Control: no-cache
    <rest_access>
    </rest_access>
    
    No problems there.
    
    I made the REST API role for admin access type to L1 Analyst. Repeated the above (with new X-AccessKey / rest_access id of course) and I get the behavior you mentioned:
    
    10/23 17:11:30.552 [http-bio-58553-exec-10] ERROR SDMCRUDServiceImpl 788 This operation requires Function Access for 'admin' equal to 'Modify'.
    
    I changed the function access Admin to modify on the L1 Analyst Role and the error disappeared and I'm able to delete the rest_access keys now.
    
    I'm wondering if there's some data partitions or some custom roles that are causing this side impact for you...
    
    _R
    2 people found this helpful
    Like • Show 0 Likes0
    Actions
    - jmayer @ Raghu.Rudraraju on Oct 24, 2017 10:12 AM
      Mark Correct
      Correct Answer
      Hi Ragu yes this is correct
      The user doing the rest call have full admin access type and corresponding modify on the admin functional access but I get the error.
      I did try the same on production instance this morning and I have no problem to delete the key there so trying to identify the difference between the two now.
      
      response:
      Date Tue, 24 Oct 2017 10:06:54 GMT
      #status# HTTP/1.1 204 No Content
      Server
      Apache-Coyote/1.
      Like • Show 0 Likes0
      Actions
    - Anthony_L @ Raghu.Rudraraju on Oct 24, 2017 1:29 PM
      Mark Correct
      Correct Answer
      Hi Raghu,
      
      Interestingly in Rollup#1 even with the Employee role I am able to delete my rest_access with admin set to None which I would expect since anyone should be able to log themselves out. Which brings me to an interesting question what if I was to try and log someone else out even though I had admin set to none and as expected it can't log them out. To add to this I tried again with Admin set to Modify and I was able to log out other users. To me this is how I expect it to work. So if what you are seeing in CUM#4 is actually true and you can't log yourself out without Modify for admin it looks like something was changed in Rollup#1.
      Like • Show 0 Likes0
      Actions
      - Brian_Mathato @ Anthony_L on Oct 24, 2017 1:34 PM
        Mark Correct
        Correct Answer
        Interesting...
        Like • Show 0 Likes0
        Actions
      - Raghu.Rudraraju @ Anthony_L on Oct 24, 2017 5:13 PM
        Mark Correct
        Correct Answer
        yea you're right.... looks like Employee access type works, but when you go to Analyst, it expects something else.
        
        Seems a bit odd.
        
        _R
        Like • Show 0 Likes0
        Actions
jmayer Oct 26, 2017 12:41 PM
Mark Correct
Correct Answer
Finally make it to work and this was my bad on different access type between dev and prod..
Thanks everyone for you time there anyway.
/J
1 person found this helpful
Like • Show 1 Like1
Actions
- AbhishekDanej @ jmayer on Nov 15, 2017 9:40 AM
  Mark Correct
  Correct Answer
  Hi Jerome, just saw this post and learnt that you are moving your integrations from SOAP to REST. Great news for me i suppose . I'm running 14.1. CU 3 on Windows R2 2012
  
  Have you done any integration to add activity log in an Incident or Request ticket? I tried it, but not sure how the XML would be formed. The sample code has example only for Change.
  GET on /caisd-rest/chgalg
  PAYLOAD:
  "<chgalg>" +
  "<type REL_ATTR=\"LOG\"/>" +
  "<change_id REL_ATTR=\"400001\"/>" +
  "<description>Activity Log created from REST API Java Samples code</description>" +
  "</chgalg>"
  
  Raghu.Rudraraju - you inputs would help too.
  
  Thanks!
  Abhishek
  1 person found this helpful
  Like • Show 0 Likes0
  Actions
  - Brian_Mathato @ AbhishekDanej on Nov 15, 2017 9:45 AM
    Mark Correct
    Correct Answer
    Hi Abhishek,
    
    Try the below
    
    GET on /caisd-rest/alg
    PAYLOAD:
    "<alg>" +
    "<type REL_ATTR=\"LOG\"/>" +
    "<change_id REL_ATTR=\"400001\"/>" +
    "<description>Activity Log created from REST API Java Samples code</description>" +
    "</alg>"
    
    Hope this helps?
    
    ===
    Kind Regards,
    Brian
    1 person found this helpful
    Like • Show 1 Like1
    Actions
    - AbhishekDanej @ Brian_Mathato on Nov 15, 2017 9:51 AM
      Mark Correct
      Correct Answer
      Thanks .. so no change in the ["<change_id REL_ATTR=\"400001\"/>"] change_id tag for Incident or Request?
      Like • Show 0 Likes0
      Actions
      - jmayer @ AbhishekDanej on Nov 15, 2017 10:04 AM
        Mark Correct
        Correct Answer
        see the body example below:
        
        $data ='<alg>';
          $data .='<analyst COMMON_NAME="'.$customer.'"/>';
          $data .='<call_req_id REL_ATTR="'.$cr_persid.'"/>';
          $data .='<type REL_ATTR="'.$log_type.'"/>';
          $data .='<description>'.$description.'</description>';
          $data .='</alg>';
        Not a java example but give you the way
        Hope this help
        /J
        2 people found this helpful
        Like • Show 2 Likes2
        Actions
        AbhishekDanej @ jmayer on Nov 15, 2017 10:07 AM
        Mark Correct
        Correct Answer
        Cool thanks.. I'll try this asap and revert! I was missing the call_req_id tag.
        
        GET on /caisd-rest/alg
        PAYLOAD:
        $data ='<alg>';
          $data .='<analyst COMMON_NAME="'.$customer.'"/>';
          $data .='<call_req_id REL_ATTR="'.$cr_persid.'"/>';
          $data .='<type REL_ATTR="'.$log_type.'"/>';
          $data .='<description>'.$description.'</description>';
          $data .='</alg>';
        Like • Show 0 Likes0
        Actions
        AbhishekDanej @ jmayer on Nov 17, 2017 8:14 AM
        Mark Correct
        Correct Answer
        It is working now, thanks Jerome and Brian! Also tested that analyst is not mandatory. If not passed, system will take the user using which rest access key was generated!
        Like • Show 1 Like1
        Actions

SDM 14.1 REST API - Delete access_key

Outcomes

rest_access resource

Related Content

Recommended Content

Date	Tue, 24 Oct 2017 10:06:54 GMT
#status#	HTTP/1.1 204 No Content
Server	Apache-Coyote/1.