Web API - Edit Project

Received a message of "You do not have permission to modify this project" when trying to update a project via the Web API.call to /TDWebApi/api/projects/{ID}

Verified that the API user has access to TDAnalysis and TDProjects.

Also verified that Security Role permissions of:

Project 
Modify Project Initial Values 

Project Portfolio
Edit All Portfolios and Programs
Manage all projects in my Portfolios and Programs 

are set. Any idea as to what is preventing me from updating the project(s)?

 

Asked by Quan Chung on Thu 1/6/22 1:47 PM
Sign In to leave feedback or contribute an answer

Answer (1)

This answer has been marked as the accepted answer
Mark Sayers Thu 1/6/22 2:45 PM

Hello Quan,

Which user are you trying to authenticate into the API with?

Also, can you provide the body of the call you're trying to make to this endpoint so we can see what the update is?

If you would feel more comfortable in the context of a support ticket rather than an open forum like this Questions page feel free to resubmit this as a ticket and we can follow up further. Or redact anything that might be sensitive, but we will need to know which fields you were trying to change the values of and we will need the full body of the call you were attempting.

Sincerely,
Mark Sayers
Sr Support Consultant, CS

1 of 1 users found this helpful.
For testing purposes, I use the web API user to pull a specific project.

I over-write the project description and then convert the project object back into JSON and pass it into another CURL as postfields along with the authentication headers.

I've also tried just passing back only the 5 required project fields along with an updated description as JSON instead of a full object.

Both give me the same "You do not have permission to modify this project". - Quan Chung Thu 1/6/22 3:06 PM
When you say the web API user, do you mean the Admin API service account which is found from the landing page of the TDAdmin interface, inside the Security tab there?

If so, that account would not be the appropriate one to use as the endpoint does not specifically call for it to be used. Instead you'd want to create a Service Account in your TDAdmin > Users & Roles > Users area and give it the necessary permissions.

Additionally, that project POST endpoint is expecting a full project API object to be passed to it. Passing only the required fields and the Description could result in data loss on your project. You might try performing a GET first to get the full project, then pass that entire response body back along with the updates you are attempting to make. - Mark Sayers Thu 1/6/22 3:26 PM
Also what are you using as the base domain of your API call URL? - Mark Sayers Thu 1/6/22 3:26 PM
Good to know that the full updated project object is needed to be returned back. At least that part in can mark as good. As far as the Domain and user see below:

At: https://tdx-test.its.msstate.edu/TDAdmin/Users/Users.aspx?

Name: Web Dev Api Service Account
Type: Service Account
Username: xxxxxx
Security Role: WebDev API Service
License Type: Enterprise - Quan Chung Thu 1/6/22 3:33 PM
And yes, I did a GET for the project before the update and POST call. - Quan Chung Thu 1/6/22 3:37 PM
Ok, since you're installed I can't peek at the user and ensure the security role settings are correct, but I'm assuming that security role has all permissions active?

and the user (in addition to Analysis and Projects/Workspaces app access) does have TDNext access too? - Mark Sayers Thu 1/6/22 4:16 PM
Yes and yes -- one of our TDX administrators looked.at the Security Role and User permission. - Quan Chung Thu 1/6/22 4:25 PM
Have you tried attempting the call after signing in to the API as a "regular" User account, one that has been added as a resource on the project in question? - Mark Sayers Thu 1/6/22 4:59 PM
We are using single sign on with CAS so a regular user does not have passwords stored in the TDX system and hence cannot generate a bearer token based on the account. Our thinking is that there are some rules based on CAS identity that are affecting access to the updating projects too (such as user has to be a manager or member of a prject), but we are not certain. - Quan Chung Tue 1/11/22 1:38 PM
The user *does* need to be a resource of some type on the project, yes, in order to modify it via API. You wouldn't want every account in TDX to be able to access a project and have edit rights if they shouldn't even be a resource on that project. - Mark Sayers Tue 1/11/22 1:45 PM
Bingo. That was the issue. I was trying to use a service account for the web API calls instead of a user account that could be added to the project as a resource. - Quan Chung Tue 1/11/22 2:27 PM