cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

access uaa REST API / assign uaa.admin to an user

Go to solution
former_member558421
Explorer

on ‎05-14-2018 2:54 PM

heee there,

in our current project we want to get user information (like firstname, email,...) out of the uaa and show/edit it in our app. According to the cloudfoundry uaa API reference (http://docs.cloudfoundry.org/api/uaa/version/4.12.0/#users) this can be done by calling the uaa resource /Users.

In the first step I got myself an OAuth 2.0 token with my HANA user account to attach it to every request. With this token I was able to call /uaa-security/userinfo to get my own user info. But if I call /Users I'll get the following error:

{ "error": "insufficient_scope", "error_description": "Insufficient scope for this resource", "scope": "uaa.admin scim.read zones.uaa.admin" }

My question is: how and where can I add an user with this privilege or add this role to an existing user?


Thank you in advanced.


Cheers,

Frank


Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

thomas_jung
Developer Advocate
Developer Advocate
‎05-14-2018 9:04 PM

I've got an example here that calls the controller and UAA APIs:

https://blogs.sap.com/2018/04/23/sap-hana-xsa-controller-api-interaction/

Check out the corresponding github repo. I do call to get User details:

https://github.com/I809764/controllerAPI/blob/master/node/router/routes/users.js

Although if you only need details of the logged in user, you can find that in req.authInfo if you are using express and passport as middleware.

Show replies
Show replies
former_member558421
Explorer
‎05-16-2018 6:53 AM
0 Kudos

Hello Thomas,

thank you very much for your response. Actually I already found your blog post before asking this question and can definitely use it after solving the privilige issue.

Unfortunately my HANA user account has not the needed roles/rights to do this API calls. I always get a 403 as a response.

Where did you get an allowed user from or where did you assign your user the needed role?

Thank you in advanced.

Cheers,

Frank

thomas_jung
Developer Advocate
Developer Advocate
‎05-16-2018 1:03 PM

Just a XSA business user won't be authorized enough to call the controller or UAA apis. Just like they wouldn't be able to use the XS client. Depending on the API call, you might need XS_CONTROLLER_ADMIN or XS_USER_ADMIN. When I wrote the blog, my user has pretty broad admin level access:

Depending upon the API (especially the controller ones), you have to consider the organization and space level roles as well:

former_member558421
Explorer
‎05-16-2018 3:02 PM
0 Kudos

Thank you so much, it finally worked out. It turned out that I had to use a different app (different xs-security.json) as source of clientid and clientsecret to get an OAuth token which is allowed to do this API calls.

Basically this question is solved, thanks again for your effort. Maybe you got some time left for me 🙂

Right now I am trying to explore the API while using this documentation (http://apidocs.cloudfoundry.org/1.27.0/).

Our goal is to get the following properties of an user: firstname, lastname and email. Furthermore we want to edit those fields. Do you have a hint for me?

v2/users works but won't show those properties.

v2/users/guid works and shows a single result.

v2/users/guid/summary doesn't work.

v2/organizations works

v2/organizations/guid works

v2/organizations/guid/users doesn't work.

former_member558421
Explorer
‎05-17-2018 9:11 AM
0 Kudos

I posted a new question which describes our use case:

https://answers.sap.com/questions/512470/consume-and-edit-hana-users-properties-through-an.html

Answers (0)

Ask a Question