4

Access UAA REST API / assign uaa.admin to a user

May 14 at 01:54 PM

154


Hey there,

in our current project we want to get user information (like firstname, email, ...) out of the UAA and show/edit it in our app. According to the Cloud Foundry UAA API reference (http://docs.cloudfoundry.org/api/uaa/version/4.12.0/#users) this can be done by calling the UAA resource /Users.

In the first step I got myself an OAuth 2.0 token with my HANA user account to attach it to every request. With this token I was able to call /uaa-security/userinfo to get my own user info. But if I call /Users I'll get the following error:

{ "error": "insufficient_scope", "error_description": "Insufficient scope for this resource", "scope": "uaa.admin scim.read zones.uaa.admin" }

My question is: how and where can I add a user with this privilege or add this role to an existing user?


Thank you in advance.


Cheers,

Frank
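
To see why a token is rejected with the insufficient_scope error quoted in the question, the following added example (not part of the original post and not SAP or Cloud Foundry code) decodes a token's scope claim and compares it with the scopes the error lists. The tokens and client ids are constructed, and it assumes that any one of the listed scopes is sufficient for the resource.

```javascript
// Diagnostic only: the token signature is NOT verified here, so never use
// this output to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT (expected 3 segments)');
  // Node's base64 decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Scopes arrive as an array (JWT claim) or as a space-separated string
// (the "scope" field of the error body); normalize both to an array.
function toScopeList(value) {
  if (Array.isArray(value)) return value.map(String);
  return String(value || '').split(/\s+/).filter(Boolean);
}

// Assumption: any ONE scope named in the error is enough for the resource.
function explainInsufficientScope(token, errorBody) {
  const payload = decodeJwtPayload(token);
  const granted = toScopeList(payload.scope);
  const accepted = toScopeList(errorBody.scope);
  const matching = accepted.filter((s) => granted.includes(s));
  return { clientId: payload.client_id, granted, accepted, matching,
           authorized: matching.length > 0 };
}

// Helper that builds constructed, unsigned sample tokens for this example.
function makeSampleToken(claims) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(claims),
          'constructed-signature'].join('.');
}

// Error body as quoted in the question.
const errorBody = { error: 'insufficient_scope',
  error_description: 'Insufficient scope for this resource',
  scope: 'uaa.admin scim.read zones.uaa.admin' };

// Hypothetical client ids; scopes chosen to show one rejected, one accepted.
const businessUserToken = makeSampleToken(
  { client_id: 'sb-my-app', scope: ['openid', 'uaa.user'] });
const scimReaderToken = makeSampleToken(
  { client_id: 'sb-user-admin-app', scope: ['openid', 'scim.read'] });

console.log(explainInsufficientScope(businessUserToken, errorBody));
console.log(explainInsufficientScope(scimReaderToken, errorBody));
```

Of the accepted scopes, scim.read is the narrowest, so a client that only needs to read user records should request that rather than uaa.admin.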



1 Answer

Best Answer
Thomas Jung
May 14 at 08:04 PM
1

I've got an example here that calls the controller and UAA APIs:

https://blogs.sap.com/2018/04/23/sap-hana-xsa-controller-api-interaction/

Check out the corresponding GitHub repo. I do call to get User details:

https://github.com/I809764/controllerAPI/blob/master/node/router/routes/users.js

Although if you only need details of the logged in user, you can find that in req.authInfo if you are using express and passport as middleware.


Hello Thomas,

thank you very much for your response. Actually I already found your blog post before asking this question and can definitely use it after solving the privilege issue.

Unfortunately my HANA user account does not have the needed roles/rights to do these API calls. I always get a 403 as a response.

Where did you get an allowed user from or where did you assign your user the needed role?

Thank you in advance.

Cheers,

Frank

0

Just an XSA business user won't be authorized enough to call the controller or UAA APIs. Just like they wouldn't be able to use the XS client. Depending on the API call, you might need XS_CONTROLLER_ADMIN or XS_USER_ADMIN. When I wrote the blog, my user had pretty broad admin level access:

Depending upon the API (especially the controller ones), you have to consider the organization and space level roles as well:

userrights.png (261.0 kB)
spaceroles.png (112.7 kB)
1

Thank you so much, it finally worked out. It turned out that I had to use a different app (different xs-security.json) as source of clientid and clientsecret to get an OAuth token which is allowed to do these API calls.

Basically this question is solved, thanks again for your effort. Maybe you got some time left for me :-)

Right now I am trying to explore the API while using this documentation (http://apidocs.cloudfoundry.org/1.27.0/).

Our goal is to get the following properties of a user: firstname, lastname and email. Furthermore we want to edit those fields. Do you have a hint for me?

v2/users works but won't show those properties.

v2/users/guid works and shows a single result.

v2/users/guid/summary doesn't work.

v2/organizations works

v2/organizations/guid works

v2/organizations/guid/users doesn't work.

0
0