
SAP CALM API returns forbidden / 403 (in postman)

friscas
Explorer

Hi everyone, 

I am testing our CALM API instance service in Postman, but I sadly get a 403 after successfully fetching the correct access_token.

When creating the service, I also added the correct scopes as described here: https://help.sap.com/docs/cloud-alm/apis/managing-scopes

What I do in Postman:

  1. Fetch the auth token from the API auth given by the service key (...authentication.eu20.hana.ondemand.com/oauth/token)
  2. Copy the access_token from the successful response, add it as a Bearer token and send the request to https://{region}.alm.cloud.sap/api/calm-projects/v1/projects
  3. The response is forbidden with status code 403

I would really appreciate your help, thank you.

 

john_p_grimes
Product and Topic Expert

Hi friscas,

If your authentication response JSON is missing Scope data, it usually means one of two things:

  • The Scopes have not been added to the SAP Cloud ALM API Service Instance.
  • The Scopes have been added to the Service Key/Binding (the "child") instead of the SAP Cloud ALM API Service Instance (the "parent"). 

I suspect that you have taken the latter path, and updated the child Service Key/Binding instead of the parent SAP Cloud ALM API Instance. You mentioned that you added the correct scopes already as per the Managing Scopes guide. That guide also states that the scopes must be added to the Service Instance.

Please try updating the SAP Cloud ALM API Service Instance (and not the child Service Key/Binding) in the SAP Cloud ALM API with the correct scopes. Once you have done that, re-test if the authentication response JSON contains the expected Scope values. If they are contained in the JSON, then you can try continuing with the API tests via Postman.

Thanks and regards, 
John 
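The check described in the reply above (does the authentication response actually carry the expected scopes?) can be scripted. This is an added example, not code from the thread or from SAP: it assumes the token response has a space-separated "scope" field and that the access_token is a JWT with a "scope" claim, and the sample responses and the "calmapi!b0000" prefix are constructed.

```python
import base64
import json

def jwt_claims(access_token):
    """Decode a JWT payload without verifying the signature (diagnostic use only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(token_response):
    """Collect scopes from the response's 'scope' field and the JWT 'scope' claim."""
    scopes = set(token_response.get("scope", "").split())
    claim = jwt_claims(token_response["access_token"]).get("scope", [])
    scopes.update(claim.split() if isinstance(claim, str) else claim)
    return scopes

def missing_scopes(token_response, required_suffixes):
    """Return the required scope suffixes that no granted scope ends with."""
    granted = granted_scopes(token_response)
    return [s for s in required_suffixes
            if not any(g == s or g.endswith("." + s) for g in granted)]

def _constructed_response(scopes):
    """Build a constructed, unsigned token response for the demo (not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    token = ".".join([b64({"alg": "none"}), b64({"scope": scopes}), "sig"])
    return {"access_token": token, "token_type": "bearer", "scope": " ".join(scopes)}

# Constructed samples: "calmapi!b0000" is a made-up application prefix (assumption).
WITH_SCOPES = _constructed_response(["uaa.resource", "calmapi!b0000.calm-api.projects.read"])
WITHOUT_SCOPES = _constructed_response(["uaa.resource"])

if __name__ == "__main__":
    needed = ["calm-api.projects.read"]
    for name, resp in [("with scopes", WITH_SCOPES), ("without scopes", WITHOUT_SCOPES)]:
        print(name, "-> missing:", missing_scopes(resp, needed))
```

To use it on a real response, save the JSON body returned by the token endpoint and pass the parsed dictionary to `missing_scopes` with the scope suffixes the target API needs.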

friscas
Explorer

Hey John,

Thank you again for the fast response, and no, I did not add the scopes to the Service Key but directly to the service during creation in the second step.

Here is what I did:

  1. Created a service instance named calmapi
  2. In the instance creation wizard, I went to the second step and added the JSON as per the Managing Scopes guide with xsappname: "calmapi"
  3. After the service instance was created, I then generated my service key

thx

john_p_grimes
Product and Topic Expert

Hi Friscas,

Please provide the plain text of the JSON you used to update the Service Instance with, so I can verify it is complete.

friscas
Explorer

Hi @john_p_grimes,

    {
      "xs-security": {
        "xsappname": "calmapi",
        "authorities": [
          "$XSMASTERAPPNAME.calm-api.analytics.providers.read",
          "$XSMASTERAPPNAME.calm-api.analytics.read",
          "$XSMASTERAPPNAME.calm-api.bm.read",
          "$XSMASTERAPPNAME.calm-api.bsm.read",
          "$XSMASTERAPPNAME.calm-api.bsm.write",
          "$XSMASTERAPPNAME.calm-api.csa.read",
          "$XSMASTERAPPNAME.calm-api.defects.read",
          "$XSMASTERAPPNAME.calm-api.demo-tasks.read",
          "$XSMASTERAPPNAME.calm-api.documents.read",
          "$XSMASTERAPPNAME.calm-api.documents.write",
          "$XSMASTERAPPNAME.calm-api.event-situations.write",
          "$XSMASTERAPPNAME.calm-api.exm.personal.read",
          "$XSMASTERAPPNAME.calm-api.exm.read",
          "$XSMASTERAPPNAME.calm-api.exm.write",
          "$XSMASTERAPPNAME.calm-api.feature.personal.read",
          "$XSMASTERAPPNAME.calm-api.feature.read",
          "$XSMASTERAPPNAME.calm-api.hm.read",
          "$XSMASTERAPPNAME.calm-api.hm.write",
          "$XSMASTERAPPNAME.calm-api.iep.read",
          "$XSMASTERAPPNAME.calm-api.integration-monitoring.personal.read",
          "$XSMASTERAPPNAME.calm-api.integration-monitoring.read",
          "$XSMASTERAPPNAME.calm-api.integration-monitoring.write",
          "$XSMASTERAPPNAME.calm-api.jobs.read",
          "$XSMASTERAPPNAME.calm-api.landscape.read",
          "$XSMASTERAPPNAME.calm-api.logs.read",
          "$XSMASTERAPPNAME.calm-api.logs.write",
          "$XSMASTERAPPNAME.calm-api.metrics.read",
          "$XSMASTERAPPNAME.calm-api.metrics.write",
          "$XSMASTERAPPNAME.calm-api.processauthoring.delete",
          "$XSMASTERAPPNAME.calm-api.processauthoring.read",
          "$XSMASTERAPPNAME.calm-api.processauthoring.write",
          "$XSMASTERAPPNAME.calm-api.processmanagement.delete",
          "$XSMASTERAPPNAME.calm-api.processmanagement.read",
          "$XSMASTERAPPNAME.calm-api.processmanagement.write",
          "$XSMASTERAPPNAME.calm-api.projects.read",
          "$XSMASTERAPPNAME.calm-api.projects.write",
          "$XSMASTERAPPNAME.calm-api.requirements.read",
          "$XSMASTERAPPNAME.calm-api.rum.read",
          "$XSMASTERAPPNAME.calm-api.rum.write",
          "$XSMASTERAPPNAME.calm-api.sum.read",
          "$XSMASTERAPPNAME.calm-api.sum.write",
          "$XSMASTERAPPNAME.calm-api.tasks.read",
          "$XSMASTERAPPNAME.calm-api.tasks.write",
          "$XSMASTERAPPNAME.calm-api.tests.personal.read",
          "$XSMASTERAPPNAME.calm-api.tests.read",
          "$XSMASTERAPPNAME.calm-api.traces.read",
          "$XSMASTERAPPNAME.calm-api.traces.write"
        ],
        "oauth2-configuration": {
          "credential-types": [
            "binding-secret"
          ]
        }
      }
    }

john_p_grimes
Product and Topic Expert

Hi Friscas,

Are you running a "POST" or a "GET" request using the projects API (https://{region}.alm.cloud.sap/api/calm-projects/v1/projects)?

If you are using a "POST" request, are you providing the necessary JSON body with the details of the new project? If I run a "POST" request but don't provide JSON body with the details of my new project, I get the same 403 error message.

Thanks and regards, 
John

friscas
Explorer

I was doing a GET request, I want to list the projects.

john_p_grimes
Product and Topic Expert

Hi Friscas,

You should be able to query that API based on the scopes assigned. Have you tried to use the other SAP Cloud ALM APIs? For example, I see that the scopes include the landscape permissions (calm-api.landscape.read). What happens if you try to run the "GET" method on the "/landscapeObjects" endpoint for the Landscape API?

Thanks and regards, 
John

friscas
Explorer

I tried others like tasks and now also landscapeObjects, yet still 403. The reason I added all of those like in the guide is to test multiple APIs. I tried setting the scopes required for single APIs, but nothing, I still get 403. I have a meeting set up tomorrow with an expert from SAP to look at this issue together; once it is solved I will post a solution here. Thank you a lot for your time, John.