I have a service running that creates or updates user access.
But when the service is running now I get an error when trying to update a user. I have tried to give the service account all permissions that are related to update account. But still I get the same error.
Allow update of user accounts on the environment is also enabled.
The permissions look good. However, I’m assuming that the Integration_CreateUser is a role connected to a Service Account with access to the relevant Service. In order for this to work properly you would need to create a new role with the necessary permissions and assign yourself that role. In addition to that, you would have to give that new role the permissions to act as the relevant Service Account.
Let us know if we’ve misunderstood your setup and provide us with more information. This will allow us to recreate it and help you along the way!
But, when the service runs on a schedule, this setup should not be needed? It also fails when running the service on a schedule. The error log is not visible (as far as I know), but it runs fine when I disable the update user action.
What information do you need to dig deeper?
If it runs on a schedule, the service account that triggers the schedule needs to be connected to a role with access to the service, where this role also has access to the correct permissions regarding manipulating data.
The Service logger is available in all environments except production. If you trigger the Service manually in
https://SOLUTION-HOSTNAME/api/services/ (where the solution hostname is environment specific), while having
https://SOLUTION-HOSTNAME/api/services/logs open, you can see a bit more on what the error is.
Let us know if this helps or if you need more help! You could also send me the details in messages if it contains sensitive data and we’ll take a look.
The service logs show the same error, the service account has one role, with the setup shown previously in the conversation.
If you have time to take a closer look, that would be great.
I would appreciate it if you could confirm that the steps below are followed and send us additional information/screenshots of
- Check off the User Account Manipulation in Environments Config
- Create a Role with correct access to the wanted environment
- Create a Service Account connected to that Role
- Give that Role access to the specific Service
- Allow that Role to “Update User in Role” and the general “Update User”
I registered that you are running the Service Schedule in Develop environment. The global settings for Update, Create and Delete user accounts are reset every night (the settings on Environment Config) in Development. Could be related.
I can also see that this is a “Create Object” with “Update Existing User” (if the user exists). It might be that the user trying to be updated is a member of a Role where you or the service account do not have access to “Update user in role”.
Thanks for your feedback.
Kristian was correct, the issue was that the user we were trying to update had two of the default roles “maintainer” and “developer”. When I removed these from the user manually, the service worked as expected.