I am getting a 403 not authorized error with this call -> /d2l/api/lp/1.2/users/ and all its variations with query parameters.
I have checked the permissions: Search for student, instructor, tutor, etc. and all the UIPs at Organization and Course Offering level for the calling user's role. All are enabled. I've cascade enrolled this user from organization level to all levels. What am I missing which needs to be enabled to make this call work?
Yes -- this is almost certainly that your calling user context doesn't have the permissions in place to make the call, for some reason. We do have this call working fine in our test environments, so I would encourage you to report this through D2L's support desk, and note that it's an API calling issue. You can help move it along significantly if you can provide a packet trace (via Fiddler or Wireshark) of a successful API call, and the not-good call, both outgoing request and response back along with your incident.
If, after opening the incident, you can report the INC number back here in a comment, I can try to expedite assistance at our end.
Well, it was a permissions issue and the call -> /d2l/api/lp/1.2/users/ needed the "User Management Tool" (something like that) permission, which my calling user didn't have at the root organization level. I was also getting an empty result set for the call -> /d2l/api/lp/1.2/enrollments/orgUnits/{OrgUnitID}/users/ this needed the "View User Enrollments" permissions again at the root level.
After enabling those 2 permissions, I'm able to get the expected results.
Related
I am trying to collect all active TIs via the Beta Graph API by following this. But it doesn't return anything. Here is what I use in Postman:
https://graph.microsoft.com/beta/security/tiIndicators
Response (200):
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/tiIndicators",
"value": []
}
A bit of context for the environment I work in.
The tenant has multiple Sentinel workspaces & resource groups.
The application I use has the correct permissions:
ThreatIndicators.Read.All
ThreatIndicators.ReadWrite.OwnedBy
ThreatSubmission.Read.All
ThreatSubmission.ReadWrite.All
It is my current belief that this might be due to the limitations of the Beta API. My reasoning is that according to this documentation you need the ThreatIndicators.ReadWrite.OwnedBy permission to access the API. This would suggest that currently you can only view TIs that the resource itself created.
If more info is needed just ask.
According to the documentation, ThreatIndicators.ReadWrite.OwnedBy permission allows you to manage threat indicators your app creates or owns.
If you want to read all the threat indicators for your organization then your app needs ThreatIndicators.Read.All permission.
Although this is not a solution to the question it is a workaround. By using the Log Analytics API you can get the TI via a KQL.
ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and
NetworkIP matches regex @"^(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$" and
ConfidenceScore > 25
| summarize by NetworkIP
This is probably better as you can also use a watchlist to exclude specific IP addresses with one request.
One thing I struggled with was authorization. You must give your Application permission to use the api.loganalytics.io API, and the application needs the Log Analytics Reader role in the Log Analytics workspace you want to use.
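An added example, not part of the original answer: the workaround as a client-credentials call to the Log Analytics query API, using the answer's KQL unchanged. The function names, the placeholder arguments and the sample response are assumptions made for illustration.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
# The KQL from the answer above, sent unchanged as the query.
KQL = r'''ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and
NetworkIP matches regex @"^(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$" and
ConfidenceScore > 25
| summarize by NetworkIP'''

def token_request(tenant, client_id, client_secret):
    """Client-credentials token request scoped to the Log Analytics API."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://api.loganalytics.io/.default"}
    return Request(TOKEN_URL.format(tenant=tenant), data=urlencode(form).encode(), method="POST")

def query_request(workspace_id, access_token, kql=KQL):
    """POST the KQL to one workspace, authenticated with the bearer token."""
    headers = {"Authorization": "Bearer " + access_token, "Content-Type": "application/json"}
    return Request(QUERY_URL.format(workspace=workspace_id),
                   data=json.dumps({"query": kql}).encode(), headers=headers, method="POST")

def indicator_ips(response_json):
    """Flatten the tables/columns/rows response into a sorted list of IPs."""
    ips = set()
    for table in response_json.get("tables", []):
        col = [c["name"] for c in table["columns"]].index("NetworkIP")
        ips.update(row[col] for row in table["rows"] if row[col])
    return sorted(ips)

def fetch_indicator_ips(tenant, client_id, client_secret, workspace_id):
    """Live call: token, then query. 401/403 point at the two grants named above."""
    try:
        with urlopen(token_request(tenant, client_id, client_secret), timeout=30) as r:
            token = json.load(r)["access_token"]
        with urlopen(query_request(workspace_id, token), timeout=30) as r:
            return indicator_ips(json.load(r))
    except HTTPError as e:
        hint = " (check API permission and Log Analytics Reader role)" if e.code in (401, 403) else ""
        raise RuntimeError(f"HTTP {e.code}{hint}") from e

# Constructed sample response (documentation-range IPs), not real indicator data.
SAMPLE = {"tables": [{"name": "PrimaryResult",
                      "columns": [{"name": "NetworkIP", "type": "string"}],
                      "rows": [["203.0.113.10"], ["198.51.100.7"], [""]]}]}
```

Because the query is scoped to one workspace ID, a tenant with several Sentinel workspaces needs one call, and one role assignment, per workspace.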
I am running Jira on docker. And making a simple rest API call to make a new project.
But I am getting an error "You must specify a valid project lead".
I AM indeed specifying a valid user called "userOne" that I have made on my server.
Can someone help me out what the problem is?
I have attached a picture of the POST request that I am making
and the response that I am getting.
Additionally: the user that I am trying to make the lead is an ACTIVE user.
The screenshot for that is attached below too. [in case that is something that can cause problems]
userOne is the full name of your user. The endpoint is expecting the username (which is unique across the whole instance), try changing it to user1.
I'm trying to use the Microsoft Graph explorer to retrieve my own tasks: https://graph.microsoft.com/v1.0/me/planner
But it's returning: "Failure - Status Code 403. Looks like you may not have the permissions for this call. Please modify your permissions."
How can I fix this without having the administrator sitting physically next to me? Besides that, I don't know at this moment who this could be anyway.
Why do I need those permissions anyway, since I'm only requesting my own tasks?
Indeed, there is no other option than admin consent to Group.Read.All. Finally figured out who could do that in the organisation. Still strange you need admin consent for your app to read your own tasks.
When I make API calls to the server, I'm getting 404 errors for various data -- grades, role IDs, terms -- that I won't get on the next time I call it. The data's there on the server, viewable by the same user, and is often returned successfully, but not every time. The same user context will return data successfully for other calls.
Any ideas what could be causing this?
I'm using the Valence API with the Python client library and our 9.4.1 SP18 instance of Desire2Learn in a non-interactive script.
more detail: the text it returns on the bad 404s is " ErrorThe system cannot find the path specified."
It would help enormously to gather data about your case: packet traces that can show successful calls from your client alongside unsuccessful calls, in particular, would be very useful to see. If you are quite certain (and I see no reason you shouldn't be from your description) that you're forming the calls in the right way each time you make them, then the kind of behaviour you're noticing would seem to speak to some wider network or configuration issue: sometimes your calls are properly getting through the web service layer, and sometimes they are not -- this would seem therefore not to be down to the way you're using the API but in the way the service is able to receive that request.
I would encourage you, especially if you can gather data to provide showing this behaviour, to open a support incident with Desire2Learn's help desk in conjunction with your Approved Support Contact, or your Partner Manager (depending on whether you're a D2L client or a D2L partner).
I have a Microsoft Teams daemon service app with application-level permissions. I can call GET on urls like https://graph.microsoft.com/v1.0/users and it works fine.
However, if I want to get something like https://graph.microsoft.com/v1.0/users/me/onenote/notebooks/getRecentNotebooks, I get InvalidAccessToken even though I have permissions enabled for it in my daemon app. I've tried eliminating the me from the url, replacing it with my tenant address, users, users/uid, myOrganization, etc, but I get Error 400 in those cases. No combination I've tried seems to work.
What is the proper format for calling urls like this for a daemon service app with application-level permissions?
In an application context 'me' doesn't mean anything. There's no user authenticated so the access token doesn't give your application access from the viewpoint of a particular user.
Instead of /users/me/, call Graph with /users/user-guid/ or /users/user-principal-name. For example, https://graph.microsoft.com/v1.0/users/ce900c69-ac07-450a-ad2f-f56e42ee621e/onenote or https://graph.microsoft.com/v1.0/users/jon@doe.com/onenote
Docs: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
Edit:
Also check out the Graph explorer for samples like this:
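An added example, not part of the original answer and not a Graph explorer sample: a troubleshooting helper that reads a Graph access token's claims to tell an app-only token (`roles` claim) from a delegated one (`scp` claim) and flags a `me` path segment or a missing permission. The function names and the two unsigned sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

def decode_claims(jwt):
    """Return the payload claims WITHOUT verifying the signature.
    Diagnostics only: never base an authorization decision on this."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims):
    """Delegated tokens carry space-separated 'scp'; app-only tokens carry 'roles'."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))

def triage(jwt, url, needed):
    """List the reasons this token is likely to be rejected for this call."""
    kind, granted = granted_permissions(decode_claims(jwt))
    findings = []
    if kind == "application" and "me" in urlparse(url).path.split("/"):
        findings.append("app-only token has no signed-in user: "
                        "use /users/{id or userPrincipalName} instead of 'me'")
    if needed not in granted:
        findings.append(f"{needed} is not in the token ({kind} permissions: "
                        f"{sorted(granted)}); grant or consent it, then get a new token")
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed sample tokens, not real credentials.
APP_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                               "roles": ["User.Read.All"]})
USER_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                                "scp": "User.Read Tasks.Read"})
```

A permission granted in the portal after the token was issued does not appear in that token, so the check should be repeated on a freshly acquired one.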