Accessing Workspace content using Application ID and secret

As an admin, I created a role to access workspace content and have been trying to access workspace content by pointing an application to a user with that role.

But I see the error “workspace role for workspace *************** not found”, User not permitted to perform this action.

What is missing, why is the user not permitted to perform the action.

Hi @boddubr, welcome to the developer community!

As an admin, I created a role to access workspace content and have been trying to access workspace content by pointing an application to a user with that role.

Even as an admin, whether organization admin or instance admin, we do not allow access to the content of workspaces unless you are the workspace owner or a workspace collaborator. This is by design for security reasons. An org admin can manage which users are members of an org and general organization management, but can never directly access the content in workspaces unless given explicit permissions from the workspace owner.

A few questions:

  1. What is the use case you are trying to solve? Perhaps there is another solution to help solve your problem.
  2. We have instance admin, and org admin. Instance admin is only for on-prem customers, so I’m guessing you are an Organization Admin. Can you confirm?

We are trying to audit workspaces for content which is not meeting the compliance requirements.
I added a user with the org admin role as a collaborator on a workspace to test, and created a new app. I am using the credentials of that app to access the workspace content.

Sorry you are having trouble.

A few more questions to help troubleshoot what could be going on:

  1. Are you able to access the workspace with our UI when logged in as the user you created as a collaborator of the workspace?

  2. How are you generating the bearer token for API calls?

  3. Can you provide the API call you are making that is causing you trouble (either REST or graphQL)?

  4. Can you confirm that the bearer token you are using is tied to the correct user needed to access the workspace with:

GET {{API_path}}/v3/users/me

example curl (note the closing quote on the Authorization header):

curl --location --request GET 'https://api.apps.us.bluescape.com/v3/users/me' \
--header 'Authorization: Bearer <yourToken>'

  5. You can also verify the user's role with:
    GET {{API_path}}/v3/users/me/role

  6. Or verify the user's accessible workspaces to confirm the user has access to the workspace:
    GET {{API_path}}/v3/users/me/workspaces

For 1. Yes

For 2. I am using the app's ID and secret with identity-**********/api/v2/oauth2/token to get the token

For 3. The elements query is what I was trying, using GraphQL

For 4. I see the right user in /me

For 5. I see the permission in the role. This is from a custom role.

"permissions": [ "can_list_users", "can_list_organizations_2", "can_list_workspaces", "can_list_workspace_collaborators", "can_list_organization_roles", "can_list_workspace_roles", "can_list_template_roles", "can_list_tos", "can_create_tos", "can_edit_tos", "can_delete_tos", "can_list_user_tos", "can_list_all_custom_link", "can_download_workspace_content", "can_view_workspace_content" ]

For 6. I do not see the workspaces.

and this is the error I see

{'errors': [{'name': 'ForbiddenError', 'message': 'workspace role for workspace 9iJvJBjMNxmDjeYgRYaL not found: {"requestId":"094ed706-c1b9-4516-8c04-8821a6cbfe7e","uuid":"04abe2ab-e874-47be-919a-48384aa6130d","code":"UserForbidden","message":"User not permitted to perform this action"}', 'statusCode': 403}]}

All the management APIs work fine, but the content APIs do not seem to work even though I have the right permissions. I also have the user added as an editor for the workspace, but the query still does not work.
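The troubleshooting checklist in the reply above (check /v3/users/me, /v3/users/me/role and /v3/users/me/workspaces before running a content query) and the ForbiddenError pasted in this post can both be handled with a small script. The following is an added example written for this page; it is not code from the thread or from Bluescape's own tooling. The response field names it assumes ("id", "name", "permissions", "workspaces") are illustrative guesses about the payload shape, not documented fields, and the sample /me, /me/role and /me/workspaces responses are constructed inline. The error document is the one shown in this post.

```python
"""Preflight a Bluescape API token against a target workspace and unpack a
GraphQL ForbiddenError. Added example, not Bluescape's code.

Assumptions (not from the page): /users/me returns {"id": ...},
/users/me/role returns {"name": ..., "permissions": [...]}, and
/users/me/workspaces returns {"workspaces": [{"id": ...}, ...]}.
"""
import json
import re

_WS_RE = re.compile(r"workspace role for workspace (\S+) not found")


def preflight_checks(me: dict, role: dict, workspaces: dict,
                     expected_user_id: str, target_workspace_id: str) -> list:
    """Apply the checklist from the thread to already-fetched JSON.

    Returns a list of human-readable findings; an empty list means the
    token identity, role and collaborator membership all line up.
    """
    findings = []
    # 4. Is the bearer token tied to the user we think it is?
    if me.get("id") != expected_user_id:
        findings.append(f"token belongs to user {me.get('id')!r}, expected {expected_user_id!r}")
    # 5. Does the role carry the content permissions at all?
    perms = set(role.get("permissions", []))
    for needed in ("can_view_workspace_content", "can_list_workspaces"):
        if needed not in perms:
            findings.append(f"role {role.get('name')!r} lacks {needed}")
    # 6. Is the user actually a collaborator on the target workspace?
    ws_ids = {ws.get("id") for ws in workspaces.get("workspaces", [])}
    if not ws_ids:
        findings.append("/users/me/workspaces is empty: user is not a collaborator on any workspace")
    elif target_workspace_id not in ws_ids:
        findings.append(f"workspace {target_workspace_id} is not in the user's accessible workspaces")
    return findings


def parse_forbidden_error(response: dict) -> list:
    """Extract workspace id, requestId and code from GraphQL errors.

    The message field embeds a second JSON document after the first '{';
    the requestId in it is what support would need to trace the call.
    """
    parsed = []
    for err in response.get("errors", []):
        msg = err.get("message", "")
        item = {"name": err.get("name"), "statusCode": err.get("statusCode"),
                "workspace": None, "requestId": None, "code": None}
        m = _WS_RE.search(msg)
        if m:
            item["workspace"] = m.group(1)
        brace = msg.find("{")
        if brace != -1:
            try:
                nested = json.loads(msg[brace:])
                item["requestId"] = nested.get("requestId")
                item["code"] = nested.get("code")
            except json.JSONDecodeError:
                pass  # message was not followed by well-formed JSON
        parsed.append(item)
    return parsed


# Constructed sample responses mirroring the situation in the thread:
# the right user, a custom role that does list the content permissions,
# and an empty workspace list.
SAMPLE_ME = {"id": "user-123"}
SAMPLE_ROLE = {"name": "custom-audit", "permissions": [
    "can_list_users", "can_list_workspaces", "can_list_workspace_collaborators",
    "can_download_workspace_content", "can_view_workspace_content"]}
SAMPLE_WORKSPACES_EMPTY = {"workspaces": []}
SAMPLE_WORKSPACES_OK = {"workspaces": [{"id": "9iJvJBjMNxmDjeYgRYaL"}]}
TARGET_WS = "9iJvJBjMNxmDjeYgRYaL"

# The error document from this post, as a Python dict.
SAMPLE_ERROR = {"errors": [{"name": "ForbiddenError", "statusCode": 403, "message":
    'workspace role for workspace 9iJvJBjMNxmDjeYgRYaL not found: '
    '{"requestId":"094ed706-c1b9-4516-8c04-8821a6cbfe7e",'
    '"uuid":"04abe2ab-e874-47be-919a-48384aa6130d",'
    '"code":"UserForbidden","message":"User not permitted to perform this action"}'}]}

if __name__ == "__main__":
    for finding in preflight_checks(SAMPLE_ME, SAMPLE_ROLE, SAMPLE_WORKSPACES_EMPTY,
                                    "user-123", TARGET_WS):
        print("preflight:", finding)
    for item in parse_forbidden_error(SAMPLE_ERROR):
        print("error:", item)
```

Run the preflight on the three management responses before the GraphQL elements query; if it reports an empty workspace list while the role looks right, the token was minted for an identity that is not the collaborator, which is the same thing the ForbiddenError's "workspace role ... not found" is saying from the server side.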

It’s interesting that you aren’t able to list your own workspaces from /v3/users/me/workspaces, you must have something wrong with your custom role.

A few more follow up questions:

For 2. I am using the app's ID and secret with identity-**********/api/v2/oauth2/token to get the token

  • What OAuth method are you using to generate the token?
    • Are you using the code flow, which requires the user to manually authorize API access? You would need the user login information and go through authentication before authorization to generate the access code.

For 4. I see the right user in /me

And this is the org admin user? Or is this the user that is added as the workspace collaborator?

For 5. I see the permission in the role. This is from a custom role.

What is the resource type for the custom role? How did you create the role? Can you try switching back to the default role?
