I am trying to get the proper access token using API client. The API client has the following scopes enabled.
Scopes:
sp:scopes:default
sp:scopes:all
idn:identity-request-service:manage
idn:identity-request-service:read
idn:service-desk-admin:manage
When I use the generated token I get the following:
{
  "detailCode": "403 Forbidden",
  "trackingId": "bdeec483d4e94341877f2af275684ceb",
  "messages": [
    {"locale": "en-US", "localeOrigin": "DEFAULT", "text": "The server understood the request but refuses to authorize it."},
    {"locale": "und", "localeOrigin": "REQUEST", "text": "The server understood the request but refuses to authorize it"}
  ]
}
When I get a token from a UI session, my GET and/or POST for service-desk-integration works.
I have also tried using a personal token…
For starters, you should only use sp:scopes:all if you want to grant all permissions to the user. The way you have your scopes assigned now means that the user will have access to everything in their user level. If you actually want to limit the user to a subset of scopes, then only apply the following:
idn:identity-request-service:manage
idn:identity-request-service:read
idn:service-desk-admin:manage
As for your forbidden message, it could be one of two issues. If you are creating a personal access token (PAT), make sure the user level is appropriate as described here:
If you are creating OAuth credentials with the client credentials grant type, then you should know that client credentials is very limited in what APIs it can call. You are almost always better off using a PAT or using the authorization grant type.
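The quickest way to tell whether the 403 comes from the token's scopes or from the identity's user level is to look at what the token actually carries before calling the API. The following is an added example, not code from the thread or from SailPoint: it decodes a bearer JWT locally (no signature check; that remains the server's job), compares its scope claim against the reduced scope set recommended above, and builds (without sending) a client-credentials token request. The `/oauth/token` path, the form field names, and the assumption that the token is a JWT with a `scope` claim are assumptions about the tenant API; the sample token is constructed for offline use.

```python
"""Inspect the scopes inside a bearer token to narrow down a 403.

Added example, not from the thread. Assumes the token is a JWT whose payload
carries a "scope" claim (space-separated string or list); the token endpoint
URL and form fields are assumptions about the tenant API.
"""
import base64
import json
import urllib.parse
import urllib.request

# Scopes the original post had enabled on the API client.
ENABLED_SCOPES = [
    "sp:scopes:default",
    "sp:scopes:all",
    "idn:identity-request-service:manage",
    "idn:identity-request-service:read",
    "idn:service-desk-admin:manage",
]

# The least-privilege subset the answer recommends instead of sp:scopes:all.
MINIMAL_SCOPES = [s for s in ENABLED_SCOPES if not s.startswith("sp:scopes:")]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Local inspection only: the server still validates the token it receives.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> set:
    """Scopes granted to the token, read from its 'scope' claim (assumed name)."""
    scope = jwt_claims(token).get("scope", "")
    if isinstance(scope, list):
        return set(scope)
    return set(scope.split())


def missing_scopes(token: str, required) -> list:
    """Required scopes the token lacks; an empty list means scopes are not the cause."""
    return sorted(set(required) - token_scopes(token))


def build_token_request(base_url: str, client_id: str, client_secret: str):
    """Build (not send) a client-credentials request.

    The /oauth/token path and field names are assumptions about the tenant API.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample JWT for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed token that has read access but not the manage scopes.
    sample = make_sample_jwt({
        "sub": "example-client",
        "scope": "sp:scopes:default idn:identity-request-service:read",
    })
    print("token scopes:", sorted(token_scopes(sample)))
    print("missing for service desk admin:", missing_scopes(sample, MINIMAL_SCOPES))
```

If `missing_scopes` comes back empty for a real token and the API still answers 403, the scopes are not the problem and the identity behind the client (its user level, or the admin requirement for service desk integrations) is the next thing to check. To actually obtain a token, pass the request from `build_token_request` to `urllib.request.urlopen` with a real tenant URL and credentials.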
Hi Richard,
For Service Desk Integrations, Admin-level permissions are required. As per my understanding, we cannot use an API client for this integration. Please create a Service Account, give it Admin permission, then generate the PAT for it and use that in the integration.
Thank you all. It turns out my ID has a permission issue. I created a new admin account and was able to generate the client ID with the proper rights. SailPoint is working on the issue.