FYI (annnnd also to bump this post)… it took many tries to get that far, so I could be missing something simple.
Running the EFx in the UI as the service account user required giving additional permissions I never needed before, to include one of the Function developer-type groups.
I could be missing something still, but I feel like if I could run it as that user in the UI, then API should not be different.
Lemme see if I can run a different Function from the same library. I feel like I tested that already, but it’s a blur now.
There’s a checkbox in User Account Maint. under System Access to “Allow API V1”.
Is that checked for your service account?
I think turning this off per user was added in 2024.1. Old users were grandfathered in with the checkbox checked. New users default to this being false.
Had another thought… I don’t use Access Scopes, so I’ve been reading up on them.
Did you add the Access Scope to the API itself? Since your user can run it and schedule it in the UI… I agree it is the API that can’t reach it.
My understanding is that you would assign the Access Scope to the API… add the Library to the Access Scope. You shouldn’t HAVE to add the Access Scope directly to the library itself.
Can you take the Access Scope off and test whether your Service Account can then schedule it via Postman? That would tell you if it is the Scope that is the issue.
My thoughts are when you do it internally via the UI, you’re authenticating with the UserID and its Access Scope. But when you’re using API/Postman, you’re authenticating via the API so the Access Scope assigned there is controlling.
So I knew all of that, but you made me take a second look and, well, you are right.
So, as a rule, I (personally) never specify the Functions in Access Scope; I just add the library and leave the function area blank, which implicitly allows all functions (inheritance style). Whereas if you specify any Functions, it serves to exclude all others in the library.
And I assumed that was the case here. Nope. I think this was one a former coworker did, and she itemized the Functions. So when I created a new Function, it was not here in the list, thus denying the access.
I even thought about asking whether you were explicitly declaring functions within the Library or not… but figured you knew a hell of a lot more about these things than I did, haha. I didn’t want to ask too much of a newb question.
Yep, same deal if you start specifying the Business Objects and Methods. I definitely recommend doing that, though; it is best security practice and it helps you keep everything clean.
I get the wisdom, but, oh, I don’t know, I guess I am pretty proud to have access scope at all!
You know the flip side of all of that is that you really need to assign at least one BO (“service”), BAQ, and Function Library to all Access Scopes.
Meaning, if you specify a BAQ but leave the services empty - like I always do - you essentially have closed the front door but left the garage door wide open.
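The two rules worked out in this thread (a blank function list inherits every function while an itemized list excludes the rest, and an empty category leaves that category unrestricted) can be modelled and audited as below. This is an added example, not part of the thread and not Epicor code: the dict layout, scope names and function names are all hypothetical, and the assumption that a library missing from a non-empty library list is denied is mine.

```python
# Toy model of the Access Scope behaviour described in this thread.
# Not Epicor code: the dict layout and every name here are hypothetical.
CATEGORIES = ("services", "baqs", "libraries")

def function_allowed(scope, library, function):
    """Return True if the scope lets an API caller run library.function."""
    libraries = scope.get("libraries") or {}
    if not libraries:
        # Empty category: nothing restricts it (the "garage door" case).
        return True
    if library not in libraries:
        # Assumption: a non-empty library list denies unlisted libraries.
        return False
    listed = libraries[library]
    # A blank function list inherits every function in the library;
    # an itemized list excludes everything that is not named.
    return not listed or function in listed

def audit_scope(name, scope):
    """List the scope settings an administrator should review."""
    findings = []
    for category in CATEGORIES:
        if not scope.get(category):
            findings.append((name, category, "empty: category is unrestricted"))
    for lib, funcs in (scope.get("libraries") or {}).items():
        if funcs:
            findings.append((name, lib, "itemized: new functions denied until listed"))
        else:
            findings.append((name, lib, "blank: all current and future functions allowed"))
    return findings

# Constructed sample scopes (placeholder names, not real objects).
SCOPES = {
    "itemized": {"services": ["SampleSvc"], "baqs": ["SampleBAQ"],
                 "libraries": {"OrderLib": ["GetStatus", "SubmitOrder"]}},
    "blank": {"services": ["SampleSvc"], "baqs": ["SampleBAQ"],
              "libraries": {"OrderLib": []}},
    "baq_only": {"services": [], "baqs": ["SampleBAQ"], "libraries": {}},
}

if __name__ == "__main__":
    for scope_name, scope in SCOPES.items():
        ok = function_allowed(scope, "OrderLib", "NewFunction")
        print(f"{scope_name}: OrderLib.NewFunction allowed={ok}")
        for finding in audit_scope(scope_name, scope):
            print("   ", finding)
```
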