ScienceLogic REST API X-EM7-RUN-AS header validation
We discovered that, after updating our SL1 platform from 12.1 to 12.3, the validation of the REST API request header "X-EM7-RUN-AS" has changed and is now stricter.
In SL 12.1 we can (for example) delete an event using admin credentials and use the X-EM7-RUN-AS header to actually execute the request on behalf of a different user (in our scenario we use a customer-specific account). We used '/api/account/<accountid>' as the value for this header.
Since SL 12.3 (or somewhere after 12.1), we noticed that '/api/account/<accountid>' is no longer accepted: any REST API call using X-EM7-RUN-AS with the value '/api/account/<accountid>' returns HTTP 401 Unauthorized with the corresponding message:
{
    "errors": [
        {
            "errorcode": "NO_AUTH",
            "message": "Valid authentication credentials not provided"
        }
    ],
    "messages": [],
    "resource_body": null
}
However, if I simply put '<accountid>' as the value for this header, the request succeeds.
Can you please improve the documentation (https://docs.sciencelogic.com/api-developer-docs/Content/Web_Content_Dev_and_Integration/ScienceLogic_API/methods_headers_and_responses.htm#request-headers) and specify that the value for this header must be a number which matches a real user in the system.
Also, the request fails when using an account id value and that account is inactive. It would be nice to read that in the docs as well.
Error message when trying to execute an action on a suspended user:
{
    "errors": [
        {
            "errorcode": "NO_AUTH",
            "message": "Account \u0027em7admin\u0027 failed authentication due to 1 account restriction(s)"
        }
    ],
    "messages": [
        "This account is marked as \u0022inactive\u0022"
    ],
    "resource_body": null
}
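As an added example (not code from the post or from ScienceLogic), the following Python helper sends an SL1 REST call with admin Basic auth plus an X-EM7-RUN-AS header, reduces the pre-12.3 '/api/account/<accountid>' form to the bare numeric id that 12.3 accepts, and tells the two 401 bodies quoted above apart: both carry errorcode NO_AUTH, so only the "messages" array reveals that the run-as account is inactive. The host name, the /api/event/123 URI, the credentials and the account id 42 are assumptions; the two response bodies are the ones quoted in the post, embedded here as constructed byte strings so the classification runs offline.

```python
"""Added example (not ScienceLogic's code): run an SL1 REST call as another
account via X-EM7-RUN-AS and interpret the NO_AUTH bodies quoted in the post."""
import base64
import json
import re
import urllib.error
import urllib.request

# Assumed host name; the post names no host.
SL1_BASE = "https://sl1.example.com"

# Response bodies quoted in the post (constructed here as byte strings).
BODY_URI_FORM_REJECTED = (
    b'{"errors":[{"errorcode":"NO_AUTH",'
    b'"message":"Valid authentication credentials not provided"}],'
    b'"messages":[],"resource_body":null}'
)
BODY_INACTIVE_ACCOUNT = (
    b'{"errors":[{"errorcode":"NO_AUTH","message":"Account \\u0027em7admin\\u0027 '
    b'failed authentication due to 1 account restriction(s)"}],'
    b'"messages":["This account is marked as \\u0022inactive\\u0022"],'
    b'"resource_body":null}'
)


def run_as_header_value(account: str) -> str:
    """Return the header value SL1 12.3+ accepts: the bare numeric account id.
    The pre-12.3 form '/api/account/<id>' is reduced to '<id>' because, per the
    post, 12.3.0 answers the URI form with NO_AUTH but accepts the bare id."""
    m = re.fullmatch(r"(?:/api/account/)?(\d+)", account.strip())
    if not m:
        raise ValueError(f"not an account id or /api/account/<id> URI: {account!r}")
    return m.group(1)


def is_valid_run_as(account: str) -> bool:
    """True if the value can be turned into an id SL1 12.3 will accept."""
    try:
        run_as_header_value(account)
        return True
    except ValueError:
        return False


def classify_response(status: int, body: bytes) -> str:
    """Map an SL1 response to 'ok', 'no_auth', 'inactive_account' or 'other'.
    Both 401 bodies in the post share errorcode NO_AUTH; only the 'messages'
    array distinguishes an inactive run-as account from rejected credentials."""
    if status < 400:
        return "ok"
    try:
        doc = json.loads(body)
    except ValueError:
        return "other"
    errors = doc.get("errors") or []
    if not any(e.get("errorcode") == "NO_AUTH" for e in errors):
        return "other"
    messages = doc.get("messages") or []
    if any("inactive" in str(m).lower() for m in messages):
        return "inactive_account"
    return "no_auth"


def build_request(method: str, uri: str, user: str, password: str, run_as: str):
    """Build <method> <uri> with admin Basic auth, executed as account <run_as>."""
    req = urllib.request.Request(SL1_BASE + uri, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    # Send the bare id, the only form accepted since 12.3.0 according to the post.
    req.add_header("X-EM7-RUN-AS", run_as_header_value(run_as))
    req.add_header("Accept", "application/json")
    return req


def call_as(method: str, uri: str, user: str, password: str, run_as: str) -> str:
    """Perform the call over the network and return its classification."""
    req = build_request(method, uri, user, password, run_as)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())


if __name__ == "__main__":
    # Offline demonstration on the post's two bodies (no network access).
    print(run_as_header_value("/api/account/42"))          # 42
    print(classify_response(401, BODY_URI_FORM_REJECTED))   # no_auth
    print(classify_response(401, BODY_INACTIVE_ACCOUNT))    # inactive_account
    # A real call would be: call_as("DELETE", "/api/event/123", "em7admin", "...", "42")
```

Because the URI-form rejection and a plain bad-credentials failure produce the same NO_AUTH body, the helper validates the run-as value before sending rather than trying to infer the cause afterwards; the inactive-account case is the only one the server itself explains in "messages".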
Hi Tom. After doing some research, it looks like this change in functionality occurred in 12.3.0. I have created a backlog ticket to get this info updated in our API documentation. Thank you for bringing it to our attention.