eclipse-tractusx / portal-iam

IAM - Keycloak instances
Apache License 2.0

App Registration | Upload App Roles | 403 Forbidden | App manager is unable to register an App #147

Open typecastcloud opened 2 days ago

typecastcloud commented 2 days ago

Current Behavior

API returns 403 error forbidden while uploading the required file. https://portal-backend.entry.cofinity-x.com/api/apps/AppReleaseProcess/b6efcea6-d871-4f3c-a33b-0ea48a7a26ce/roles

Request Method: GET

Status Code: 403 Forbidden

Expected Behavior

App Manager can upload App Roles document.

Steps To Reproduce

  1. Log in to the portal as App manager
  2. Navigate to App Management → App Release Process → Register your App
  3. Create App and proceed with the next steps
  4. On Technical Integration, upload the User Role file
  5. Hit “Upload App roles”

Finding

App Manager is missing the role: view_client_roles from Cl2-CX-Portal required to access GET endpoint https://portal-backend.entry.cofinity-x.com/api/apps/AppReleaseProcess/{appid}/roles
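
One way to confirm the finding above from a captured access token, as an added example that is not part of the issue thread or the project's code: it decodes a Keycloak token payload and reports which required client roles are absent. The sample token and its placeholder role names are constructed; the `resource_access.<client>.roles` claim layout is Keycloak's default and is assumed here.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_roles(claims: dict, client_id: str) -> set:
    """Roles listed under resource_access.<client_id>.roles (empty set if absent)."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def missing_roles(token: str, client_id: str, required) -> set:
    """Required client roles that the token does not carry."""
    return set(required) - client_roles(jwt_claims(token), client_id)


def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: placeholder role names, dummy signature segment.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "preferred_username": "constructed-app-manager",
        "resource_access": {
            "Cl2-CX-Portal": {"roles": ["placeholder_role_a", "placeholder_role_b"]}
        },
    }),
    "c2ln",
])

if __name__ == "__main__":
    # Client and role name are the ones named in the finding above.
    absent = missing_roles(SAMPLE_TOKEN, "Cl2-CX-Portal", ["view_client_roles"])
    print("missing roles:", sorted(absent) or "none")
```
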

evegufy commented 2 days ago

Hi @typecastcloud thanks for reporting, I can reproduce the issue and yes, adding the role view_client_roles to App Manager would solve it.

The endpoint was introduced with our latest version (2.0.0): https://github.com/eclipse-tractusx/portal-backend/pull/633/files#diff-01c4a6a7c5ebe2470acb750a3f512fe7694120e9285046443a9a916db3de244eR508

But the R&R concept doesn't cover it

@jjeroch was it simply missed to add view_client_roles to App Manager in the cx-central realm or is the authorization on the endpoint not correct?

jjeroch commented 2 hours ago

Recheck done, this issue is (as already assumed by @evegufy) on the endpoint side. view_client_roles is supposed to get used when it comes to actual role assignment. Since the App Manager is not supposed to assign roles to company users, the permission is not expected to be assigned. Instead the permission of the following endpoints needs to get switched