topic Permission Denied When Exporting and Downloading App in Integration, Extension & APIs

Permission Denied When Exporting and Downloading App

Stentone — Thu, 07 Mar 2024 14:31:14 GMT

I am attempting to set up an OAuth client that can be used to programmatically export and download an app from a shared space via the Qlik Cloud REST API.

I am successfully able to run the export POST request, "https://<tenant>.<region>.qlikcloud.com/api/v1/apps/<appId>/export", and receive the location header specifying a temp-contents ID. However, when I try to get the file from temp-contents endpoint via GET "https://<tenant>.<region>.qlikcloud.com/api/v1/temp-contents/<id>", I receive a response with a "404 Not Found" status with the following body:

{ "traceId": "a5075a43661a3dde6633722c7ed6e8b5", "errors": [ { "code": "TCS-012", "title": "Unable to retrieve metadata", "detail": "Metadata can't be retrieved", "meta": { "locale": "en-US", "errorType": "Error", "sourceErrors": "permission denied" } } ] }

While it is returning a 404 error, the body's message suggests the client does not have sufficient permissions. I get the same error when trying the "/temp-contents/<id>/details" endpoint.

The client has the 'Analyzer' entitlement with the 'Tenant Admin' role. It is of type 'Web', has the M2M option checked, and has the trusted consent method.

It has access to the 'admin.apps:export' and 'admin.apps:read' scopes as well as the "Can view" and "Can edit" space permissions in the shared space that the app I'm trying to export resides. I've also tried different combinations of space permissions and OAuth scopes to no avail.

My testing workflow has been to retrieve a token via "https://<tenant>.<region>.qlikcloud.com/oauth/token" with the previously mentioned scopes and use that to authenticate for the export and temp-contents requests.

Am I missing something here? Is there a way that I can debug and evaluate permissions for this, or view what's available in the temporary content service?

Any help would be appreciated!

Re: Permission Denied When Exporting and Downloading App

wow0609 — Fri, 26 Apr 2024 16:17:11 GMT

We have the same issue. We initially went about it a different way outlined in this post: https://community.qlik.com/t5/Security-Governance/Qlik-Embed-Chart-Table-ExportData-throws-quot-Access-Denied-quot/m-p/2440829#M2081

But got no responses. In the meantime, we rewrote the export/download logic to follow your example above.

What is interesting is that this works for us in the Microsoft EDGE browser, but fails with the TCS-012: Permission Denied, Metadata can't be retrieved message.

So, if any Qlik folks can chime in here, or if the OP has found a solution, we are all ears!

Re: Permission Denied When Exporting and Downloading App

Dave_Channon — Sun, 28 Apr 2024 15:32:29 GMT

@Stentone does it work if you use the same OAuth token for both requests? And does it work if the OAuth client has the admin_classic scope?

Re: Permission Denied When Exporting and Downloading App

Stentone — Mon, 29 Apr 2024 18:05:45 GMT

Hey @Dave_Channon, I am using the same OAuth token for both requests when the error comes up. Since then, however, I've been able to get it to work by either providing the 'admin_classic' scope (as you mentioned) or the 'user_default' scope.

The combination of scopes that I am currently using and are working are the following:

user_default
spaces.shared:read
spaces.managed:read
spaces.data:read

I've kept everything else, space permissions and the like mentioned in the original post, the same.

I'd like to follow the suggestions in the documentation to avoid the use of 'user_default' and 'admin_classic' in favor of least privilege principles, but it seems at least one of the two, from my experience, is required. I am open to trying other configurations if you have suggestions though!

Re: Permission Denied When Exporting and Downloading App

Stentone — Mon, 29 Apr 2024 18:11:13 GMT

Hey @wow0609 , thanks for your response. I feel a bit better that someone else has ran into the same issue. I did eventually get it to work which I mention in my previous response to Dave, but I'll highlight again what worked for me if you'd like to replicate it.

Basically this combination of scopes, and keeping all the other configurations like space permissions the same as my original post, is what does it for me:

user_default
spaces.shared:read
spaces.managed:read
spaces.data:read

It's not my favorite solution since it uses 'user_default', but it gets the job done.

Re: Permission Denied When Exporting and Downloading App

Dave_Channon — Thu, 13 Jun 2024 00:47:54 GMT

A quick update - I haven't forgotten about this. We'll provide a solution that supports this, but we have a few things to fix first. My intention is that we provide a scope that allows you to export an app, which supports the end-to-end flow 👍

Re: Permission Denied When Exporting and Downloading App

Dave_Channon — Thu, 11 Jul 2024 09:33:21 GMT

Hi @Stentone this has now been fixed. An OAuth user who has access to the space via membership will be able to export apps in that space with two non-admin scopes:

apps:export
apps:read