Solved: Re: User API Error of Access Denied Code AML-109 - Qlik Community

jackm75 · ‎2023-11-16

I am calling an API endpoint to a data source in a space where the user has Can Consume Data as well as other permissions applied. This works just fine when I reload the app (creator/owner of the app, API and data source). However, when reloaded by the user who has seemingly proper permissions, she gets the below message.

What could I be missing?

Final note: For several months, I had a button click which called an automation passing variables and reloading the same app with no issues until recently. It now no longer passes variables, so I'm having to reload directly from the app with a button click. All to say that there is no issue with the load script or API, it's something odd with permissions.

The following error occurred:

Connector reply error: grpc::StatusCode::FAILED_PRECONDITION: 'Error while converting required format. Status(StatusCode="PermissionDenied", Detail="Error returned by endpoint: Forbidden [ { "code": "AML-109", "status": "forbidden", "issue": "no_access", "title": "" } ]")'

The error occurred here:

<tablename>: LOAD * EXTENSION endpoints.ScriptEvalStr('{"RequestType":"endpoint", "endpoint":{"connectionname":"<connection name>"}}', Actual_Data)

jackm75 · ‎2023-12-18

The solution was that even though the connection to the deployment was within the user's space (which has edit permissions), the user also needed to have 'Can Edit' permission to the space where the AutoML deployment resides. Once that was provided, the error issue was resolved. I created a shared space specifically to house the deployment as I did not want the users to have edit access to the main AutoML space.

View solution in original post

jackm75 · ‎2023-11-22

@KellyHobson or @akmelsyed would you have any insight to the issue?

akmelsyed1 · ‎2023-11-22

Hi @jackm75 . Can you outline in more detail which permissions they have at what level? I think they may require the "Can edit data in apps" permission. It allows to edit and reload data in apps, whereas "Can edit" only allows to reload data.

jackm75 · ‎2023-11-22

Within the space where the app is published, they have every permission available:

Can view, Can contribute, Can manage, Can consume data, Can publish

There is a data connection to the AutoML deployment within this space. I assumed having the data connection in the published space would handle permissions to the deployment. That said, one thing I haven't tried is giving Can consume data permission in the space where the deployment resides.

I'll make the change and have the user test it and report back.

jackm75 · ‎2023-11-22

The user attempted the reload and received the same AML-109 permission denied error as before.

akmelsyed1 · ‎2023-11-23

Sorry, but I think the best thing to do now is to open a ticket for us to better help you.

jackm75 · ‎2023-11-27

Thanks, @akmelsyed1 a case has been created.

jackm75 · ‎2023-12-18

The solution was that even though the connection to the deployment was within the user's space (which has edit permissions), the user also needed to have 'Can Edit' permission to the space where the AutoML deployment resides. Once that was provided, the error issue was resolved. I created a shared space specifically to house the deployment as I did not want the users to have edit access to the main AutoML space.

User API Error of Access Denied Code AML-109

SaaS