REST API requests for accounts data without having delete permissions
Answer ID 12441   |   Last Review Date 10/03/2022

How can users make REST API requests to get full accounts data without also having the ability to delete accounts?

Environment:
Oracle B2C Service version 22A and higher
REST API requests for accounts data
 
Issue:
Prior to version 22A, accounts in profiles without "Groups / Accounts / Distribution Lists" set were able to use REST object query requests to get full accounts data without having the permission to delete accounts. In versions 22A and later, accounts need to be in a profile with "Groups / Accounts / Distribution Lists" set in order to get full account data, and accounts in such a profile also have the permission to delete accounts.
 
Resolution:
 
There are ways to get some account object data for users in profiles that do not have "Groups / Accounts / Distribution Lists" set; those profiles do not have the ability to delete accounts.
 
1. services/rest/connect/v1.4/accounts/ <---- returns id and lookupName for all accounts
2. services/rest/connect/v1.4/accounts/?q=id>2 <---- returns id and lookupName for accounts with an id above 2
3. services/rest/connect/v1.4/accounts/?q=id=<user's account ID> <---- returns id and lookupName
4. services/rest/connect/v1.4/accounts/?q=id=<other ID> <---- returns id and lookupName
5. services/rest/connect/v1.4/accounts/<user's account ID> <---- returns the user's full account info
 
This object query fails:
6. services/rest/connect/v1.4/accounts/<some other user's account ID> <---- fails with the error "Not Allowed: No permission granted to Read Account."
 
For users in those profiles, additional account data can be returned by using tabular queries similar to the one below, and the users in those profiles will still not be able to delete accounts.
 
7. services/rest/connect/v1.4/queryResults?query=select ID,login,name.*,phones.* from accounts where id=<other ID> <---- add whichever columns you want to the select list
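The following is an added example (not Oracle's code) showing how a client in such a profile would build the object query from item 5 and the tabular query from item 7, URL-encode the ROQL statement, treat the 403 "Not Allowed" response from item 6 as the expected outcome, and read the columnNames/rows layout that queryResults returns. The site URL, the Basic-auth credentials and the sample response are assumptions or constructed values; the application-context header is the one the Connect REST API expects on every request.

```python
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://example.invalid/services/rest/connect/v1.4"  # assumed site URL
DEFAULT_COLUMNS = ("ID", "login", "name.*", "phones.*")           # columns from item 7
COLUMN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_*][A-Za-z0-9_*]*)*$")

def valid_column(name):
    """Accept only field paths such as ID, login or name.*; nothing else reaches the ROQL text."""
    return bool(COLUMN_RE.match(name))

def account_roql(account_id, columns=DEFAULT_COLUMNS):
    """Tabular query text from item 7. The id is cast to int and the column list is
    validated, so caller-supplied values cannot alter the shape of the statement."""
    bad = [c for c in columns if not valid_column(c)]
    if bad:
        raise ValueError(f"rejected column names: {bad}")
    return f"select {', '.join(columns)} from accounts where id={int(account_id)}"

def tabular_query_url(account_id, columns=DEFAULT_COLUMNS):
    """queryResults URL with the ROQL statement URL-encoded (the page shows it unencoded)."""
    return f"{BASE_URL}/queryResults?" + urllib.parse.urlencode({"query": account_roql(account_id, columns)})

def parse_query_results(body):
    """queryResults replies carry columnNames/rows per table; rebuild one dict per row."""
    rows = []
    for table in body.get("items", []):
        rows.extend(dict(zip(table["columnNames"], row)) for row in table["rows"])
    return rows

def get_json(url, user, password):
    """Send the request with Basic auth; a 403 (the 'Not Allowed' case in item 6) returns None."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "OSvC-CREST-Application-Context": "read account data without delete permission"}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return None
        raise

# Constructed sample of a queryResults reply, standing in for a live site.
SAMPLE_RESPONSE = {"items": [{"tableName": "accounts", "count": 1, "columnNames": ["ID", "login", "name.first"],
                              "rows": [["3", "jdoe", "Jane"]]}]}
```

Against a real site, `get_json(tabular_query_url(other_id), user, password)` returns the rows for a profile without delete permission, while `get_json(f"{BASE_URL}/accounts/{other_id}", ...)` comes back as None for the same profile.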
 
The below link is for the documentation for queryResults tabular queries.
 
Also, a custom report could be created for account data, and an analyticsReportResults REST request can be used that
 
Cause:
 
Change in how object permissions are handled in version 22A and higher.