URGENT, DOWN: Cloud Service Failing with Access Denied, 14008

Hello, I’m calling a cloud service that hasn’t changed in years. Calls worked about 30 times over a half hour this morning, then started failing with 14008, access denied errors. Calls using the Backendless Console with a fresh login fail the same way. Nothing has changed on my end, since this service was created. There are no errors logged.

The service is called ElitePayrollService, app id is 8149FCCE-07DA-F988-FFBB-6154872C9500.

Thank you

Hello,

Could you please provide instructions (and sample input data) so we can duplicate the error?

Regards,
Mark

Hi Mark,

A simple test would be to call the method “getQBT” with both parameters set to false in the API service console.

thank you - KO

I get “Access Denied” when I invoke that method, but the reason for that is because of the security permissions configured for that method.

I apologize, I may be missing the point - I noticed that the Authenticated user permission is also turned off, so I turned it on, and I still get Access Denied. I swear no one has changed permissions, and the calls were working 10 seconds before the first failure.

Yes, I see in our log the permissions for that service were modified last time in 2022. It looks like they were set to be denied for all roles, but granted to a few users with the special identities. We will need to research what triggered the permission change.

Let’s fix it through the console for now. How are the methods in this service accessed?
Does your web/mobile app call them?
Does it use a special login/identity?

It is a web app that interacts with the service using the APIServices.invoke route in the Backendless SDK. There isn’t anything special about the logged in user, other than its expanded permissions.

I reset the permission for that endpoint and, apparently, can now access it just fine. I’m not sure yet if other endpoints were changed too, but it looks like I can give the account full access for the entire service with one click if they were - which is the desired behavior.

Whatever changed the permissions had to have done the deed 10 minutes before I logged this topic; hopefully it is logged somewhere.

Thank you for your help, Mark

Hello @Kelly_Oglesby

What I see in your Audit Log (Console - Manage - Security - Audit Log):

"timestamp": 1667064519618 (2022-10-29T13:08:39.618Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'AndroidUser' role.

"timestamp": 1667064522718 (2022-10-29T13:08:42.718Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'AuthenticatedUser' role.

"timestamp": 1667064525125 (2022-10-29T13:08:45.125Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'DotNetUser' role.

"timestamp": 1667064526991 (2022-10-29T13:08:46.991Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'FacebookUser' role.

"timestamp": 1667064528936 (2022-10-29T13:08:48.936Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'GooglePlusUser' role.

"timestamp": 1667064531058 (2022-10-29T13:08:51.058Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'GuestUser' role.

"timestamp": 1667064533218 (2022-10-29T13:08:53.218Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'IOSUser' role.

"timestamp": 1667064535253 (2022-10-29T13:08:55.253Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'JSUser' role.

"timestamp": 1667064537541 (2022-10-29T13:08:57.541Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'NotAuthenticatedUser' role.

"timestamp": 1667064539581 (2022-10-29T13:08:59.581Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'RestUser' role.

"timestamp": 1667064547924 (2022-10-29T13:09:07.924Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'ServerCodeUser' role.

"timestamp": 1667064550214 (2022-10-29T13:09:10.214Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'SocialUser' role.

"timestamp": 1667064552601 (2022-10-29T13:09:12.601Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'TwitterUser' role.

That’s why there was the following picture:

At the moment I don’t see a contradiction here, maybe I missed some point.

Regards,
Volodymyr
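
Added illustration (not part of any post in this thread, and not Backendless code): a small parser for audit log entries in the shape pasted above that groups permission changes per service into bursts, so a bulk role lock-down stands out from a one-off change. The entry layout is assumed from the pasted text, the `ExampleService` entry is constructed, and `parse_entries` and `find_bursts` are hypothetical names.

```python
import re

# The first four entries are copied from the audit log excerpt in the thread;
# the ExampleService entry is constructed to show an isolated change.
SAMPLE = """\
"timestamp": 1667064519618 (2022-10-29T13:08:39.618Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'AndroidUser' role.
"timestamp": 1667064522718 (2022-10-29T13:08:42.718Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'AuthenticatedUser' role.
"timestamp": 1667064525125 (2022-10-29T13:08:45.125Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'DotNetUser' role.
"timestamp": 1667064526991 (2022-10-29T13:08:46.991Z)
Change 'ElitePayrollService' API Service permissions for all methods to DENY for the 'FacebookUser' role.
"timestamp": 1667150926991 (constructed)
Change 'ExampleService' API Service permissions for all methods to DENY for the 'GuestUser' role.
"""

# Assumption: entries look like the pasted text, not a documented export format.
ENTRY = re.compile(
    r'"timestamp":\s*(\d+)[^\n]*\n\s*'
    r"Change '([^']+)' API Service permissions "
    r"for (.+?) to (\w+) for the '([^']+)' role"
)

def parse_entries(text):
    """Return permission changes sorted by their epoch-millisecond timestamp."""
    rows = [{"ts_ms": int(ms), "service": svc, "scope": scope,
             "action": action, "role": role}
            for ms, svc, scope, action, role in ENTRY.findall(text)]
    return sorted(rows, key=lambda r: r["ts_ms"])

def find_bursts(entries, max_gap_s=10, min_changes=3):
    """Group per-service changes whose gaps are <= max_gap_s; keep large groups."""
    last_run, runs = {}, []
    for e in entries:
        run = last_run.get(e["service"])
        if run and e["ts_ms"] - run[-1]["ts_ms"] <= max_gap_s * 1000:
            run.append(e)  # still inside the same burst
        else:
            run = last_run[e["service"]] = [e]  # gap too large: start a new run
            runs.append(run)
    return [{"service": r[0]["service"], "start_ms": r[0]["ts_ms"],
             "span_s": (r[-1]["ts_ms"] - r[0]["ts_ms"]) / 1000,
             "actions": sorted({e["action"] for e in r}),
             "roles": [e["role"] for e in r]}
            for r in runs if len(r) >= min_changes]

if __name__ == "__main__":
    for burst in find_bursts(parse_entries(SAMPLE)):
        print(burst)
```

A burst that touches many roles within seconds points to one bulk action rather than a series of unrelated edits, which narrows where to look for the actor and trigger.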

The service was supposed to be accessed only through one user account, “Admin,” which is why all of the role permissions are turned off. That user account successfully accessed the service dozens of times yesterday morning, then suddenly started denying access around 10AM.

After Mark pointed out the Role permissions, I checked the permissions for the user and it had access turned off. When I turned it back on, it started working. That’s all I know.

It’s working now, so we’re good, thank you.