Best Answer

Does your Level Affect Your Ability to Use APIs to Get Report Data?

  • 28 February 2024
  • 11 replies
  • 69 views
JKolodner
Rank
Userlevel 5
Badge

I have SuperAdmin access. When I try to use APIs to access a report I created:
 

It appears that I get the data fields I expect to see (although I’m not sure about the pagination and how to get all of the records in my JSON file, tbh).
 

Employee ID
Username
First Name
Last Name
Email
Enabled
Deactivated
Direct Manager
Supervisor Name
Preferred Name
Manager Permissions
Supervisor Email
2nd Level Manager Name
2nd Level Manager Email
3rd Level Manager Name
3rd Level Manager Email
State
Location Code
Location Name
Employee Type
Worker Type
FT/PT
First Hire Date
Last Hire Date
Acquisition Date
Job Family
Job Code
Job Title
FLSA Type Code
Cost Center Hierarchy
Cost Center ID
Cost Center
Channel
Company
Vendor Company
Division
Term Date
Branch Name
Is Remote
Time in Role
Country
Training Exemption
Manager Status


I have set up a login for my IT colleague who is much more knowledgeable about APIs than I am. When he uses the same API, he gets a very limited selection of data fields (I’ve replaced values with xxx):

      {
            "Username": xxx,
            "First Name": "xxx",
            "Last Name": "xxx",
            "Email": xxx,
            "Deactivated": "xxx",
            "Direct Manager": "xxx",
            "Manager Permissions": "xxx",
            "Branch Name": "xxx"
        },

 

It’s my suspicion that I can see more than he can because I’m a SuperAdmin.

Is that likely?

Is there a PowerUser Profile I could set up that would give him the access he needs?

icon

Best answer by John 28 February 2024, 18:13

View original
Jennifer

11 replies

lrnlab
Rank
Userlevel 7
Badge +7

very possible...can you make them a super admin and test it again?

JKolodner
Rank
Userlevel 5
Badge

He already was a Power User. I’ve updated his Power User Profile and I’m asking him to try again.

Jennifer
JKolodner
Rank
Userlevel 5
Badge

Then, we’ll try for SuperAdmin if we need.

Jennifer
John
Rank
Userlevel 5
Badge +2

Hey @JKolodner! Docebo leverages OAuth scopes and grants to allow access to the API, so the endpoints are following a role-based access model by default. You could look at expanding the permissions of the power user, to cover both the course, users, and reports area, or go full access with a Super admin user making the API calls.

You can emulate this in the Docebo API Browser while logged in as any level user and authenticating before making a call. If your permissions allow viewing, the results will indicate that. 😊

JKolodner
Rank
Userlevel 5
Badge

Good to know, thanks @John.

Working on it now.

Jennifer
Bfarkas
Rank
Userlevel 7
Badge +3

Good to know, thanks @John.

Working on it now.

For the API direct access, you always need to be a super admin, the only ways I have around this leverage the iframe widgets with advanced settings turned on, there is a token process you can exchange quickly for a usable API token, which can basically empower a standard user to use the API in the background. It’s one of my favorite tricks.

John
Rank
Userlevel 5
Badge +2

Hey @Bfarkas!

For the 7.0 API, you actually don’t have to be a Super admin to invoke it… you can see this in a small note within our KBA on authentication (“system requires specific user permission”):

If you consider the fact that the public API shown on API-Browser listings are used inside the product directly, users are calling these endpoints naturally as they navigate the platform’s UI. Here’s a short video to showcase a Power User calling the GET manage/v1/users endpoint.


While I wasn’t able to capture the token request in Chrome’s Developer tools window (it closes too fast to capture the request), it does make a call to a backend OAuth 2.0 app service that we use in order to login as your user and obtain a token.

Further, as another example one recommendation we make for clients implementing Flow is that they must implement a JWT authentication flow. This is key in order to determine which user should see the launcher and thus what data we show back (that they are configured to access based on all the normal administrative assignments you might make for courses, LPs, Catalogs, etc…).

I hope it helps. By all means I’m not a developer by trade but have seen some things so thought I’d share with the group! 😂 

John
Rank
Userlevel 5
Badge +2

TBH, backtracking a bit, the comment/note in blue may indicate that the API-Browser’s backend must use a certain type of OAuth authentication flow to work. So, I read it as you “cannot simulate client credentials grant type in that type of authorization scenario/within the API-Browser experience.

For machine to machine authentication, client credentials authorization for OAuth 2.0 is what I see being most recommended. I found this article on Medium to be a good refresher on all the “options”. In addition, this conversation was an interesting one to read with a case considering PowerShell scripting, on behalf of another user, leveraging client credentials grant type..

Bfarkas
Rank
Userlevel 7
Badge +3

@John I know I know, it’s the nuance, what I have found is when most people are talking about accessing the API though it is just the browser, or direct access postman which is usually(and easier to keep clear) just super admins, should have been clearer. That chrome token piece is in the realm of my iframe trick too, and yes it happens crazy fast! One of my fun things to try and demo to folks live!

 

John
Rank
Userlevel 5
Badge +2

So right and great points all around, as always, Brian!

DYK… there are also Course Additional Field & Enrollment Additional Field iFrames you could leverage to do “neat” (nerdy) things like you’ve mentioned (assuming you’re referring to the salt secret)? 😁

Bfarkas
Rank
Userlevel 7
Badge +3

So right and great points all around, as always, Brian!

DYK… there are also Course Additional Field & Enrollment Additional Field iFrames you could leverage to do “neat” (nerdy) things like you’ve mentioned (assuming you’re referring to the salt secret)? 😁

100% I’ve never had to actually go to production with the additional fields, but have played with them. I have often done the Course widgets though, customized inline support on every course page :)

Reply


Terms & ConditionsCookie settings