arcgis-python-api icon indicating copy to clipboard operation
arcgis-python-api copied to clipboard

Published 20 hours ago verified publisher icon Esri

item.reassign_to() fails with permission error, even though user has that privilege

Open harwelld opened this issue 2 years ago • 7 comments

Describe the bug Attempting to programmatically reassign content ownership, specifically a web map item. I have verified the user in AGOL has the "Reassign content" privilege, and can successfully change ownership through the AGOL UI. When done programmatically with the Python API (arcgis module v1.9.1), an exception occurs.

To Reproduce Steps to reproduce the behavior:

egp_agol_info = config_reader(config_path, 'egp_agol_info')
egp_agol_cnxn = connect_to_agol(egp_agol_info)
if egp_agol_cnxn.get('gis'):
    egp_agol = egp_agol_cnxn.get('gis')

map_id = '7abce623d0044cbaa0345ebd4385bebb'
map_item = egp_agol.content.get(map_id)
map_item.reassign_to('nbabel_nifc')

error:

Traceback (most recent call last):
  File "c:/dharwell/WPSAPS/FAM-IM-EGP-WPSAPS/test.py", line 22, in <module>
    map_item.reassign_to('nbabel_nifc')
  File "c:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\lib\site-packages\arcgis\gis\__init__.py", line 11260, in reassign_to    self.itemid, self._user_id, target_owner, current_folder, target_folder
  File "c:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\lib\site-packages\arcgis\gis\_impl\_portalpy.py", line 1666, in reassign_item
    resp = self.con.post(path, postdata)
  File "c:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\lib\site-packages\arcgis\gis\_impl\_con\_connection.py", line 1079, in post
    force_bytes=kwargs.pop("force_bytes", False),
  File "c:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\lib\site-packages\arcgis\gis\_impl\_con\_connection.py", line 625, in _handle_response
    self._handle_json_error(data["error"], errorcode)
  File "c:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\lib\site-packages\arcgis\gis\_impl\_con\_connection.py", line 648, in _handle_json_error
    raise Exception(errormessage)
Exception: You do not have permissions to access this resource or perform this operation.
(Error Code: 403)

Screenshots image

Expected behavior I expect the function to do what it's supposed to do: reassign content to another user.

Platform (please complete the following information):

  • OS: Windows 10
  • Browser: NA
  • Python API Version: 1.9.1

Additional context Add any other context about the problem here, attachments etc.

harwelld avatar May 12 '22 18:05 harwelld

Hello, is the account attempting to reassign an item an admin account? Since the API is calling the REST endpoint, we allow only administrators to reassign items. Please see the description here for more information.

If it is an admin account you are having this error with let us know and we can look into it more.

nanaeaubry avatar May 13 '22 21:05 nanaeaubry

Hmm, no the account is not an Admin, and I must have missed that line in the docs. However, let me ask this, what is the point of having granular privileges, and an API to perform actions, if the API is not going to honor the assigned privileges of the user? There is literally a privilege in our custom role called "Reassign content", and I can perform this action manually through the UI. Aren't there lot's of other methods in the Python API that call REST endpoints and work as expected?

harwelld avatar May 13 '22 22:05 harwelld

In this case we are following the documentation for the rest endpoint: https://developers.arcgis.com/rest/users-groups-and-items/reassign-item.htm

We call the reassign endpoint and if the user is not an admin, it is the endpoint that blocks the operation and returns the error.

We will look into further solution with the Rest Team but as of now the method works as documented and intended between the REST doc and the API. I will post any updates we get.

Edited after: Based on what is written here you are correct for the GUI side. We will investigate the endpoint further and see if there is an issue on the REST side.

nanaeaubry avatar May 13 '22 22:05 nanaeaubry

Can you post a set of permissions the user has?

print(gis.users.me.privileges)

achapkowski avatar May 16 '22 18:05 achapkowski

['features:user:edit', 'portal:admin:createUpdateCapableGroup', 'portal:publisher:publishFeatures', 'portal:publisher:publishScenes', 'portal:publisher:publishTiles', 'portal:user:createGroup', 'portal:user:createItem', 'portal:user:joinGroup', 'portal:user:joinNonOrgGroup', 'portal:user:reassignItems', 'portal:user:receiveItems', 'portal:user:shareToGroup', 'portal:user:viewOrgGroups', 'portal:user:viewOrgItems', 'portal:user:viewOrgUsers']

Like I said, this user DOES have the 'Reassign content' privilege, but the user is not the default 'Administrator' role. It just seems misleading and a bit poorly designed to break the privileges out like that but not have the API honor those privileges.

harwelld avatar May 16 '22 21:05 harwelld

Thank you for the information, we will continue investigating it and update here if we need any other info.

nanaeaubry avatar May 19 '22 15:05 nanaeaubry

Does the destination user have: portal:user:receiveItems ?

achapkowski avatar Jul 27 '22 16:07 achapkowski

@harwelld Let us know if you're still having problems with this issue. Closing pending further communication.

jyaistMap avatar Oct 25 '22 15:10 jyaistMap