After updating user roles in our SAP IoT integration service (version 2.3), we’re getting 403 Forbidden errors when trying to access OData endpoints. The integration jobs that pull IoT data into our ERP system are all failing.
The error response shows:
HTTP/1.1 403 Forbidden
{"error": {"code": "INSUFFICIENT_PRIVILEGES",
"message": "User lacks required authorization"}}
We updated the OData role mapping to align with new security policies, but now the service account used by our integration jobs can’t access the thing data endpoints. User privilege assignment seems correct in the SAP IoT cockpit, but the integration job permissions aren’t being recognized. Did we break something in the role hierarchy?
I’ve seen this when custom roles override default permissions. If you created custom roles that don’t include the OData service permissions, you need to explicitly add them. The default ‘IoT_Thing_Read’ role includes OData access, but custom roles start with no permissions. Check if your new roles have the ‘sap.iot.odata’ permission attribute.
We didn’t touch the OAuth configuration, only the role assignments in the user management. Where do we configure these scopes? Is this in the service binding or somewhere in the IoT cockpit?
Check your service key configuration. When you create a service instance for OData access, you specify the required scopes in the service key parameters. If you updated roles but the service key still has the old scope definitions, you’ll get 403 errors. The role and scope need to be aligned: having the role without the matching scope won’t work.
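As an added example (not from this thread, and not SAP's own tooling), the check below takes the access token the integration job actually presents to the OData endpoint, reads its scope claim without verifying the signature, and compares it against the scope the endpoint requires and a role-to-scope mapping. That separates the two causes discussed above: a custom role that never carried the OData permission versus a role that does carry it while the service key still issues the old scopes. The scope names ("odata.thing.read", "thing.read"), the role names, the service-account subject and the HS256 key are placeholders constructed for this example; the mapping of roles to scopes would come from your own role definitions. The token handling follows the standard compact JWT layout, with the scope claim accepted either as a space-delimited string (RFC 6749 style) or as a JSON array, which some issuers use.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Set


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT. Used here only to construct sample tokens;
    a real access token is obtained from the token endpoint with the
    credentials in the service key, not built by the client."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Fine for inspecting which scopes a token carries while debugging a 403;
    never use an unverified decode to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> Set[str]:
    """Normalise the scope claim: a space-delimited string or a JSON array."""
    scope = claims.get("scope", [])
    if isinstance(scope, str):
        return set(scope.split())
    return set(scope)


def triage_403(token: str, required_scope: str,
               assigned_roles: Iterable[str],
               role_scopes: Dict[str, Set[str]]) -> str:
    """Classify a 403 on an endpoint that requires `required_scope`.

    assigned_roles: roles granted to the service account in user management.
    role_scopes:    which scopes each role is defined to carry (assumed mapping).
    """
    granted = granted_scopes(decode_jwt_claims(token))
    if required_scope in granted:
        # Token is fine; the 403 comes from a finer-grained check, not scopes.
        return "scope-present"
    roles_granting = {r for r, s in role_scopes.items() if required_scope in s}
    assigned = set(assigned_roles)
    if assigned & roles_granting:
        # Role carries the scope but the issued token does not: the service
        # key / binding still has the old scope definitions.
        return "role-ok-token-stale"
    if assigned:
        # Every assigned role lacks the scope, e.g. a custom role that was
        # created without the OData permission.
        return "assigned-roles-lack-scope"
    return "no-role-assigned"


# Constructed sample data for this example only.
EXAMPLE_KEY = b"example-only-key-not-a-real-secret"
REQUIRED = "odata.thing.read"                  # placeholder scope name
ROLE_SCOPES = {
    "IoT_Thing_Read": {"thing.read", "odata.thing.read"},   # default-style role
    "Custom_Integration": {"thing.read"},                   # custom role, no OData scope
}
STALE_TOKEN = make_sample_token(
    {"sub": "svc-integration", "scope": ["thing.read"]}, EXAMPLE_KEY)
GOOD_TOKEN = make_sample_token(
    {"sub": "svc-integration", "scope": ["thing.read", "odata.thing.read"]}, EXAMPLE_KEY)


if __name__ == "__main__":
    print(triage_403(STALE_TOKEN, REQUIRED, ["IoT_Thing_Read"], ROLE_SCOPES))
    print(triage_403(STALE_TOKEN, REQUIRED, ["Custom_Integration"], ROLE_SCOPES))
```

Run it against the real token your job sends (paste the bearer token in place of STALE_TOKEN) and the mapping from your own role definitions: "role-ok-token-stale" points at the service key or binding, "assigned-roles-lack-scope" points at the role definition, and "scope-present" means the scope layer is not where the 403 comes from.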