RBAC permission denied errors when incident management API service account calls

Our automated incident notification system is failing with RBAC permission denied errors when calling Qualio’s incident management API endpoints. The service account has been granted the ‘Incident Manager’ role, but API calls consistently return 403 Forbidden.
POST /api/v1/incidents
Authorization: Bearer eyJhbG...
Response: 403 Forbidden
{"error": "RBAC_PERMISSION_DENIED",
 "message": "Service account lacks required permissions"}

We’ve verified the service account scope configuration includes ‘incident.write’ and ‘incident.read’, but the API gateway seems to reject the token claims. The role-to-permission mapping appears correct in the admin console, but something in the token claim validation is blocking our requests. Has anyone encountered similar RBAC issues with service accounts in qual-2022.1?

Double-check your API gateway RBAC policies. In qual-2022.1, there’s a known configuration issue where API gateway policies don’t inherit role permissions from the main Qualio instance. You might need to explicitly define the service account’s permissions in the API gateway configuration file (api-gateway-rbac.xml). This is separate from the role assignments in the Qualio admin UI.

I had this exact problem last month. The ‘Incident Manager’ role grants UI permissions but doesn’t automatically include API permissions in qual-2022.1. You need to explicitly assign API-specific roles to service accounts. Navigate to Admin → Service Accounts → API Permissions and grant ‘API Incident Writer’ role in addition to the standard ‘Incident Manager’ role. The permission model separates UI roles from API roles for security reasons.

Check if your service account token includes the required audience claim. API gateway RBAC policies often validate the ‘aud’ claim to ensure tokens are intended for API access. Your service account might be configured for UI access only, not API access.
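An offline pre-flight check for the two points raised above (the scope claims the poster verified and the 'aud' claim in the last reply), added here as an example; it is not Qualio's code and was not posted by anyone in this thread. It assumes the bearer token is a compact JWT, that the gateway checks a space-separated 'scope' claim, and that the API audience is named 'qualio-api' (a placeholder, not a documented value).

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Inspection only: the gateway still verifies the signature on its side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_for_incident_write(claims: dict, expected_aud: str) -> list:
    """List why a gateway that validates 'aud' and 'scope' would reject this token."""
    problems = []
    aud = claims.get("aud", [])          # absent, a string, or a list per RFC 7519
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        problems.append(f"aud missing {expected_aud!r} (got {aud})")
    scopes = set(str(claims.get("scope", "")).split())
    if "incident.write" not in scopes:
        problems.append("scope missing incident.write")
    return problems


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for offline use only: header + payload, empty signature.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples: a token minted for the UI audience only, and one that also names the API.
UI_ONLY_TOKEN = make_unsigned_token(
    {"sub": "svc-incident-notifier", "aud": "qualio-ui", "scope": "incident.read incident.write"})
API_TOKEN = make_unsigned_token(
    {"sub": "svc-incident-notifier", "aud": ["qualio-ui", "qualio-api"], "scope": "incident.read incident.write"})

if __name__ == "__main__":
    for name, tok in (("ui-only", UI_ONLY_TOKEN), ("api", API_TOKEN)):
        print(name, missing_for_incident_write(decode_claims(tok), "qualio-api") or "OK")
```

Run it against the real token from the Authorization header (the scopes can be correct and the 'aud' still wrong, which is the case the last reply describes).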