Resource management API returns 403 forbidden error when assigning operators to machines

kumar_techie · August 29, 2025, 12:22pm

Our shift handover automation is failing with 403 errors when trying to assign operators to machines via the resource management API. The API user has ResourceManager role but still gets forbidden responses.


POST /api/v1/resources/machines/M-1001/assign
Payload: {"operatorId": "OP-2345", "shiftId": "SHIFT-A"}
Response: 403 Forbidden - "Insufficient permissions for resource assignment"

Manual assignments through the UI work fine, so it’s definitely an API user permissions issue. We’ve checked role-resource mapping in the admin console and the service account appears to have the right roles. Could this be related to API gateway policies or do we need additional permissions beyond ResourceManager for automated assignments?

giovanni_sql · September 1, 2025, 11:52am

We hit this exact issue last year. The problem is that the API uses different permission checks than the UI. The UI inherits permissions from your user session, but the API checks explicit resource-level grants. You need to add the API user to the resource’s ACL (Access Control List). In the Resource Management console, select the machine, go to Security tab, and add your service account with ‘Assign’ permission. This is separate from the role-based permissions.

ricardo_dev · September 9, 2025, 8:09pm

This is a multi-layered permissions issue that’s common with automated shift handover in Apriso 2021. Let me break down all the permission requirements:

1. API User Permissions (Role-Based) The ResourceManager role is necessary but not sufficient. You need:

ResourceManager role (you have this)
OperatorAssignment permission (separate from ResourceManager)
ShiftManagement permission (for accessing shift data)

Verify by running:

SELECT r.ROLE_NAME, p.PERMISSION_NAME
FROM USER_ROLES ur
JOIN ROLES r ON ur.ROLE_ID = r.ID
JOIN ROLE_PERMISSIONS rp ON r.ID = rp.ROLE_ID
JOIN PERMISSIONS p ON rp.PERMISSION_ID = p.ID
WHERE ur.USER_ID = 'your_api_user'

2. Role-Resource Mapping (Object-Level) Even with correct roles, you need explicit resource access. The API gateway policies in 2021 enforce object-level security that the UI bypasses for interactive users.

Add resource-level grants:


POST /api/v1/security/resource-grants
{
  "userId": "api_service_account",
  "resourceType": "MACHINE",
  "resourceId": "M-1001",
  "permissions": ["READ", "ASSIGN_OPERATOR"]
}

3. API Gateway Policies In Apriso 2021, there’s a known configuration issue where the API gateway applies stricter policies than intended. Check your apigateway.properties:

apriso.api.security.enforceResourceACL=true
apriso.api.security.allowRoleInheritance=true

If allowRoleInheritance=false, the API won’t recognize your ResourceManager role’s implicit permissions. Set it to true and restart the API gateway service.

4. Shift Handover Automation Specifics For automated assignments, you also need:

The operator must be in AVAILABLE status
The machine must be in IDLE or READY state
The shift must be currently active (not future or past)
The operator must have active qualifications for that machine type

Add these checks before your assignment call:

// Validate operator status

const operator = await api.get(`/operators/${operatorId}`);

if (operator.status !== 'AVAILABLE') {

  throw new Error('Operator not available');

}

// Validate machine state

const machine = await api.get(`/machines/${machineId}`);

if (!['IDLE', 'READY'].includes(machine.state)) {

  throw new Error('Machine not ready for assignment');

}

// Then proceed with assignment

5. Service Account Configuration Create a dedicated service account with the correct permission bundle:

Go to Admin Console → Security → Service Accounts
Create new account: `shift_automation_api
Assign permission bundle: “Resource Assignment API”
Generate API key with scopes: `resource:read resource:assign shift:read Testing the Fix

Apply the role-resource mapping grants
Update API gateway properties
Restart API gateway service
Test with explicit permission check:


GET /api/v1/users/current/permissions?resource=M-1001

Should return: `[“READ”, “ASSIGN_OPERATOR”] 5. Retry your assignment with updated credentials

This comprehensive approach addresses all permission layers. The 403 error typically means you’re missing the object-level grant (step 2) even though you have the role-level permission (step 1).

ritu_dev · August 29, 2025, 2:12pm

Check if your API user has permissions at the plant/area level, not just the role. In 2021, resource assignments require both the ResourceManager role AND explicit plant-level permissions. Go to Security → Users → [your API user] → Plant Access and verify the machine’s plant is listed.

michelle813 · September 2, 2025, 11:53pm

I’d verify the shift ID is valid and active. Sometimes 403 errors are misleading - the real issue is that you’re trying to assign to a shift that doesn’t exist or is closed. The API should return 404 but in some versions it returns 403 instead. Try querying the shift first with GET /api/v1/shifts/SHIFT-A to confirm it exists.

chris_func · September 1, 2025, 9:07pm

Are you using OAuth tokens or basic auth? We found that OAuth tokens in 2021 don’t automatically inherit all role permissions due to a scope limitation. You need to explicitly request the ‘resource:assign’ scope when generating the token. Also check your API gateway - if you’re going through a reverse proxy, it might be stripping authorization headers or adding additional policy checks.

Topic		Replies	Views
Shift assignment workflow not updating operator roster in resource management AVEVA MES question , resource-mgmt , workflow-process , am-2021-2 , workflow-debugger , roster-sync , resource-shortage , operator-id , shift-mapping	5	0	January 4, 2026
Resource management API: batch assignment endpoint vs single assignment with loop DELMIA Apriso MES discussion , resource-mgmt , api-development , performance , rest-api , error-handling , dam-2021 , batch-operations , shift-management	5	0	September 11, 2025
Labor shift template not assigning workers to correct shifts after template update Honeywell MES question , configuration , xml , labor-mgmt , role-mapping , hm-2023-2 , shift-template-config , schedule-errors , shift-assignment	5	0	March 11, 2025
Resource allocation workflow not updating after operator shift changes Honeywell MES question , resource-mgmt , workflow-process , resource-allocation , workflow-trigger , shift-management , hm-2023-2 , operator-status , missed-targets	5	0	May 14, 2025
Material transfer fails with 403 Forbidden error using REST API integration in material management (23c) Oracle Fusion Cloud question , cloud-deploy , rest-api , material-mgmt , ofc-23c , json , oauth2 , rbac , 403-forbidden	6	0	November 23, 2025
Resource management API update fails with 'resource locked' error during scheduler operations Siemens Opcenter Execution question , resource-mgmt , api-development , scheduler , rest-api , java , locked-resource , resource-allocation , soc-4-2	6	0	January 14, 2025
Production scheduling API returns job conflict error when creating overlapping shifts AVEVA MES question , api-development , rest-api , resource-allocation , production-scheduling , shift-planning , am-2023-1 , job-conflict , scheduling-algorithm	4	0	August 29, 2025
Work order update via Maintenance API fails with 403 Forbidden error Infor CloudSuite question , maint-mgmt , api-development , rest-api , authorization , permissions , ics-2021 , role-mapping , infor-os-security	5	1	November 29, 2025
Service request update via API fails with 403 'Permission Denied' error Oracle Agile PLM question , api-development , rest-api , permissions , service-mgmt , rbac , automation-blocked , 403-error , agil-9-3-5	5	0	May 14, 2025

Resource management API returns 403 forbidden error when assigning operators to machines

Related topics