I’m getting permission denied errors when trying to update portfolio items via REST API in Aras 13.0, despite being authenticated with admin credentials. The same updates work perfectly through the UI with the same user account.
The API vs UI permissions seem to behave differently. I can successfully GET portfolio data via API, but PUT/PATCH operations fail with 403 Forbidden. Here’s my update attempt:
PATCH /server/odata/Portfolio('P-001')
{
    "status": "Active",
    "priority": "High"
}
My role has full permissions on Portfolio ItemType. Could there be workflow locks or different role and identity mapping between API and UI contexts?
Another aspect: the owned_by_id field. If the portfolio item is owned by a different identity, you might not have permission to update it even with admin role. Aras enforces ownership-based security. Try querying the owned_by_id of the failing items and compare with your authenticated identity. You may need to either change ownership or add your identity to the item’s access control list.
The 403 on PUT/PATCH but not GET suggests read vs write permission separation. In Aras, permissions are method-specific. Your role might have get permission but not update permission on Portfolio. Check the Permission ItemType for your role and verify it includes the update method. Also look at the can_update property on the Access Control entries.
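To make the two checks above (ownership and method-specific can_update) concrete, here is a small offline model you can run against values copied out of the item and its Permission. It is an added example written for this thread, not Aras code; it assumes the Access rows of the Permission carry related_id plus can_get/can_update flags, that "Owner" and "Manager" are the dynamic identities resolving to owned_by_id/managed_by_id, and that the caller's identity set is their alias identity plus group memberships.

```python
# Added example: offline model of Aras item-level security, used to explain
# why PATCH returns 403 while GET succeeds. Simplified and not Aras's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRow:
    identity: str          # related_id of the Access row, or "Owner"/"Manager"
    can_get: bool = False
    can_update: bool = False


@dataclass(frozen=True)
class Item:
    id: str
    owned_by_id: str
    managed_by_id: str
    access: tuple          # Access rows of the item's permission_id


def resolve(identity, item):
    """Map the dynamic identities (assumed names) to the ids stored on the item."""
    return {"Owner": item.owned_by_id, "Manager": item.managed_by_id}.get(identity, identity)


def rights(item, caller_identities):
    """Union of rights over every Access row matching one of the caller's identities."""
    granted = {"get": False, "update": False}
    for row in item.access:
        if resolve(row.identity, item) in caller_identities:
            granted["get"] |= row.can_get
            granted["update"] |= row.can_update
    return granted


def explain_403(item, caller_identities):
    """Return a one-line diagnosis for a failed update, or 'ok' if update is allowed."""
    r = rights(item, caller_identities)
    if r["update"]:
        return "ok"
    if not r["get"]:
        return "no access row matches the caller at all (GET would fail too)"
    owner_grants_update = any(row.identity == "Owner" and row.can_update for row in item.access)
    if owner_grants_update and item.owned_by_id not in caller_identities:
        return f"update is granted only to Owner; item is owned by {item.owned_by_id}"
    return "matching rows grant get but not update (check can_update on Access)"


# Constructed sample: the caller holds an admin alias identity and a group, but the
# Portfolio item is owned by a different identity and only Owner may update it.
SAMPLE_ITEM = Item(
    id="P-001", owned_by_id="ID-ALICE", managed_by_id="ID-PMO",
    access=(AccessRow("ID-WORLD", can_get=True), AccessRow("Owner", can_get=True, can_update=True)),
)
CALLER = {"ID-ADMIN-ALIAS", "ID-WORLD", "ID-ADMINS-GROUP"}

if __name__ == "__main__":
    print(explain_403(SAMPLE_ITEM, CALLER))
```

Swap in the real owned_by_id, managed_by_id and Access rows from your instance (and the identity ids you actually hold) to see which of the two conditions the item fails on.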
I checked the permissions and my role has get, add, update, and delete methods enabled for Portfolio. The X-Aras-Identity header is interesting - I haven’t tried that. How do I know which identity ID to use? Is there a way to query the current effective identity from the API?