Supply planning REST API returns 403 Forbidden when using service account with custom role

I’m developing an automation script to extract supply planning data via REST API on Oracle Fusion Cloud SCM 23D. I’m using a service account with what I believe are the correct privileges, but I’m consistently getting 403 Forbidden responses.

The API endpoint I’m calling:


GET /fscmRestApi/resources/11.13.18.05/supplyRequests
Authorization: Bearer {token}
Response: 403 Forbidden - insufficient privileges

The service account has been granted:

  • Supply Chain Planning Administrator role
  • REST API access enabled in user profile
  • OAuth client credentials configured in IDCS

When I test the same endpoint with my personal user credentials (I have the same role), it works perfectly. This suggests the issue is specific to service account authentication or custom role privilege mapping for API access.

I’ve verified the OAuth token is valid and not expired. The REST API privilege requirements seem different for service accounts versus regular users. Has anyone successfully configured service account authentication for supply planning REST APIs? What specific privileges or role mappings am I missing?

We had this problem and discovered that even with correct roles, service accounts need the ‘Allow API Access’ flag enabled at the user level in Fusion. Go to Setup and Maintenance > Manage Users, find your service account, and check if ‘REST API Access’ is enabled in the user profile. This is separate from role assignments and often gets overlooked during service account setup.

Service accounts in Fusion require explicit REST API privileges that aren’t automatically inherited from functional roles. Check if your service account has the specific REST API privilege set assigned. Go to Security Console > Users > Your Service Account > Roles and verify if ‘Supply Planning REST Service Consumer’ role is present.

The 403 Forbidden error you’re experiencing is due to incomplete privilege mapping for service account REST API access. Here’s the comprehensive solution:

1. Custom Role Privilege Mapping: Service accounts require explicit REST API privileges that aren’t included in standard functional roles. Create a custom role with these privileges:

  • Navigate to Security Console > Roles
  • Create new role: “Supply Planning API Access”
  • Add function security policies:
    • View Supply Plans (ORA_SCM_SUPPLY_PLAN_VIEW)
    • Manage Supply Requests (ORA_SCM_SUPPLY_REQUEST_MANAGE)
    • Supply Planning REST Services (ORA_FND_REST_SERVICE_ACCESS)

2. REST API Privilege Requirements: The critical missing piece is the REST service privilege. Add these to your service account:


Role: Integration Specialist (standard role)
Privilege: Supply Chain Planning REST APIs
Data Security: Supply Planning Business Unit access

In Security Console:

  • Users > [Service Account] > Roles tab
  • Add Role: “Integration Specialist”
  • Add Role: “Supply Planning API Access” (custom role from step 1)

3. Service Account Authentication Configuration: For OAuth client credentials flow, configure IDCS properly:

A) OAuth Client Setup in IDCS:

  • IDCS Console > Applications > Add > Confidential Application
  • Configure OAuth settings:
    • Allowed Grant Types: Client Credentials
    • Grant the client access to: Oracle Fusion Cloud SCM
    • Scope: Supply Chain Planning APIs

B) Link Service Account to OAuth Client:

  • In Fusion: Setup and Maintenance > Manage Users
  • Find your service account
  • Enable “REST API Access” checkbox
  • Note the username (format: service_account_name)

C) Update OAuth token request:


POST {idcs_url}/oauth2/v1/token
Content-Type: application/x-www-form-urlencoded

client_id={your_client_id}&client_secret={your_secret}&grant_type=client_credentials&scope=urn:opc:resource:consumer::all

4. Data Security Configuration: Even with correct roles, service accounts need data security policies:

  • Security Console > Data Security Policies
  • Create policy for service account
  • Grant access to relevant Supply Planning Business Units
  • Assign Supply Request object security

Verification Steps:

  1. Test OAuth token generation and decode JWT to verify scopes
  2. Check Security Console > User Access Analysis for the service account
  3. Review audit logs for specific privilege denials
  4. Test API with verbose error logging enabled

Common Pitfall: The standard “Supply Chain Planning Administrator” role includes functional privileges but NOT the REST API consumption privileges. This is why your personal account works (it likely has additional roles from interactive usage) while the service account fails.

After implementing these changes, your service account should successfully authenticate and access supply planning REST APIs. The key is ensuring all three layers align: OAuth client configuration, Fusion role privileges, and data security policies.
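
Verification step 1 in the answer above (decode the JWT to verify scopes), as an added example that is not part of the original thread. The claim names `exp` and `scope` follow the standard JWT conventions and are assumed to match what the identity provider issues; the sample token and the function names are constructed for illustration.

```python
import base64
import json
import time
from typing import List, Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Inspection only: never base an authorization decision on this output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def token_problems(claims: dict, required_scope: str,
                   now: Optional[float] = None) -> List[str]:
    """List token-level reasons for rejection, independent of Fusion role checks."""
    now = time.time() if now is None else now
    problems = []
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append("token expired")
    # Assumption: scopes arrive as a space-delimited string; a JSON list is also accepted.
    scope = claims.get("scope", "")
    granted = scope.split() if isinstance(scope, str) else list(scope)
    if required_scope not in granted:
        problems.append(f"scope {required_scope!r} not granted (got {granted})")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample so the example runs offline; not a real token.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

An empty list from `token_problems` means the token itself is not the cause, so the 403 should be traced in the role and data security layers instead.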