Test case export fails with permission denied error despite admin role

We’re encountering a persistent permission denied error when attempting to export test cases through the REST API, even though our service account has admin privileges. The export utility fails immediately with a 403 error.

Our setup involves SSO authentication through Okta with LDAP group synchronization. The service account is mapped to the “QA_Admin” LDAP group which should have full test case export permissions. However, the API call returns:


HTTP 403 Forbidden
Error: Permission denied for test case export
User: svc_qa_export lacks required privilege: EXPORT_TEST_CASES

We’ve verified the account appears in the admin console with proper roles assigned. This is blocking our automated reporting pipeline that exports test execution results for stakeholder dashboards. Has anyone experienced issues with granular RBAC permissions not syncing correctly for SSO-authenticated service accounts?

We encountered this exact scenario last quarter. The root cause was that our LDAP group synchronization was updating user roles correctly, but the export permission matrix wasn’t being refreshed for service accounts. Service accounts need their permissions explicitly set in the security configuration, separate from LDAP-derived roles. Even though they inherit group memberships, certain API-level operations require direct permission assignment.

That’s a key clue - if UI works but API doesn’t, you likely have a token scope mismatch. The web UI uses session-based auth while REST API requires bearer tokens with explicit scopes. Check your OAuth client configuration in Okta. The client used for API calls needs the “alm.test.export” scope explicitly granted. Also verify the token lifetime isn’t causing mid-export failures for large datasets.

The solution requires addressing multiple layers of the permission stack:

1. LDAP Group Synchronization Configuration: Verify your LDAP sync is configured to propagate not just role membership but also granular permissions. In Site Administration → Authentication → LDAP Settings, ensure “Sync Granular Permissions” is enabled. Service accounts often need manual permission refresh after group changes.

2. Granular RBAC Configuration: Navigate to Site Administration → Security → Role Permissions. For your QA_Admin role, explicitly enable:

  • TEST_CASE_READ
  • TEST_CASE_EXPORT
  • API_ACCESS

Then go to Project Administration → Project Users and verify the service account shows these permissions at the project level, not just inherited from global roles.

3. Test Case Export Permission Scoping: The export operation requires specific entity-level permissions. Run this query in the database to verify:

SELECT user_name, permission_name, project_id
FROM auth_permissions
WHERE user_name = 'svc_qa_export';

If EXPORT_TEST_CASES isn’t listed for your target projects, manually add it through the security matrix.

4. SSO Token Validation for Export Operations: For REST API calls, your OAuth client configuration in Okta must include:

  • Custom scope: “alm.test.export”
  • Token claim: “export_permissions” with value “test_cases”

In ALM, update the SSO configuration (Site Administration → Authentication → SSO Settings) to map this claim to the internal EXPORT_TEST_CASES privilege.

5. Force Permission Cache Refresh: After making changes, clear the permission cache:

alm-admin refresh-permissions --user svc_qa_export
alm-admin validate-sso-claims --user svc_qa_export

The key issue is that service accounts with SSO authentication need both LDAP-derived roles AND explicit API permission grants. The permission denied error occurs because the REST API validator checks direct permissions first, before falling back to role-based permissions. This is a security design to prevent privilege escalation through group membership alone.

After implementing these changes, test with a simple export API call and verify the token includes the required claims in the authorization header.
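
Added example, not part of the original thread: one way to confirm that the bearer token sent in the Authorization header carries the “alm.test.export” scope and the “export_permissions” claim named above. It assumes the access token is a JWT with scopes in either a `scope` string or an `scp` array; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json

REQUIRED_SCOPE = "alm.test.export"                      # scope named in the thread
REQUIRED_CLAIM = ("export_permissions", "test_cases")   # claim and value named in the thread


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(bearer_header: str) -> dict:
    """Return the JWT payload from an 'Authorization' header value.

    Diagnostic only: the signature is NOT verified here.
    """
    scheme, _, token = bearer_header.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    return json.loads(_b64url_decode(token.split(".")[1]))


def missing_export_grants(claims: dict) -> list:
    """List the export-related grants the token lacks (empty list = all present)."""
    # Assumption: scopes arrive as a space-separated 'scope' string or an 'scp' array.
    raw = claims.get("scp", claims.get("scope", []))
    scopes = set(raw.split() if isinstance(raw, str) else raw)
    problems = []
    if REQUIRED_SCOPE not in scopes:
        problems.append("scope " + REQUIRED_SCOPE)
    name, wanted = REQUIRED_CLAIM
    value = claims.get(name)
    values = value if isinstance(value, list) else [value]
    if wanted not in values:
        problems.append("claim %s=%s" % (name, wanted))
    return problems


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample so the example runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "Bearer %s.%s.%s" % (enc({"alg": "RS256"}), enc(payload), "constructed-signature")


if __name__ == "__main__":
    token = make_sample_token({"sub": "svc_qa_export", "scp": ["openid"]})
    print(missing_export_grants(decode_claims(token)))
```

An empty list means both grants are present in the token; a 403 that persists after that points back at the server-side permission mapping rather than the Okta client configuration.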

I’ve seen this before. The issue is often that LDAP group mappings sync user roles, but test case export permissions require explicit scoping at the project level. Check if your service account has the “Test Case Export” permission enabled specifically for the projects you’re trying to export from, not just the global admin role.