Work order update via Maintenance API fails with 403 Forbidden error

jim_func · November 1, 2025, 3:40pm

Our maintenance automation is completely blocked because the Maintenance API returns 403 Forbidden when we try to update work order status. We can successfully retrieve work orders via GET requests, but any PUT or PATCH operation fails with authorization errors.

The error response:

{
  "status": 403,
  "message": "Forbidden: Insufficient permissions"
}

We’ve verified that our API user has the Maintenance Manager role in CloudSuite, but something in the security policy configuration or API role mapping isn’t translating those permissions to the API endpoints. The endpoint permissions seem to require something beyond the standard CloudSuite roles. How do we properly configure API role mapping for maintenance operations?

fernando_689 · November 1, 2025, 5:47pm

403 errors with API access usually mean the user has CloudSuite permissions but not API-specific permissions. Check if your API user is assigned to an API security role in Infor OS Portal, not just CloudSuite roles.

jim_func · December 3, 2025, 11:43pm

Here’s the complete solution addressing all three security configuration areas:

API Role Mapping: First, you need to create and assign proper API roles in Infor OS Portal:

Navigate to Security > API Roles > Create New Role
Create a role named “Maintenance_API_Full_Access”
Add these permission groups:
- `maintenance.workorder.read
- `maintenance.workorder.write
- `maintenance.workorder.update
- maintenance.asset.read (required for work order context)
Assign this API role to your service account:
- Go to Security > Service Accounts > [Your API User]
- Add Role: “Maintenance_API_Full_Access”
- Save and sync permissions (can take 5-10 minutes)

The key issue is that CloudSuite application roles (like Maintenance Manager) don’t automatically grant API permissions. You must explicitly assign API-specific roles.

Security Policy Configuration: Next, configure the security policy for maintenance endpoints:

Go to API Management > Security Policies
Find or create policy: “Maintenance API Policy”
Configure allowed operations:

<security-policy name="maintenance-api-policy">
  <resource path="/maintenance/workorders/*">
    <method name="GET" role="maintenance.workorder.read"/>
    <method name="PUT" role="maintenance.workorder.update"/>
    <method name="PATCH" role="maintenance.workorder.update"/>
  </resource>
</security-policy>

Apply this policy to the Maintenance API service

Endpoint Permissions: Finally, configure specific endpoint permissions:

Navigate to API Management > Endpoints > Maintenance API
Find the work order update endpoint: `/api/v1/maintenance/workorders/{id}
Edit endpoint security settings:
- Authentication: Required (OAuth2 Bearer Token)
- Authorization: API Role Based
- Required Roles: `maintenance.workorder.update
- Allowed Methods: GET, PUT, PATCH
Configure field-level permissions for work order updates:
- Status updates: Requires `maintenance.workorder.update
- Assignment changes: Requires `maintenance.workorder.assign
- Cost updates: Requires `maintenance.workorder.cost.update If you’re updating specific fields like costs or assignments, you may need additional granular permissions.

Testing the Configuration: After applying these changes:

Wait 10 minutes for permission sync
Obtain a new OAuth2 token (old tokens won’t reflect new permissions)
Test with a simple status update:

PUT /api/v1/maintenance/workorders/WO12345
{
  "status": "IN_PROGRESS"
}

Common Issues:

403 persists after role assignment: Clear API Gateway cache and obtain new token
Works for some work orders but not others: Check asset-level security permissions
Can update status but not other fields: Add field-specific permissions to API role
Intermittent 403 errors: Token expiration - implement proper token refresh logic

Additional Considerations for ICS 2021:

The API role system in ICS 2021 requires explicit endpoint mapping - there are no wildcard permissions
If you need to update work orders across multiple sites, add maintenance.site.access permission
For automated workflows, consider creating a dedicated service account rather than using a personal user account

This complete configuration ensures your API user has proper permissions at all three levels: API role, security policy, and endpoint access. The automation should now successfully update work orders without 403 errors.

ryan_thinker · November 20, 2025, 2:17am

Check the security policy configuration for the Maintenance API in Infor OS Portal. Navigate to API Management > Security Policies and verify that the work order update endpoints are included in your API role’s allowed operations. In ICS 2021, there’s often a disconnect between application permissions and API endpoint permissions that requires explicit mapping.

joseph_dev · November 6, 2025, 9:42am

I’ve seen this before with maintenance APIs. The issue is that CloudSuite application roles don’t automatically map to API permissions. You need to create an API role in Infor OS that explicitly grants access to the maintenance endpoints, then assign that API role to your service account. The Maintenance Manager role in CloudSuite gives UI access but doesn’t grant API access by default.

jim_func · November 29, 2025, 11:21pm

Don’t forget about the security context inheritance. Even with correct API roles, the work order update operation might require additional CloudSuite permissions like asset access or location permissions depending on what fields you’re updating. The 403 could be triggered by field-level security, not just endpoint-level.

Topic		Replies	Views
Project management API task update returns 403 Forbidden despite valid permissions Infor CloudSuite question , proj-mgmt , api-development , oauth , rest-api , authentication , permissions , ics-2023-1 , http-403	6	1	December 2, 2025
Invoice status update via billing API returns 403 Forbidden despite correct user permissions Workday question , api-development , automation , rest-api , permissions , billing-mgmt , wd-r2-2023 , http-403 , security-groups	6	0	May 29, 2025
Asset update API returns 403 Forbidden when called with service account credentials Oracle Fusion Cloud question , api-development , security , rest-api , authentication , asset-mgmt , ofc-23b , service-account , 403-error	7	0	June 20, 2025
Work order API returns 403 forbidden error when creating multi-step orders with custom fields and role-based access enabled Workday question , api-development , rest-api , authentication , work-order-mgmt , wd-r1-2023 , custom-fields , 403-forbidden , workflow-config	7	0	April 7, 2025
Maintenance API asset status update stuck in 'In Progress' after PATCH request Workday question , maint-mgmt , api-development , rest-api , wd-r1-2023 , json , workflow-automation , asset-status , patch-request	4	0	August 6, 2025
Equipment status update via asset lifecycle API fails with permission denied error after role changes in security model Microsoft Dynamics 365 question , api-development , oauth , rest-api , permission-denied , asset-lifecy , security-roles , d365-10-0-40 , status-updates	7	0	May 23, 2025
Asset lifecycle REST API asset status update fails with 403 Forbidden after security role changes Infor CloudSuite question , integration , rest-api , asset-lifecycle , json , validation-error , ics-2023-1 , asset-transfer , external-system	5	0	September 22, 2025
Service request update via API fails with 403 'Permission Denied' error Oracle Agile PLM question , api-development , rest-api , permissions , service-mgmt , rbac , automation-blocked , 403-error , agil-9-3-5	5	0	May 14, 2025
Maintenance work order integration fails when triggered by external MES system using REST API in multi-pod setup Oracle Fusion Cloud question , maint-mgmt , integration , multi-org , rest-api , work-order , ofc-22d , json , 400-error	4	0	November 17, 2025

Work order update via Maintenance API fails with 403 Forbidden error

Related topics