Creating a group via the API

Hi,

I am trying to use a service user on my backend to generate new groups when a user signs up and decides to input information about their company. I am doing so as I am then using the name of this group to restrict access to data via a restricted view.

One issue I am having is that the create group endpoint doesn’t seem to work for my user.

My auth client is:

import { createConfidentialOauthClient } from '@osdk/oauth';
import { createClient } from '@osdk/client';

// Confidential (client-credentials) OAuth client for the backend service user.
// The client is callable and is passed to createClient as the token provider.
const auth = createConfidentialOauthClient(clientId, clientSecret, url, ['api:ontologies-read', 'api:ontologies-write', 'api:admin-read', 'api:admin-write']);
const client = createClient(url, ontologyRid, auth);

Then my request is:

// Math.random().toString(36) starts with "0.", so the name comes out as "company-0.xxxxx".
const companyId = `company-${Math.random().toString(36)}`;
// getTokenOrUndefined() returns the cached token, or undefined if the client has not fetched one yet;
// awaiting auth() instead would obtain a token on demand.
const serviceUserToken = auth.getTokenOrUndefined();

const groupResponse = await fetch(`https://${HOSTNAME}/api/v2/admin/groups`, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${serviceUserToken}`,
    },
    body: JSON.stringify({
        name: companyId,
        organizations: ['[org_id]'], // identifier of the organization the group belongs to
        description: `Auto-generated group for company ${companyId}`
    })
});

Note that simply getting the list of groups does work.

On the organization settings page for the organization I want to add the group to, I have the following and have added the service user. I am not sure where to proceed in debugging from here!

Just following up on this, I’m also having trouble listing group members despite my service user being the group manager for the organization. However, if I use my super-admin’s token then I am able to list out the users.

Hi @jackmiller2003, can you please clarify what you mean by “doesn’t seem to work”? Are you getting an error code or error message?

In your request, where you have [org_id], make sure you are using the RID (e.g. ri.multipass..organization.7d9b85f6-32dc-42ee-a92b-d0ee50be297f) instead of the marking ID (e.g. b572ab52-450e-48d5-ac86-80a8cb16c179).

Separately, I would recommend using our Platform SDK instead of writing your own API code!

The error I get is:

Error creating company group: PalantirApiError: Failed to fetch 403 Forbidden
    at Object.fetch (file:///Users/danny/src/[redacted]/backend/node_modules/@osdk/shared.client.[redacted]/build/esm/createSharedClientContext.js:36:61)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async apiFetch (file:///Users/danny/src/[redacted]/backend/node_modules/@osdk/foundry.admin/node_modules/@osdk/shared.net.platformapi/build/esm/foundryPlatformFetch.js:53:20)
    at async foundryPlatformFetch (file:///Users/danny/src/[redacted]/backend/node_modules/@osdk/foundry.admin/node_modules/@osdk/shared.net.platformapi/build/esm/foundryPlatformFetch.js:25:10) {
  errorName: 'CreateGroupPermissionDenied',
  errorCode: 'PERMISSION_DENIED',
  statusCode: 403,
  errorInstanceId: '[redacted]',
  parameters: {},
  cause: PalantirApiError: Failed to fetch 403 Forbidden
      at file:///Users/danny/src/[redacted]/backend/node_modules/@osdk/shared.net.fetch/build/esm/createFetchOrThrow.js:43:13
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
    errorName: 'CreateGroupPermissionDenied',
    errorCode: 'PERMISSION_DENIED',
    statusCode: 403,
    errorInstanceId: '[redacted]',
    parameters: {}
  }
}

Even though I have given this service user all of the permissions I can possibly think of.

Are you using a Third Party App with Client credentials flow?

This is a developer app with a client secret.

There could be some custom config required, since the TPA users are guest users in the organization. I can’t recall the details, but maybe someone from the Multipass team can chime in.

Are you able to share the errorInstanceId from the above error trace (or a new one)? You’ve redacted it in your previous message, but it lets us map to the specific permissions error that is thrown server-side.
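As an added example that is not code from this thread, from Palantir or from the OSDK packages: a small JavaScript helper covering the two practical points raised above, the RID-versus-marking-ID mix-up and the errorInstanceId that support needs. It builds the same POST /api/v2/admin/groups request as the question, refuses a bare UUID (marking ID) where an organization RID is required, refuses to send without a token, and normalises a 403 body into the fields worth quoting. Assumptions: an organization RID follows the shape of the example in the reply (ri.multipass..organization.<uuid>), and the error response body carries the same fields as the PalantirApiError shown (errorName, errorCode, errorInstanceId); the sample 403 body and its instance id are constructed here, not captured.

```javascript
// Added example, not code from the thread or from the Palantir SDK. It builds the
// POST /api/v2/admin/groups request shown in the question, rejects a bare marking
// UUID where an organization RID is required, and pulls the errorInstanceId out of
// a PERMISSION_DENIED response so it can be quoted when asking for help.
// Assumptions: an organization RID looks like the example in the reply
// (ri.multipass..organization.<uuid>), and the error body carries the same
// fields as the PalantirApiError above (errorName, errorCode, errorInstanceId).

const UUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
const ORG_RID = new RegExp(`^ri\\.multipass\\.\\.organization\\.${UUID}$`, "i");
const BARE_UUID = new RegExp(`^${UUID}$`, "i");

// Fail fast on the mistake from the thread: a marking ID (bare UUID) passed
// where the API wants the organization RID.
function assertOrganizationRid(value) {
  if (BARE_UUID.test(value)) {
    throw new Error(`"${value}" is a bare UUID (marking ID); use the organization RID ri.multipass..organization.<uuid>`);
  }
  if (!ORG_RID.test(value)) {
    throw new Error(`"${value}" is not an organization RID`);
  }
  return value;
}

// Builds the same request as the question, but refuses to send without a token
// (getTokenOrUndefined() returns undefined until the client has fetched one).
function buildCreateGroupRequest({ hostname, token, name, organizationRids, description }) {
  if (!token) {
    throw new Error("no service-user token available; obtain one from the OAuth client first");
  }
  return {
    url: `https://${hostname}/api/v2/admin/groups`,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`,
      },
      body: JSON.stringify({
        name,
        organizations: organizationRids.map(assertOrganizationRid),
        description,
      }),
    },
  };
}

// Normalises an error response into the fields worth logging and reporting.
function parseApiError(statusCode, body) {
  const b = body || {};
  const errorInstanceId = b.errorInstanceId || "(missing)";
  return {
    statusCode,
    errorName: b.errorName,
    errorCode: b.errorCode,
    errorInstanceId,
    permissionDenied: statusCode === 403 || b.errorCode === "PERMISSION_DENIED",
    message: `${b.errorName || "UnknownError"} (${b.errorCode || "?"}, HTTP ${statusCode}); errorInstanceId=${errorInstanceId}`,
  };
}

// Sends the request. fetchImpl is injectable so the flow can be exercised offline.
async function createGroup(params, fetchImpl = globalThis.fetch) {
  const { url, init } = buildCreateGroupRequest(params);
  const res = await fetchImpl(url, init);
  if (res.ok) {
    return { ok: true, group: await res.json() };
  }
  let body = null;
  try { body = await res.json(); } catch (e) { /* non-JSON error body */ }
  return { ok: false, error: parseApiError(res.status, body) };
}

// Constructed sample of the 403 body from the thread (the instance id is made up).
const SAMPLE_DENIED_BODY = {
  errorName: "CreateGroupPermissionDenied",
  errorCode: "PERMISSION_DENIED",
  statusCode: 403,
  errorInstanceId: "00000000-0000-4000-8000-000000000000",
  parameters: {},
};

// Offline fetch stand-in that always answers with the sample 403.
async function denyingFetch() {
  return { ok: false, status: 403, json: async () => SAMPLE_DENIED_BODY };
}
```

Usage: `createGroup({ hostname: HOSTNAME, token: await auth(), name: companyId, organizationRids: [orgRid], description }, denyingFetch)` resolves to `{ ok: false, error: { ... errorInstanceId ... } }`; swap `denyingFetch` for the real `fetch` to hit the platform. Log `error.message` rather than the whole stack so the instance id survives into your logs unredacted.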