Action invoke Rest-Service (GET Attachment) in Timer of system-step => Insufficient attachment permissions

0

Hi Ernst,

If I recall correctly, I encountered the same issue, but I can’t seem to recall where and how I resolved it. Perhaps something will come to mind if I review the configuration of the “Invoice Rest Service” action screens. Could you share them with me? Additionally, I’d appreciate it if you could share how you select the ATT_ID.

Thanks,
Martin

The "ID" which is sent via header is currently a Test-ID (Domino Document Unique ID - which is needed for the rest-api)

It works fine, if I run it via Menu, but via Timer or Path-Action I always get the error.

Ernst

We investigated this further and can now narrow the problem down much more precisely.

Environment:

WEBCON BPS
Automation executed by:
Timer action on system step
also reproducible via path action
Action type:
Invoke REST Web service

Current findings:

The same Invoke REST action works correctly when executed manually from a menu action.
Timer actions CAN create attachments in general.
Example:
"Convert Word to PDF" works correctly via timer
generated PDF is attached successfully
Standard REST calls via timer also work correctly.
Example:
GET/POST returning JSON/text works fine
The problem only occurs when:
Response body type = Binary
and the response is stored as attachment
The problem is reproducible independently from Dracoon/S3.
We created a very simple Domino/XPages test endpoint which:
authenticates via Basic Auth
streams a PDF attachment directly to the HTTP response
no OAuth
no redirects
no external cloud provider involved
Result:
manual execution => works
timer/path execution => fails

Error:
Invoke REST Web service - Request Url: https://app1.hypo.web/volt/resttools.nsf/download.xsp
Exceptions: Insufficient attachment permissions

Important:
This does NOT appear to be a general attachment permission issue, because timer actions can successfully generate and attach PDFs.

It currently looks more like a problem specifically in the HTTP binary download -> attachment persistence path when executed in automation/timer context.

Can you confirm whether:

binary response handling behaves differently in timer context
there are known limitations with streamed/chunked HTTP responses
or whether this is a known issue in Invoke REST Web service?

Thanks,
Ernst

Hi Ernst,

I had the same issue. What I ended up with was saving the ATT_ID into a technical fields and then passing this fields to the binary part value (see attached image). Hope that helps.

Cheers,
Martin

Hi Martin,

I have the problem on ANY attachment download (not upload) via Timer, no variant is working right now....

Kind regards
Ernst

Ahhh, sorry. I misread your issue.

Okay, I've now solved the problem. Here's the explanation in case anyone else encounters the same issue:

There's a filter for <Users and Groups> (DataSources). This filter is applied to a WHERE clause for the view "V_CachedOrganisationStructure" when saving.
The underlying table is CacheOrganisationStructure (which contains all users and groups).

If the service user (in our case, "Serviceuser Webcon") is not included in the view, it cannot be added to an app permission.

I have now added this service user to the filter and subsequently granted them permission in the app.

From this point on, all REST downloads in this app work as expected.