Rest API - Update user - ERSException - Operation is not permitted

CyberNerd — Thu, 23 Mar 2023 13:36:22 GMT

Hello All,

I am working on a custom password changer for Cisco ISE identities.

Following the documentation we enabled ERS and created an ERS admin account.

When attempting to send a PUT request, the server responds with an internal error, debug hints at issues with the operation, has anyone stumbled upon such a peculiar issue? The documentation isn't too conclusive.

API Call:
Invoke-RestMethod "https://<server location>/ers/config/internaluser/<user id>" -Headers $headers -Method PUT -Body $json

Body request (powershell):
$json = @"
{
"InternalUser" : {
"name" : "XXX",
"identityGroups": "XXX",
"description" : "description",
"enabled" : true,
"email" : "email@domain.com",
"firstName" : "firstName",
"lastName" : "lastName",
"changePassword" : false,
"passwordIDStore" : "Internal Users"
}
}
"@

Debug logs:
023-03-23 13:09:04,587 DEBUG [ers-http-pool8][] ers.app.impl.converters.InternalUserConverter -::::- User PasswordIDStore - Internal Users isInternalPasswordIDStore - true
2023-03-23 13:09:04,591 INFO [ers-http-pool8][] cisco.cpm.nsf.impl.NSFUser -::::- Setting password ID store to cached internal ID <password storage ID>
2023-03-23 13:09:04,598 INFO [ers-http-pool8][] api.services.server.role.RoleImpl -::::- Fetched Role Information based on RoleID: <identity group ID>
2023-03-23 13:09:04,598 DEBUG [ers-http-pool8][] ers.app.impl.converters.InternalUserConverter -::::- Single Identity Group Details - ID - <identity group ID>
2023-03-23 13:09:04,598 DEBUG [ers-http-pool8][] ers.app.impl.converters.InternalUserConverter -::::- Single Identity Group Details - Name - <name>
2023-03-23 13:09:04,610 DEBUG [ers-http-pool8][] ers.app.impl.handlers.InternalUserCRUDHandler -::::- Old Identity Groups - [<identity group ID>]
2023-03-23 13:09:04,610 DEBUG [ers-http-pool8][] ers.app.impl.handlers.InternalUserCRUDHandler -::::- New Identity Groups - [<identity group ID>]
2023-03-23 13:09:04,619 INFO [ers-http-pool8][] cisco.ise.ups.internaluser.InternalUserServiceImpl -::::- going to save XXX
2023-03-23 13:09:04,619 INFO [ers-http-pool8][] cisco.ise.ups.internaluser.InternalUserServiceImpl -::::- done validation for user XXX
2023-03-23 13:09:04,620 INFO [ers-http-pool8][] cisco.ise.ups.internaluser.InternalUserServiceImpl -::::- retrieved RBAC groups for user XXX. number of groups: 1
2023-03-23 13:09:04,630 ERROR [ers-http-pool8][] ers.app.impl.handlers.InternalUserCRUDHandler -::::- InternalUser Update failed - Exception -
com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Operation is not permitted.
2023-03-23 13:09:04,630 DEBUG [ers-http-pool8][] cpm.ers.api.exception.ERSException -::::- Operation is not permitted.
2023-03-23 13:09:04,630 DEBUG [ers-http-pool8][] cisco.cpm.ers.fw.ERSServiceHelper -::::- The 'com.cisco.cpm.ers.api.exception.ERSCRUDHandlerException' occurred. Operation is not permitted.
2023-03-23 13:09:04,630 DEBUG [ers-http-pool8][] cisco.cpm.ers.fw.ERSServiceHelper -::::- assigning default content-type: application/json;charset=utf-8
2023-03-23 13:09:04,631 DEBUG [ers-http-pool8][] cpm.ers.app.web.MaxThreadsLimiterFilter -::::- ## RateLimitFilter Servlet => Continue with the ERS Response, The current bucket count is: 49

To me it looks like insufficient privileges, however I am unsure why? Is the account lacking privileges? Unlikely as it was set-up according to documentation.
Are internal user accounts not set-up in the right way? Seem more likely to me, as the account used for testing has admin privs, however I would appreciate some confirmation.

Happy to provide more logs if necessary.

Re: Rest API - Update user - ERSException - Operation is not permitted

CyberNerd — Fri, 24 Mar 2023 09:53:41 GMT

This seems to be an issue with the existing accounts, where they are admin accounts rather than ISE identities, further testing will be performed to validate, the same will be updated within this thread.

Re: Rest API - Update user - ERSException - Operation is not permitted

Charlie Moreton — Fri, 24 Mar 2023 12:09:07 GMT

That is correct. Admin password change is not allowed via API.

Re: Rest API - Update user - ERSException - Operation is not permitted

EssMan — Wed, 05 Mar 2025 20:19:48 GMT

Hi @Charlie Moreton , I've tested this in our dev environment and was able to change passwords for internalusers. However, I'm having issues in production with some accounts. All accounts are in the internalusers database.

From what I undesrtand, the change admin accounts, you need to use CLI but, for internal identities, the API should work (and it does in dev).

Can you elaborate on what you mean by "admin password change is not allowed via API" ?

as stated I'm able to successfully change the password for most accounts using this body:

{

"InternalUser": {

"name" : "<username>",

"password" : "<somepassword>",

"changePassword" : false

}

}

Much appreciated.

Essman

topic Rest API - Update user - ERSException - Operation is not permitted in Network Access Control

Rest API - Update user - ERSException - Operation is not permitted

Re: Rest API - Update user - ERSException - Operation is not permitted

Re: Rest API - Update user - ERSException - Operation is not permitted

Re: Rest API - Update user - ERSException - Operation is not permitted