Hello All,
I am working on a custom password changer for Cisco ISE identities.
Following the documentation we enabled ERS and created an ERS admin account.
When attempting to send a PUT request, the server responds with an internal error, debug hints at issues with the operation, has anyone stumbled upon such a peculiar issue? The documentation isn't too conclusive.
API Call:
Invoke-RestMethod "https://<server location>/ers/config/internaluser/<user id>" -Headers $headers -Method PUT -Body $json
Body request (powershell):
$json = @"
{
"InternalUser" : {
"name" : "XXX",
"identityGroups": "XXX",
"description" : "description",
"enabled" : true,
"email" : "email@domain.com",
"firstName" : "firstName",
"lastName" : "lastName",
"changePassword" : false,
"passwordIDStore" : "Internal Users"
}
}
"@
Debug logs:
023-03-23 13:09:04,587 DEBUG [ers-http-pool8][] ers.app.impl.converters.InternalUserConverter -::::- User PasswordIDStore - Internal Users isInternalPasswordIDStore - true
2023-03-23 13:09:04,591 INFO [ers-http-pool8][] cisco.cpm.nsf.impl.NSFUser -::::- Setting password ID store to cached internal ID <password storage ID>
2023-03-23 13:09:04,598 INFO [ers-http-pool8][] api.services.server.role.RoleImpl -::::- Fetched Role Information based on RoleID: <identity group ID>
2023-03-23 13:09:04,598 DEBUG [ers-http-pool8][] ers.app.impl.converters.InternalUserConverter -::::- Single Identity Group Details - ID - <identity group ID>
2023-03-23 13:09:04,598 DEBUG [ers-http-pool8][] ers.app.impl.converters.InternalUserConverter -::::- Single Identity Group Details - Name - <name>
2023-03-23 13:09:04,610 DEBUG [ers-http-pool8][] ers.app.impl.handlers.InternalUserCRUDHandler -::::- Old Identity Groups - [<identity group ID>]
2023-03-23 13:09:04,610 DEBUG [ers-http-pool8][] ers.app.impl.handlers.InternalUserCRUDHandler -::::- New Identity Groups - [<identity group ID>]
2023-03-23 13:09:04,619 INFO [ers-http-pool8][] cisco.ise.ups.internaluser.InternalUserServiceImpl -::::- going to save XXX
2023-03-23 13:09:04,619 INFO [ers-http-pool8][] cisco.ise.ups.internaluser.InternalUserServiceImpl -::::- done validation for user XXX
2023-03-23 13:09:04,620 INFO [ers-http-pool8][] cisco.ise.ups.internaluser.InternalUserServiceImpl -::::- retrieved RBAC groups for user XXX. number of groups: 1
2023-03-23 13:09:04,630 ERROR [ers-http-pool8][] ers.app.impl.handlers.InternalUserCRUDHandler -::::- InternalUser Update failed - Exception -
com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Operation is not permitted.
2023-03-23 13:09:04,630 DEBUG [ers-http-pool8][] cpm.ers.api.exception.ERSException -::::- Operation is not permitted.
2023-03-23 13:09:04,630 DEBUG [ers-http-pool8][] cisco.cpm.ers.fw.ERSServiceHelper -::::- The 'com.cisco.cpm.ers.api.exception.ERSCRUDHandlerException' occurred. Operation is not permitted.
2023-03-23 13:09:04,630 DEBUG [ers-http-pool8][] cisco.cpm.ers.fw.ERSServiceHelper -::::- assigning default content-type: application/json;charset=utf-8
2023-03-23 13:09:04,631 DEBUG [ers-http-pool8][] cpm.ers.app.web.MaxThreadsLimiterFilter -::::- ## RateLimitFilter Servlet => Continue with the ERS Response, The current bucket count is: 49
To me it looks like insufficient privileges, however I am unsure why? Is the account lacking privileges? Unlikely as it was set-up according to documentation.
Are internal user accounts not set-up in the right way? Seem more likely to me, as the account used for testing has admin privs, however I would appreciate some confirmation.
Happy to provide more logs if necessary.
