401 Unauthorized for service account

Version 1

    Subject: RE: New Message from Akanksha Agarwal in Cisco Unity Connection(CUC) - CUMI
    Replied by: Shivinder Singh on 10-10-2012 11:21:26 AM
    Akanksha, thanks for your reply. In order to create a user with voicemailusertemplate, I need to give it a phone extension for the voice mailbox. But this is just a service account. What would you suggest?
    This document was generated from CDN thread

    Created by: Shivinder Singh on 10-10-2012 10:37:52 AM
    I was initially using the administrator account to query CUMI to obtain voicemail records per user object id. Once I had it working, I wanted to create a service account and use that instead in my app. I created a user account from Unity Administration with administrator template, went to Roles page, removed System Administrator and added Mailbox Access Delegate Account to the roles list. When I used this account in my app, I got 401 Unauthorized error. I went back and added Audit Administrator role because this was the only other role administrator account had, but still getting same error 401 unauthorized. Any ideas what's going on?

    Subject: RE: 401 Unauthorized for service account
    Replied by: Akanksha Agarwal on 10-10-2012 11:09:36 AM
    Shivinder,
     
    If you want to access a particular user's voicemail records then you just need his credentials. You need not modify his roles. You can access his voicemail records using the following APIs:
    For messages in Inbox: /vmrest/mailbox/folders/inbox/messages
    For messages in Deleted Items folder: /vmrest/mailbox/folders/deleted/messages
    For messages in Sent Items folder: /vmrest/mailbox/folders/sent/messages
    When you want to access a user's mailbox, then you do not need to create a user with administrative template. You need to create one with voicemailusertemplate. And this is the reason why you are getting a not authorized error.
     
    I guess the API you are using is /vmrest/messages and giving the userobjectid to fetch a user's mailbox details. Please use the above mentioned APIs to GET the messages.
     

    Subject: RE: New Message from Shivinder Singh in Cisco Unity Connection(CUC) - CUMI
    Replied by: Shivinder Singh on 10-10-2012 01:39:26 PM
    I created the new user using voicemailusertemplate and the app is working now, not getting 401 unauthorized message. BUT, only if I hard code some test object user id in the code.

    If I try to GET /vmrest/users using this new service account (which is not a system administrator role), I get 403 forbidden status code, with the following XML:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ErrorDetails><errors><code>NOT_AUTHORIZED</code><message>Not Authorized</message></errors></ErrorDetails>

    User with System Administrator role was able to do this, but I would rather this service account not have sysadmin role. What additional privilege can I try to query user object ids from /vmrest/users?

    Thanks!

    Subject: RE: New Message from Shivinder Singh in Cisco Unity Connection(CUC) - CUMI
    Replied by: Anil Singh on 10-10-2012 07:27:59 PM
    you can assign that user with "User Administrator" role and you will be able to get user objectid from /vmrest/users
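
Added example (not part of the thread and not Cisco code): a Python sketch that tells the 401 case from the 403 case discussed above by parsing the `ErrorDetails` body quoted in the thread. The role hint comes from the reply above rather than from Cisco documentation; the function names and sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Role hint taken from the reply in this thread, not from Cisco documentation.
ROLE_HINTS = {"/vmrest/users": "User Administrator"}

def parse_error_details(body):
    """Return [(code, message), ...] from a CUC <ErrorDetails> body, or []."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return []  # empty or non-XML body
    if root.tag != "ErrorDetails":
        return []
    return [(e.findtext("code", ""), e.findtext("message", ""))
            for e in root.iter("errors")]

def diagnose(status, path, body=""):
    """Classify one response as ok, authentication or authorization failure."""
    codes = [c for c, _ in parse_error_details(body)]
    if 200 <= status < 300:
        return ("ok", None)
    if status == 401:
        return ("authentication", "check credentials and the account's user template")
    if status == 403 or "NOT_AUTHORIZED" in codes:
        role = next((r for p, r in ROLE_HINTS.items() if path.startswith(p)), None)
        hint = f"add role '{role}'" if role else "role missing for this resource"
        return ("authorization", hint)
    return ("other", f"unexpected HTTP {status}")

def audit(responses, assigned_roles):
    """Summarise probe results and flag the broad role the thread wants to avoid."""
    findings = [(path, *diagnose(status, path, body))
                for status, path, body in responses]
    if "System Administrator" in assigned_roles:
        findings.append(("account", "over-privileged",
                         "System Administrator exceeds a read-only reporting job"))
    return findings

# Constructed sample responses modelled on the ones quoted in the thread.
ERROR_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ErrorDetails>'
             '<errors><code>NOT_AUTHORIZED</code><message>Not Authorized</message>'
             '</errors></ErrorDetails>')
SAMPLE = [(200, "/vmrest/mailbox/folders/inbox/messages", ""),
          (403, "/vmrest/users", ERROR_XML)]

if __name__ == "__main__":
    for row in audit(SAMPLE, ["Mailbox Access Delegate Account"]):
        print(row)
```
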

    Subject: RE: New Message from Akanksha Agarwal in Cisco Unity Connection(CUC) - CUMI
    Replied by: Akanksha Agarwal on 11-10-2012 01:13:26 AM
    And Yes, Anil is right. If you give the voicemail user role of an administrator, then he will be able to GET /vmrest/users.


    Subject: RE: New Message from Akanksha Agarwal in Cisco Unity Connection(CUC) - CUMI
    Replied by: Shivinder Singh on 11-10-2012 08:54:42 AM
    Anil/Akanksha, I’m having difficulty understanding the roles – specifically Mailbox Access Delegate - and their intended use/audience. From your response it seems I’m not making sense in the Cisco universe. I’ll try to explain a little better:

    I’m developing some very basic reports for call records (called/received/unanswered/unreturned etc. etc.). I’m aware there are 3rd party software that do that but for sake of simplicity let’s assume they don’t exist.
    The reporting app will use a service account to get the job done. And will need certain permissions/roles.

    Please help me out here understand the roles here:


    1. /vmrest/mailbox (CUMI) can return voicemail records of *anyone*, if, ALL THREE of the following are true:
       a) Service account is created using voicemailusertemplate template
       b) Mailbox Access Delegate role is assigned to the service account
       c) User Object Id is provided

    2. /vmrest/users (CUNI) can return User Object Id of *anyone*, if, following is true:
       a) System Administrator role is assigned to the service account

    So at the end of the day – the service account needs to have mailbox delegate role as well as sysadmin role. Why in the world would I want to give a little service account, whose job is to give me voicemail records (just an extension of CDR call log), the *All Powerful* System Administrator Role? The account does not need to LISTEN to voice messages (which I’d assume will require some God role). All it needs is called party, calling party and time received.

    Please understand I’m a programmer and need to convince my CUCM sysadmin to give my little service account this role, so I’d appreciate some insight as to why Cisco chose to design roles in this manner? I’m definitely missing some point ☺
    Thanks for your continued responses!