Add Specific Permission Messages

Idea created by md0049252 on Sep 11, 2019
Under review

Currently, when permissions fail, the REST API returns 403: Not authorized. The current steps to correct this are:

1. Go to

2. Use the entitlement spreadsheet, and convert to role privileges.

3. Log in as admin and adjust the role privileges to match.

4. Hope the role privileges are not cached (making a new role / using 3lo helps force this to use the new set).

5. Do another API call and hope that you get past the 403.

A bad workaround is to give your API user too many permissions, but this is often the hammer used to get around the above steps.

Here's the idea: The API should return information on the permission check that failed.

There are security concerns, sure, but these can be handled in a few ways. One could be to put this information into the System logs. One could be to only return this information if the user has another specific permission (Admin). I'm sure there are other ways to handle this, but the idea I'm proposing here is to be more descriptive about why Authorization failed, so that admins can reduce the number of permissions in an easier workflow.

Thank you for your consideration.

Product Version (if applicable): 0
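The two mitigations the post suggests (write the failed check to the system log; return specifics only to callers holding an admin-type privilege) can be combined in one 403 handler. The following is an added example, not code from the poster or from any product: the role names, the `authz.view_diagnostics` gating privilege, the in-memory `SYSTEM_LOG` list and the request-id scheme are all constructed placeholders. The design point it shows is that the ordinary API user still gets an opaque `Not authorized`, but every denial carries a request id that an admin can match against a log record naming the missing privilege and the caller's roles, so tightening a role no longer means guessing.

```python
"""Permission-aware 403 handling: log the failed check, disclose details only to admins."""
import itertools
import logging
from dataclasses import dataclass

logger = logging.getLogger("authz")

# Constructed role -> privilege table. The names are placeholders,
# not any product's real role or privilege identifiers.
ROLE_PRIVILEGES = {
    "catalog_reader": frozenset({"catalog.read"}),
    "catalog_editor": frozenset({"catalog.read", "catalog.write"}),
    "site_admin": frozenset({"catalog.read", "authz.view_diagnostics"}),
}
# Assumed privilege that gates detailed 403 bodies (the post's "Admin" idea).
DIAGNOSTICS_PRIVILEGE = "authz.view_diagnostics"

# Stand-in for the product's system log: one dict record per denied request.
SYSTEM_LOG = []
_request_ids = itertools.count(1)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class AuthzFailure:
    request_id: int
    user: str
    endpoint: str
    missing_privilege: str
    roles: tuple


def privileges_for(user):
    """Flatten the caller's roles into the set of privileges they grant."""
    privs = set()
    for role in user.roles:
        privs |= ROLE_PRIVILEGES.get(role, frozenset())
    return privs


def authorize(user, endpoint, required_privilege):
    """Return None when allowed, otherwise an AuthzFailure naming what was missing."""
    if required_privilege in privileges_for(user):
        return None
    return AuthzFailure(
        request_id=next(_request_ids),
        user=user.name,
        endpoint=endpoint,
        missing_privilege=required_privilege,
        roles=tuple(sorted(user.roles)),
    )


def forbidden_response(user, failure):
    """Build the 403: full detail to the system log, opaque body unless the caller may see diagnostics."""
    record = {
        "request_id": failure.request_id,
        "user": failure.user,
        "endpoint": failure.endpoint,
        "missing_privilege": failure.missing_privilege,
        "roles": list(failure.roles),
    }
    SYSTEM_LOG.append(record)            # always recorded server-side
    logger.warning("authz denied: %s", record)

    # Generic body for everyone; the request id lets an admin find the log record.
    body = {"status": 403, "error": "Not authorized", "request_id": failure.request_id}
    if DIAGNOSTICS_PRIVILEGE in privileges_for(user):
        body["details"] = {
            "endpoint": failure.endpoint,
            "missing_privilege": failure.missing_privilege,
            "roles": list(failure.roles),
        }
    return 403, body


def handle_request(user, endpoint, required_privilege):
    """Minimal request pipeline: authorize, then either serve or deny."""
    failure = authorize(user, endpoint, required_privilege)
    if failure is None:
        return 200, {"status": 200, "endpoint": endpoint}
    return forbidden_response(user, failure)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    api_user = User("api_user", frozenset({"catalog_reader"}))
    print(handle_request(api_user, "PUT /catalog/products/42", "catalog.write"))
    print(SYSTEM_LOG[-1])
```

The opaque body plus request id is what an integration's API user sees; the admin either reads the log record for that id or, holding the diagnostics privilege, repeats the call and reads the `details` block directly. Note that the role-to-privilege table is consulted on every request here; a real deployment that caches role privileges (the caching the post mentions in step 4) would need the cache invalidated when a role is edited, or the log will keep naming a privilege the admin has already granted.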