API

Check access requests

There might be a lot of API operations available for an object/resource, but not all of them is applicable for every object. It is not possible to register a sales order that does not have any items, or a sales order that is already registered. Some API operations are not available because of the modules/submodules activated by the customer, while other API operations are restricted to a permission which a duty/role does not have.

Check access requests makes it possible to find out which API operations that are not available for the current user, and also why it is not available.

In the RamBase client we are using check access requests to hide context menu items which are not available. In the menu item called "Unavailable menu items" you can find API operations that cannot be requested, including an explanation of why.

The request URI is always the same:

POST https://api.rambase.net/check-access

Example of request body:

In this example we are checking the API operations "Register sales order" (100055), "Cancel sales order" (100041) and "Copy sales order to new sales quote" (100437) for sales order 100087: 

{
    "checkAccess": [
        {
            "objectType": "APIOperation",
            "objectId": 100055,
            "data": "sales/orders/100087"
        },
        {
            "objectType": "APIOperation",
            "objectId": 100041,
            "data": "sales/orders/100087"
        },
        {
            "objectType": "APIOperation",
            "objectId": 100437,
            "data": "COA/100087"
        }
    ]
}

You might have noticed that the data element is provided with two different syntaxes. One is the resource uri of the object where the operation can be found (sales/orders/100087), the other is the object in the RamBase key format (COA/100087). Both are referring to the same object and is equally valid.

As you can see in the example response below, nothing is returned for "Copy sales order to new sales quote" (100437). This indicates that you can request that specific operation for sales order 100087. The other two API operations is not allowed, and the explanation can be found in the translated error message. 

{
    "checkAccessResults": [
        {
            "translatedErrorMessage": "The sales order is already registered",
            "object": {
                "objectId": 100055,
                "objectType": "ApiOperation",
                "objectLink": "https://api.rambase.net/system/api/api-operations/100055"
            },
            "missingPermission": {
                "permissionId": null,
                "name": null,
                "permissionLink": null
            }
        },
        {
            "translatedErrorMessage": "Only active sales orders can be cancelled",
            "object": {
                "objectId": 100041,
                "objectType": "ApiOperation",
                "objectLink": "https://api.rambase.net/system/api/api-operations/100041"
            },
            "missingPermission": {
                "permissionId": null,
                "name": null,
                "permissionLink": null
            }
        }
    ]
}