My Products
Help
guidol
CHAMPION *

Can't assign App Store “Integration Administrator" role

by guidol

We are trying to implement the Visma Connect log in for our applications.

 

Using the documentation on https://community.visma.com/t5/Forum-in-Developers-Visma-net/Visma-net-ERP-API-Developer-Portal-Star... we have come quite far, but now we are facing a similar problem as described here: https://community.visma.com/t5/Forum-in-Developers-Visma-net/Access-denied-during-authorisation-thro... specifically:

 

> You do not have access to the selected company or to any companies for this application

You are signed in as ("company", "account")

 

According to the post mentioned above, the “Integration Administrator" role must be granted to the user trying to log on. However, it is not possible to select that option on any of the companies available giving there are no licenses in use:

 

guidol_0-1702301736396.png

 

Checking with our Visma Partner manager it seems there is an active license and from their point of view everything should be okay.

 

What is the reason this option is not available? How to check if we have the appropriate license to perform this action? Any other thoughts?

14 REPLIES 14
guidol
CHAMPION *

by guidol

Yes, all users in our ISV account have the Customer Administrator role. Still, none of the users can assign Integration Administrator.

by Magnus Johnsen

Hi,

The role needed to log in to an interactive integration is the "API User" role, the "Integration Administrator" is only needed for the users that should have access to log on to the App store and accept tenant based applications.

Could you please check if this has been applied to one of the users logging in:

2023-12-12 13_24_11-Admin _ Visma.net _ User - Brave.png

 

guidol
CHAMPION *

by guidol (Updated ‎12-12-2023 14:16 by guidol )

The same problem is shown there: "0 of 0 licenses in use". There is no way to select any of the roles there:

 

guidol_0-1702386383590.png

 

guidol
CHAMPION *

by guidol (Updated ‎13-12-2023 13:32 by guidol )

We worked with our partner manager to get some things checked since this is getting critical for us now. It seemed that there was a new license made for us, but it seems it was separated from our profile. This leaded to all kind of weird problems. This has been resolved now by support by moving all users to the new license.

 

Currently we get one step further in the log on process: we can choose what company to connect, but selecting either of the two companies leads to another error:

 

guidol_0-1702470695654.png

 

Can you check the actual problem?

Yıldırım
VISMA

by Yıldırım

For the error IDs you receive, you can use OAuth Debugger available in the developer portal.

Test and debug your OAuth requests by pasting in the Error-ID you may get during your implementation towards the /connect/authorize endpoint. From the My Applications page, you have access to the Debugger.
appList.png

 

guidol
CHAMPION *

by guidol

I see. Thanks! That button deserves a little more emphasis and possibly a mention in the error dialog for development users.

 

After making some changes and retrieving an access token I get the next error:

 

Message - Unhandled exception: Failed to update tenant consent for user b0be87dc-xxxx, client xxxx and tenant 0feb108a-xxxx, errorId: a2c7cd20-xxxx
Response - HttpResponseInfo { StatusCode: InternalServerError, ErrorCode: null }
SourceContext - VismaConnect.Web.IdentityProvider.Middlewares.ExceptionHandlerMiddleware
RequestId - 0HMVR44A0F0S5:00000002
RequestPath - /connect/authorize/callback
ConnectionId - 0HMVR44A0F0S5
Request_Ipv4Address - xxxx
Request_UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Request_Method - GET
Request_Path - /connect/authorize/callback
Request_Host - connect.visma.com
Request_ClientId - xxxx
CorrelationId - 3e98b89f-xxxx
UserId - b0be87dc-xxxx
SessionId - af9151a4-xxxx
IdentityProvider - Visma Connect
TenantId - null
Timestamp - 12/13/2023 14:12:05 +00:00
Level - Error
ExceptionSource - VismaConnect.Dal.ConnectDb
ExceptionType - VismaConnect.Dal.ConnectDb.Connector.ConnectDbException
ExceptionMessage - Failed to update tenant consent for user b0be87dc-xxxx, client xxxx and tenant 0feb108a-xxxx
StackTrace - at VismaConnect.Dal.ConnectDb.Services.UserTenantConsentDbService.UpdateAsync(Guid userId, String clientIdentity, Guid tenantId, IEnumerable`1 scopes) in /tc-agent/work/d20c03d2a8e0d24e/src/VismaConnect.Dal.ConnectDb/Services/UserTenantConsentDbService.cs:line 81

 

Any clue?

by Magnus Johnsen

Hi,

There is an issue with the link that you posted yesterday, could you please compare your calls to these examples:

Authorize:

GET https://connect.visma.com/connect/authorize
?client_id=ClientID
&response_type=code
&scope=openid
&redirect_uri=http://localhost
&code_challenge=iMnq5o6zALKXGivsnlom_0F5_WYda32GHkxlV7mq7hQ
&code_challenge_method=S256


Token:

curl --request POST --url https://connect.visma.com/connect/token
--header 'content-type: application/x-www-form-urlencoded'  
--data 'grant_type=authorization_code
&redirect_uri=http://localhost
&code=94c99b73c13c1e39f7b0a7d259628338
&client_id=ClientID
&code_verifier=verifier'
guidol
CHAMPION *

by guidol (Updated ‎14-12-2023 11:45 by guidol )

Why is there a `code_challenge`? That only applies to PKCE which we don't intend to use.

by Magnus Johnsen

What type of application/authentication are you intending to set up? 

guidol
CHAMPION *

by guidol

Grant type = Authorization code

guidol
CHAMPION *

by guidol (Updated ‎14-12-2023 13:03 by guidol )

The currently used call to `authorize` is (replacing the client ID):

 

https://connect.visma.com/connect/authorize?response_type=code&client_id=xxxx&redirect_uri=https%3A%2F%2Fdcloud%3A44362%2Fapp%2Fsetup%2Fdatabases%2Fnew%2Fvismanet%2Ftoken&state=INVANTIVE-fb5bc40483ad402e97d4821eeae71ce9&scope=openid+email+profile+vismanet_erp_interactive_api%3Aread+vismanet_erp_interactive_api%3Acreate+vismanet_erp_interactive_api%3Aupdate+vismanet_erp_interactive_api%3Adelete
guidol
CHAMPION *

by guidol (Updated ‎15-12-2023 09:16 by guidol )

The URL provided is correct. The bug reported seems to be user-specific. I have tried the link with another Visma .net user and now it does work. So the tenant consent update error is specific for this user, who has consented with other OAuth settings before.

guidol
CHAMPION *

by guidol

The above error also happens when we open the OAuth URL (similar to https://connect.visma.com/connect/authorize?response_type=code&client_id=xxxxxx&redirect_uri=https%3...) from an Incognito session.

by Magnus Johnsen

Hi,

Does the user you are logged in with have the "Customer Administrator" role? If so, they should be able to assign the "Integration Administrator" to any other user in that company.