Provide access programmatically to BIM 360 services - autodesk

We are working on providing access to BIM 360 projects programmatically. We allow the project admin to select a user and role combination to provide access to a BIM 360 project.
Once user and role combinations are added, we call the import users BIM 360 API and pass the required JSON body. API Reference: https://forge.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-users-import-POST/
There is service access associated with each role, so we are passing the service access information accordingly.
We are able to give access to the document_management and project_administration service objects.
But we also need to give access to Project Management, Insight and other available services. If we pass the insight or project_management service name, we get an error:
Invalid services ["project_management"]
and a similar error for the insight service.
We are passing the sample JSON body below:
[
  {
    "email": "userEmail",
    "services": {
      "document_management": {
        "access_level": "admin"
      },
      "project_administration": {
        "access_level": "admin"
      },
      "project_management": {
        "access_level": "admin"
      }
    },
    "company_id": "companyId",
    "industry_roles": [
      "roleid1",
      "roleid2"
    ]
  }
]
If we remove the project_management object from the above JSON, the access works fine.
How can we provide access to these and other available services? Or are we missing something?
Thank you!

Unfortunately, it's a known limitation of the Admin API :-( although it is a highly demanded feature.
We have a wish logged against it:
ACSADMIN-530 (was HQ-3034): “API wish: adding users beyond Docs”
Sorry for the bad news.
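
A pre-flight split for the situation described in this thread, as an added example that is not part of the original posts or Autodesk's code: it separates the services the question reports as accepted by the import call from those that trigger the `Invalid services` error, so the held-back grants are recorded instead of failing the request. The function name and the accepted-service set are assumptions drawn from the question; the sample body is constructed.

```python
import copy

# Services the question above reports the users/import call accepting.
# Assumption: taken from this thread, not from an Autodesk-published list.
IMPORTABLE_SERVICES = frozenset({"document_management", "project_administration"})


def split_import_payload(users):
    """Split a users/import body into what can be sent and what cannot.

    Returns (payload, deferred): `payload` is a copy of `users` keeping only
    importable services; `deferred` lists (email, service, access_level)
    grants that were held back and still need to be made some other way.
    """
    payload, deferred = [], []
    for user in users:
        entry = copy.deepcopy(user)  # never mutate the caller's data
        services = entry.get("services", {})
        entry["services"] = {}
        for name, settings in services.items():
            if name in IMPORTABLE_SERVICES:
                entry["services"][name] = settings
            else:
                deferred.append((entry.get("email"), name,
                                 settings.get("access_level")))
        payload.append(entry)
    return payload, deferred


# Constructed sample mirroring the body in the question.
SAMPLE = [{
    "email": "userEmail",
    "services": {
        "document_management": {"access_level": "admin"},
        "project_administration": {"access_level": "admin"},
        "project_management": {"access_level": "admin"},
    },
    "company_id": "companyId",
    "industry_roles": ["roleid1", "roleid2"],
}]

if __name__ == "__main__":
    body, held_back = split_import_payload(SAMPLE)
    print(body)
    print("not granted by import:", held_back)
```

Keeping the `deferred` list in the provisioning log gives an audit trail of admin-level grants that were requested but not applied.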

Related

How to Add File Reference to Quality Issue

Via the BIM360 API, I am able to create Quality Issues and upload files (to be used as attachments). However, even though I am calling Post Attachments (https://forge.autodesk.com/en/docs/bim360/v1/reference/http/field-issues-attachments-POST/) (and all responses are good), nothing appears on the Issue screen.
[Screenshot: Issue screen with manually added file]
How can I make my attached file appear under the References->Files section?
(Note, I saw a mention elsewhere of the relationships API, but I get a random error just calling the first "asset" API [{"title":"Forbidden","detail":"Forbidden","errorCode":"GENERAL_ERROR","type":"https://developer.api.autodesk.com/bim360/assets/v1/error-codes/GENERAL_ERROR"}])

Firstly, the screenshot shows you are working with Issues in Autodesk Construction Cloud (ACC), while the API you are using is for BIM360 Issue. This API is NOT compatible with ACC.
To work with ACC Issue, the API is available at the category of ACC:
https://forge.autodesk.com/en/docs/acc/v1/reference/http/issues-issues-GET/
This blog tells more:
https://forge.autodesk.com/blog/acc-issues-api-available-preview
In the context of ACC, the attachment (references) is managed by the general API (Relationship API). In Additional Tests of the Postman collection of ACC Issue API, I demoed how to add a Photo with the Issue. The logic is similar.
https://github.com/Autodesk-Forge/forge-acc.issues.api-postman.collection
Firstly, use the Data Management API to get the document urn. Then, use the ACC Issue API to get the id of one issue. Finally, use the Relationship API to bind them.
PUT https://developer.api.autodesk.com/bim360/relationship/v2/containers/{{project_id_without_b}}/relationships
P.S. -bim360- in the domains is just because of the legacy design of the terminologies. It can work for the contexts of both BIM360 and ACC (note it is the Relationship API that can work within both of the contexts).
Payload:
[
  {
    "entities": [
      {
        "domain": "autodesk-bim360-issue",
        "type": "issue",
        "id": "{{one_issue_id}}"
      },
      {
        "domain": "autodesk-bim360-documentmanagement",
        "type": "documentlineage",
        "id": "{{one_document_urn}}"
      }
    ]
  }
]
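
The final step of the procedure above, as an added example that is not part of the original answer: it builds the Relationship API PUT request from a project id, an issue id and a document URN, without sending it. The function names, the GUID check and the `dm.lineage:` check are assumptions; the ids in the demo are constructed.

```python
import json
import re
import urllib.request

RELATIONSHIP_URL = ("https://developer.api.autodesk.com/bim360/relationship/v2"
                    "/containers/{container_id}/relationships")
# Assumption: container and issue ids are GUIDs; reject anything else early.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def container_id(project_id):
    """Drop the 'b.' prefix that Data Management puts on project ids."""
    cid = project_id[2:] if project_id.startswith("b.") else project_id
    if not GUID.match(cid):
        raise ValueError("project id is not a GUID: %r" % project_id)
    return cid


def build_link_request(project_id, issue_id, document_urn, access_token):
    """Build (without sending) the PUT that binds a document to an issue."""
    if not GUID.match(issue_id):
        raise ValueError("issue id is not a GUID: %r" % issue_id)
    # The entity type is 'documentlineage', so a version URN is the wrong id.
    # Assumption: lineage (item) URNs contain 'dm.lineage:'.
    if "dm.lineage:" not in document_urn:
        raise ValueError("expected a document lineage URN")
    payload = [{"entities": [
        {"domain": "autodesk-bim360-issue", "type": "issue", "id": issue_id},
        {"domain": "autodesk-bim360-documentmanagement",
         "type": "documentlineage", "id": document_urn},
    ]}]
    return urllib.request.Request(
        RELATIONSHIP_URL.format(container_id=container_id(project_id)),
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed placeholder values; none of them refer to a real project.
    req = build_link_request(
        "b.11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "urn:adsk.wipprod:dm.lineage:CONSTRUCTED_ITEM_ID",
        "CONSTRUCTED_TOKEN",
    )
    print(req.get_method(), req.full_url)
```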

Getting all application extensions, and just application extensions for an object from MS Graph

Assume I know the extension names I am looking for; I could get a user's extensions like so:
GET https://graph.microsoft.com/v1.0/users/{{OBJECT_ID}}?$select=extension_{{APP_ID_WITHOUT_GUIDS}}_SomeId,extension_{{APP_ID_WITHOUT_GUIDS}}_SomeValue
Or I could get the attributes from his member groups like so:
GET https://graph.microsoft.com/v1.0/users/{{OBJECT_ID}}/memberOf?$select=extension_{{APP_ID_WITHOUT_GUIDS}}_SomeId,extension_{{APP_ID_WITHOUT_GUIDS}}_SomeValue
However, what if I wanted to see all extensions the token had particular access to? $select=extension_* does not work; I get the following:
{
  "error": {
    "code": "BadRequest",
    "message": "Term 'extension_*' is not valid in a $select or $expand expression.",
    "innerError": {
      "request-id": "3b4e14d6-3bbc-429b-8c45-b0fea629f4a6",
      "date": "2018-04-06T13:35:40"
    }
  }
}
Is there syntax to make this possible?

No, this isn't possible with Microsoft Graph (using v1 Directory Schema Extensions). With Azure AD Graph API there is a function - getAvailableExtensionProperties - that should return all the available v1 directory schema extensions available in the tenant; this doesn't exist in Microsoft Graph. If you use Microsoft Graph schema extensions, you can query /schemaExtensions to find all public schema extension definitions available for use in any tenant (although your app also needs to have been granted access to the underlying extended object - like user).
Hope this helps,

Unable to extend schema within a verified sub domain directory

I live in an enterprise environment where most of our production domains are currently non-routable (e.g. .local).
I tried extending the schema, but the non-routable domain cannot be verified, and I don't think the default .onmicrosoft one could either. My enterprise allows me to easily create subdomains, so I attached one and verified it for testing purposes and ran into the same verified domain error.
Per the documentation, I should be able to either use the ID of my domain name or just the schema name and get 8 random-alpha-chars added. Neither approach works in this case.
POST: https://graph.microsoft.com/v1.0/schemaExtensions
{
  "id": "idmdomain.sub.domain.net_Owners",
  "description": "Owners of the group",
  "targetTypes": [
    "Group"
  ],
  "properties": [
    {
      "name": "PrimaryOwners",
      "type": "String"
    },
    {
      "name": "SecondaryOwners",
      "type": "String"
    }
  ]
}
Message Received:
{
  "code": "BadRequest",
  "message": "Your organization must own the namespace idmdomain.sub.domain.net as a part of one of the verified domains.",
  "request-id": "1c7363f9-d54b-408a-8b29-2c0d2a94280a",
  "date": "2018-03-22T21:47:22"
}

From the documentation:
If you already have a vanity .com,.net, .gov, .edu or a .org domain that you have verified with your tenant, you can use the domain name along with the schema name to define a unique name, in this format {domainName}_{schemaName}.
For example, if your vanity domain is contoso.com, you can define an id of, contoso_mySchema. This is the preferred option.
So in your example, idmdomain.sub.domain.net_Owners should simply be domain_Owners. It shouldn't include idmdomain, sub, net or any ..

Thank you, Marc, for pointing me in the correct direction. Even though my app had the correct delegated permissions (Directory.AccessAsUser.All), I now understand that I needed to execute this change in the user context instead of application, as application is not supported.
For those that come behind me: {domainName}_{schemaName} works if you validate your domain; if you don't and you just leave the schema name, then the generated GUID works as documented. I recommend reviewing the two links below, as they were what finally unlocked the puzzle for me.
Helped me understand how this is working (authentication vs authorization)
https://developer.microsoft.com/en-us/graph/docs/concepts/rest
Helped me set up Postman to quickly validate
https://blogs.msdn.microsoft.com/softwaresimian/2017/10/05/using-postman-to-call-the-graph-api-using-azure-active-directory-aad/
I should add, for the Postman route, a few changes...
Auth URL
https://login.microsoftonline.com/yourtennantid/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com
Access Token URL
https://login.microsoftonline.com/yourtennantid/oauth2/token
Scope = Directory.AccessAsUser.All

AccessDenied: Required claim values are not provided when accessing education/users endpoint

I'm unable to access the education/users endpoint but I am able to access other endpoints (education/classes, education/schools).
Whenever I try to get a list of all users, I get the following error:
{
  "error": {
    "code": "AccessDenied",
    "message": "Required claim values are not provided.",
    "innerError": {
      "request-id": "58c42204-440a-482c-b1e9-4c65bb413ed1",
      "date": "2018-03-21T20:23:24"
    }
  }
}
When I try to make the call using the Graph Explorer, I'm given the following notice:
Failure - Status Code - Looks like you may not have the permissions for this call. Please modify your permissions.
Unfortunately, I get the same error after modifying my permissions.
If anyone has any idea why this might be happening, I would be very grateful for the help.

For app+user (delegate) permissions, the only supported scope for the /education/users collection on MSGraph is EduRoster.ReadBasic.
This supports getting an individual user's information, or information on lists of users within classes of which you are a member, but does NOT support browsing the entire set of users in a tenant, as it is deliberately a restricted scope.
If you need more than this, you would need to use app-only permissions, and sync the users into your own data store with EduRoster.Read.All, which would allow you to get all of the users.
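
Both Microsoft Graph threads above turn on whether the token is delegated (app+user) or app-only and which permission it carries. This added example, not part of the original posts, inspects an Azure AD access token's claims to tell the two apart; it assumes the token is a JWT with `scp` or `roles` claims, and the helper names, operation labels and sample tokens are constructed.

```python
import base64
import json

# Token kind and permission each call needs, as stated in the threads above.
REQUIREMENTS = {
    "list all /education/users": ("app-only", "EduRoster.Read.All"),
    "read one /education/users entry": ("delegated", "EduRoster.ReadBasic"),
    "POST /schemaExtensions": ("delegated", "Directory.AccessAsUser.All"),
}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; troubleshooting aid only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def token_kind(claims):
    """Delegated tokens list scopes in 'scp'; app-only tokens use 'roles'."""
    if claims.get("scp"):
        return "delegated", set(claims["scp"].split())
    if claims.get("roles"):
        return "app-only", set(claims["roles"])
    return "unknown", set()


def explain(token, operation):
    """Say why a token would or would not satisfy an operation's needs."""
    need_kind, need_perm = REQUIREMENTS[operation]
    kind, granted = token_kind(jwt_claims(token))
    if kind != need_kind:
        return "wrong token kind: have %s, need %s" % (kind, need_kind)
    if need_perm not in granted:
        return "missing permission: %s" % need_perm
    return "ok"


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (seg({"alg": "none"}), seg(claims))


if __name__ == "__main__":
    user_token = make_unsigned_jwt({"scp": "EduRoster.ReadBasic User.Read"})
    print(explain(user_token, "list all /education/users"))
```

Adding a broader permission to the app registration does not change the result when the token kind is wrong, which matches the "same error after modifying my permissions" symptom in the question.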

Autodesk Forge BIM 360 API - Activating Service Types

We have been using the Forge API to automatically set up projects in BIM 360, but seem unable to find a way to automatically activate a Service (Field, Glue, etc.).
Intuitively, I would have thought that the "service_types" attribute would be the way to do this, but the services are not activating.
1) What does the "service_types" attribute actually do?
2) If possible, how do we activate a project Service using the Forge API (Most specifically Field)?
Thank you kindly,

Re. #1
Your understanding of service_type is correct.
Re. #2
Could you try the below after you create a project?
https://developer.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-users-POST/
e.g., with the body like this:
{
  "role": "project_admin",
  "service_type": "field",
  "company_id": "77e4444e-5dad-46a2-ad29-555cc00452a0",
  "email": "my.name@autodesk.com"
}
I verified that having service_type in project creation itself does not have an effect. And the documentation is a little confusing. But if you use the above method, it works. Note that you need to have a Field license with your account.
There is also a tutorial page:
https://developer.autodesk.com/en/docs/bim360/v1/tutorials/activate-service/