Extract each element in array as input in servicecallout policy

I have a requirement where i need to get all the user roles in my org and then get users in each role.Below is the expected response .

{ "Role": "xyz", "Users": { "a","b" }

I created a proxy with target url as management api to get all roles and added JS policy.

var userroles = []

userroles=context.getVariable("response.content");

for(var i = 0 ;i < userroles.length; i++)

{ print("userroles are " + userroles[i]) }

Now i want to use each userrole in different policy,how can that be done

Solved Solved
0 15 490
1 ACCEPTED SOLUTION

Now i want to use each userrole in different policy,how can that be done

What do you mean by this? I think you want to query the list of users for each role in the system.

That's not a good use case for Apigee, or for the JS callout. The JS callout can send an HTTP request outbound, but there are limitations. For example, there is a maximum time that a JS policy will execute.

It feels to me, that a better way to do this is just to write a script (nodejs, bash, powershell, etc) that does the work for you, and run that script.

The logic is

  • get the list of roles
  • for each role: get the users in the role

?

View solution in original post

15 REPLIES 15

Not applicable

It's not a good practice to use management api in your proxy call. But if its the requirement then you can get the users for each role or all roles using the management api call. Below is the link.

https://apidocs.apigee.com/management/apis/get/organizations/%7Borg_name%7D/userroles/%7Brole_name%7...

Then you can use in javascript.

Yes Priyadarshi, i have done this using postman scripts in collection.But the requirement is do do this through APIGEE proxy

Now i want to use each userrole in different policy,how can that be done

What do you mean by this? I think you want to query the list of users for each role in the system.

That's not a good use case for Apigee, or for the JS callout. The JS callout can send an HTTP request outbound, but there are limitations. For example, there is a maximum time that a JS policy will execute.

It feels to me, that a better way to do this is just to write a script (nodejs, bash, powershell, etc) that does the work for you, and run that script.

The logic is

  • get the list of roles
  • for each role: get the users in the role

?

Yes @Dino-at-Google ,i want to query list of users in each role.But i guess if i iterate the roles in js policy,only last value of role can be used in service callout policy for calling management api to get the users.

Also i tried to pass the role in APIGEE url,extract the role in extract message policy and then use that role as variable in service callout to call managemnt API to get users in that role .But now i am getting below error as the target url set in service callout policy expects a bearer token

{ "fault": { "faultstring": "Execution of ServiceCallout Service-Callout-1 failed. Reason: ResponseCode 401 is treated as error", "detail": { "errorcode": "steps.servicecallout.ExecutionFailed" } } }


Not sure on how to pass bearer token in service callout policy

i guess if i iterate the roles in js policy,only last value of role can be used in service callout policy for calling management api to get the users.

I think you are saying, "Only ONE role can be queried in a ServiceCallout policy". And that's correct. It's a characteristic of the Administrative API - the Admin API lets you query the users in a single role at a time.

Not sure on how to pass bearer token in service callout policy

A Bearer token is something you normally pass in the Authorization header. So you need to set the authorization header in the SC policy. Something like this:

<ServiceCallout name='SC-1'>
  <Request variable='myRequest'>
        <Set>
           <Headers>
             <Header name='Authorization'>Bearer {token_here}</Header>
           </Headers>
         <Verb>GET</Verb>
         <Path>/v1/o/{orgname}/userroles/{role}/users</Path>
      </Set>
  </Request>
  <Response>myResponse</Response>
   ...

Thank you Dino for your quick response.

As suggested by you, i have added below configuration in SC-policy.

<Headers> <Header name="Authorization">request.header.Authorization</Header> </Headers>

i am using postman to call the API and i pass bearer token in postman authorization header.

But i still get the 401 error

when you are doing postman call use header Authorization and value as Bearer <bearer_token>

It should look like

'Authorization: Bearer ##############'

Yes done in same way.

can you try a direct call to your service callout url from postman using the same request bypassing Apigee? Need to understand the actual request to the callout.

My management call uses Basic Authorization as this is the default. Have you enabled Bearer token for management calls?

Yes Priyadarshi,we have enabled bearer token,and direct call to the api gives proper response

then try to replicate the same request to the service callout. Compare both the requests and see what is the difference.

yes, this.

Check:

  • the URL, including scheme, host, and path
  • the verb (POST vs GET etc)
  • any query parameters
  • ALL headers including the Authorization header and the Accept header
  • payload, if any

You want to configure the ServiceCallout so that it duplicates the entire call. You've checked the Authorization header. Now check everything else.

Amruta, it should NOT be

<Headers>
  <!-- THIS WILL NOT WORK -->
  <Header name="Authorization">request.header.Authorization</Header>
</Headers>

It should be like this:

<Headers>
  <!-- Surround the variable in curly braces -->
  <Header name="Authorization">{request.header.Authorization}</Header>
</Headers>

The curly braces are important.

Thank you very much Dino 🙂 Getting 200 response now!

EXCELLENT. Glad it's working for you now.