Issue
Symptoms
When an outbound REST request is executed using RESTMessageV2 via a MID server as a user with the snc_read_only role, it fails with the following error:
Security restricted: access for table: ecc_queue, user: abel.tuter, operation: create -- from class: ReadOnlyRoleAccessHandler
REST Msg Outbound - ECCRESTResponse : Error while evaluating the XPATH Expression against response: org.apache.axiom.om.OMException: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog at [row,col {unknown-source}]: [1,0]:
org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:297)
org.apache.axiom.om.impl.dom.DocumentImpl.getOMDocumentElement(DocumentImpl.java:446)
org.apache.axiom.om.impl.dom.DocumentImpl.getDocumentElement(DocumentImpl.java:458)
com.glide.rest.outbound.ecc.ECCRESTResponse.getNodeList(ECCRESTResponse.java:252)
com.glide.rest.outbound.ecc.ECCRESTResponse.extractHeaders(ECCRESTResponse.java:215)
com.glide.rest.outbound.ecc.ECCRESTResponse.processResponse(ECCRESTResponse.java:176)
com.glide.rest.outbound.ecc.ECCRESTResponse.fetchAndProcessEccResponse(ECCRESTResponse.java:246)
com.glide.rest.outbound.ecc.ECCRESTResponse.getBody(ECCRESTResponse.java:135)
Release
Applicable to all releases
Cause
Because the REST message is sent via the MID server, a RESTProbe ecc_queue record is supposed to be created for the MID server to process the request. The creation of this record fails because the user has the snc_read_only role and does not have permission for the 'create' operation on the ecc_queue table.
Resolution
To let users with the snc_read_only role execute RESTMessageV2 requests via the MID server, create the following property:
Name: glide.security.snc_read_only_role.tables.exempt_create
Type: string
Value:
sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth, ecc_queue
This allows the 'create' operation to succeed on the ecc_queue table even though the user has the snc_read_only role.
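
The following is an added example, not ServiceNow code and not part of the original article: a standalone JavaScript helper that reads ReadOnlyRoleAccessHandler denial lines and proposes the smallest change to the exempt_create property value. It assumes the current value is the article's list without ecc_queue; the second log line and all function names are constructed for illustration.

```javascript
// Added example: plain JavaScript, uses no ServiceNow (Glide) APIs.
// Constructed sample log: line 1 is the denial quoted in this article,
// line 2 is a constructed 'write' denial in the same format.
const SAMPLE_LOG = [
  "Security restricted: access for table: ecc_queue, user: abel.tuter, operation: create -- from class: ReadOnlyRoleAccessHandler",
  "Security restricted: access for table: incident, user: abel.tuter, operation: write -- from class: ReadOnlyRoleAccessHandler",
  "REST Msg Outbound - ECCRESTResponse : Error while evaluating the XPATH Expression against response",
];

// Assumed current property value: the article's list without ecc_queue.
const CURRENT_VALUE =
  "sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, " +
  "sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth";

const DENIAL_RE =
  /Security restricted: access for table: ([^,\s]+), user: ([^,\s]+), operation: (\w+) -- from class: ReadOnlyRoleAccessHandler/;

// Extract {table, user, operation} from every read-only-role denial line.
function parseDenials(lines) {
  const out = [];
  for (const line of lines) {
    const m = DENIAL_RE.exec(line);
    if (m) out.push({ table: m[1], user: m[2], operation: m[3] });
  }
  return out;
}

// Split the comma-separated property value into trimmed table names.
function parseExemptList(value) {
  return value.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
}

// Propose a new value: append only tables denied for 'create' that are not
// already exempt. Denials for other operations are reported, never exempted,
// because this property only covers 'create'.
function proposeExemptCreate(currentValue, lines) {
  const exempt = parseExemptList(currentValue);
  const added = [];
  const notCovered = [];
  for (const d of parseDenials(lines)) {
    if (d.operation !== "create") notCovered.push(d);
    else if (!exempt.includes(d.table) && !added.includes(d.table)) added.push(d.table);
  }
  return { added, notCovered, value: exempt.concat(added).join(", ") };
}

console.log(proposeExemptCreate(CURRENT_VALUE, SAMPLE_LOG));
```

Review the `added` list before changing the property, so that only tables a read-only user genuinely needs to create records in are exempted.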