[SalesForce] Marketing Cloud API Request “Account/User not authorized for operation”

I've been trying to run this request to create a contact

POST /contacts/v1/contacts HTTP/1.1
Host: DOMAINHERE.rest.marketingcloudapis.com
Content-Type: application/json
Authorization: Bearer ACCESS TOKEN HERE
cache-control: no-cache
{
"contactKey": "example@salesforce.com",
"attributeSets": [{
"name": "Email Addresses",
"items": [{
"values": [{
"name": "Email Address",
"value": "example@salesforce.com"
},
{
"name": "HTML Enabled",
"value": true
}]
}]
}]
}------WebKitFormBoundary7MA4YWxkTrZu0gW--

I checked my permissions and I have API access checked off, I checked the access on the installed package as well and it should be open. My user account is also an API enabled user. This is not to be confused with the "Not Authorized" error code.
This is the exact error message I get:

"Account / User not authorized for operation."

Any idea what is causing this problem?

Best Answer

So the resolution on this issue:

On the token request, user was passing scope, which trumped the scope provided to the Installed Package.

In the future the correct scope should be passed in the token call to complete the downstream call. Or scope should be omitted to default to scope granted to the installed package

Related Solutions

[SalesForce] User not authorized error

This isn't going o directly answer the permissions question, however, will explain how to do this in a more secure method.

The original method to interact with SOAP API used a plain text authentication:

   <s:Header>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <o:UsernameToken u:Id="uuid-2517ad18-a6e9-4f38-98a9-184b30a59fb9-1">
            <o:Username>XXXXX</o:Username>
            <o:Password>XXXXX</o:Password>
         </o:UsernameToken>
      </o:Security>
   </s:Header>

This is somewhat insecure, and also takes up a user in your account.

With the newer method, you now can create an app in the Marketing Cloud "App Center" and authenticate against a REST authentication service, providing much better security.

You can read more about the process here - http://code.exacttarget.com/apis-sdks/soap-api/using-app-center-to-get-an-api-key.html

You will most likely just create an API Integration

API Integrations allow you to leverage the Marketing Cloud APIs. Create an API Integration app when you want to use Fuel APIs to automate tasks or integrate business systems. API Integration apps utilize an OAuth2 client credentials flow to acquire access tokens directly from the Fuel authentication service.

You would then use the following SOAP header (adding any required namespaces).

<Header>  
    <fueloauth xmlns="http://exacttarget.com">YOURACCESSTOKEN</fueloauth>
</Header>

I have a post that explains the entire process in more detail here - http://kellyjandrews.com/using-fuel-oauth2-with-the-soap-api/

[SalesForce] How to get a standard object by standard field with rest api

You can do that only if you are using a External Id, AccountId is not. What you can do it to make a simple query (doc):

Endpoint

/services/data/v32.0/query/?q=SELECT+Id%2C+FirstName%2C+LastName+FROM+Contact+WHERE+AccountId+%3D+%2700128000002lyIm%27

Best Answer

Related Solutions

[SalesForce] User not authorized error

[SalesForce] How to get a standard object by standard field with rest api

Related Topic