400 error - SecurityBusinessLogicFetchPermissionsUserMappingDoesNotExist in our logs

We have been getting a number of errors appearing in our logs for calls made to the constituent search endpoint. The error name given is SecurityBusinessLogicFetchPermissionsUserMappingDoesNotExist. When I google this I get one single result pointing to SKY Add-ins Single Sign-on (SSO) but this has nothing to do with addins (what is more I cannot see any reference to that error name on that page).

Here is an example of the text I get in our logs (I have doctored it a little to anonymise it slightly):

2022/07/20 01:28:41.661 WARN - NXT unsuccessful response. Status Code: 400 Content: [{"message":"No user mapping exists for user identifier 8da1d4f1-e52c-xxxxx and tenant 333917d4-ebf9-xxxxxx","error_name":"SecurityBusinessLogicFetchPermissionsUserMappingDoesNotExist","error_code":25002,"raw_message":"No user mapping exists for user identifier {0} and tenant {1}.","error_args":["8da1d4f1-e52c-xxxxx","333917d4-ebf9-xxxxx"]}] Uri: https://api.sky.blackbaud.com//constituent/v1/constituents/search?search_text=user@example.com&include_inactive=true&strict_search=false&offset=0&count=500 Method: GET

Anybody seen this before?

Anybody from Blackbaud care to comment on what is going on here?

Thanks

Comments

  • Anthony Gallo (Blackbaud Employee)

    @David Zeidman
    I think for errors like this we need to have the engineering folks take a deeper dive. We have been working with support so that they are able to triage errors in the API and get them sent our way. If you do not already have a ticket with them, I would point you in that direction to get more answers.

  • Thanks Anthony, I have created a ticket in support

  • Chris Rodgers (Blackbaud Employee)

    Hey @David Zeidman, you are seeing this error response because the user's account is no longer active in the given Blackbaud Environment. Our team has been recently discussing this scenario, and I wanted to verify whether that was the case here, and it is. Our team has proposed a change to revoke a user's refresh tokens for a given Blackbaud Environment when their access is removed. If we make this change, the refresh token will be revoked, and you will receive a 400 response from the https://oauth2.sky.blackbaud.com/token request with a standard invalid_grant error. So this validation would happen upstream of any SKY API request.

    {
    "error": "invalid_grant",
    "error_description": "The authorized user no longer has access to this Blackbaud Environment."
    }

    * The proposed error_description is subject to change.

    We think this is the appropriate behavior, but let me know if this would be a problem for your application to handle. Your handling of the error will depend on the function it is performing. If your application is performing an offline sync operation and you rely on this particular user authorization for that particular environment, you'll need to contact your customer to have them re-authorize your application with another user or have them restore the previous user's access.

    If your application is user-interactive, you may need to remove that user's access to your application's representation of the Blackbaud environment or ask the user to authorize your application for another environment.

  • Hi @Chris Rodgers, thanks for that explanation. That makes sense.

    As far as I am concerned it would be much better to have this error further upstream. We do a check to ensure that we have a valid access token and then refresh token at regular intervals before we process the data. To get an appropriate message at that stage would be much better.
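The following is an added example, not code from this thread or from Blackbaud, of a refresh routine that treats both signals discussed above as "the user's access has been revoked": today's 400 from a SKY API call carrying error_name SecurityBusinessLogicFetchPermissionsUserMappingDoesNotExist (error_code 25002), and the proposed 400 invalid_grant from https://oauth2.sky.blackbaud.com/token. Both are mapped to one outcome so the integration stops retrying a dead grant and records that the customer must re-authorize. The Grant dataclass, the injected post callable and the fake_post_* stand-ins are assumptions made for illustration; the sample response bodies are constructed from the text quoted in the thread and contain no real tokens.

```python
"""Defensive handling of a revoked Blackbaud user grant (added example)."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

TOKEN_URL = "https://oauth2.sky.blackbaud.com/token"  # quoted in the thread
USER_MAPPING_MISSING = "SecurityBusinessLogicFetchPermissionsUserMappingDoesNotExist"
USER_MAPPING_MISSING_CODE = 25002

# Outcomes handed back to the sync/interactive layer
OK = "ok"
REAUTHORIZE = "reauthorize_required"  # grant is dead; retrying will not help
TRANSIENT = "transient"               # 5xx etc.; safe to retry later
CLIENT_ERROR = "client_error"         # other 4xx; inspect, do not blindly retry


@dataclass
class Grant:
    """Per-environment authorization state (hypothetical storage shape)."""
    tenant_id: str
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0
    needs_reauth: bool = False


def classify_token_response(status: int, body: str) -> str:
    """Map a token-endpoint response to an outcome (proposed upstream behaviour)."""
    if status == 200:
        return OK
    if status == 400:
        try:
            err = json.loads(body).get("error")
        except (ValueError, AttributeError):
            err = None
        # invalid_grant = refresh token revoked/expired: only re-authorization fixes it
        return REAUTHORIZE if err == "invalid_grant" else CLIENT_ERROR
    return TRANSIENT if status >= 500 else CLIENT_ERROR


def classify_sky_api_response(status: int, body: str) -> str:
    """Map a SKY API response to an outcome; today the revoked user surfaces here."""
    if 200 <= status < 300:
        return OK
    if status == 400:
        try:
            errors = json.loads(body)
        except ValueError:
            errors = []
        if isinstance(errors, dict):
            errors = [errors]
        for e in errors:
            if (e.get("error_name") == USER_MAPPING_MISSING
                    or e.get("error_code") == USER_MAPPING_MISSING_CODE):
                return REAUTHORIZE
        return CLIENT_ERROR
    return TRANSIENT if status >= 500 else CLIENT_ERROR


def refresh_access_token(grant: Grant,
                         post: Callable[[str, dict], Tuple[int, str]],
                         now: Callable[[], float] = time.time) -> str:
    """Refresh when the access token is missing or expires within 60 s.
    `post(url, form)` returns (status, body_text); injected so this runs offline."""
    if grant.needs_reauth:
        return REAUTHORIZE  # never touch the token endpoint with a known-dead grant
    if grant.access_token and grant.expires_at - now() > 60:
        return OK
    status, body = post(TOKEN_URL, {"grant_type": "refresh_token",
                                    "refresh_token": grant.refresh_token})
    outcome = classify_token_response(status, body)
    if outcome == OK:
        tok = json.loads(body)
        grant.access_token = tok["access_token"]
        grant.refresh_token = tok.get("refresh_token", grant.refresh_token)
        grant.expires_at = now() + float(tok.get("expires_in", 3600))
    elif outcome == REAUTHORIZE:
        # Drop the dead grant and flag the environment for the customer to re-authorize
        grant.access_token = grant.refresh_token = None
        grant.needs_reauth = True
    return outcome


# --- constructed sample responses (from the thread's quoted text; no real tokens) ---
SAMPLE_SKY_400 = json.dumps([{
    "message": "No user mapping exists for user identifier 8da1d4f1-e52c-xxxxx "
               "and tenant 333917d4-ebf9-xxxxxx",
    "error_name": USER_MAPPING_MISSING, "error_code": USER_MAPPING_MISSING_CODE,
    "raw_message": "No user mapping exists for user identifier {0} and tenant {1}.",
    "error_args": ["8da1d4f1-e52c-xxxxx", "333917d4-ebf9-xxxxx"]}])
SAMPLE_INVALID_GRANT = json.dumps({
    "error": "invalid_grant",
    "error_description": "The authorized user no longer has access to this Blackbaud Environment."})


def fake_post_revoked(url: str, form: dict) -> Tuple[int, str]:
    """Stand-in for the token endpoint after the refresh token has been revoked."""
    return 400, SAMPLE_INVALID_GRANT


def fake_post_ok(url: str, form: dict) -> Tuple[int, str]:
    """Stand-in for a successful refresh."""
    return 200, json.dumps({"access_token": "CONSTRUCTED-ACCESS",
                            "refresh_token": "CONSTRUCTED-REFRESH-2", "expires_in": 3600})


if __name__ == "__main__":
    live = Grant(tenant_id="333917d4-ebf9-xxxxx", refresh_token="CONSTRUCTED-REFRESH")
    print(refresh_access_token(live, fake_post_ok))            # ok
    gone = Grant(tenant_id="333917d4-ebf9-xxxxx", refresh_token="CONSTRUCTED-REFRESH")
    print(refresh_access_token(gone, fake_post_revoked))       # reauthorize_required
    print(classify_sky_api_response(400, SAMPLE_SKY_400))      # reauthorize_required
```

Running the pre-sync token check this way gives the same outcome whether the revocation is reported upstream by the token endpoint or, as now, only by the first SKY API call, and the needs_reauth flag prevents a scheduled job from hammering the token endpoint with a grant that can never be refreshed.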

  • Chris Rodgers (Blackbaud Employee)

    Thanks for the feedback, @David Zeidman. We should be taking this up in the next couple weeks.
