401 error:

Hi all, ran into this with some schools that I'm pulling Advanced Lists for.

This call works for some schools but fails for others:

https://api.sky.blackbaud.com/school/v1/lists/advanced/123456

For the failing schools, we get back this:

{"errors":[{"message":"You do not have access to this route.","error_code":401,"error_name":"ServiceClientException","raw_message":"You do not have access to this route."}]}

The auth token, subscription ID, etc. are included. We use an account specific to the school for each school. The account is supposed to be set up with the Platform Manager role. Most tasks are unchecked except for reporting- and list-related tasks.

From the error message, I guess the permissions must be wrong for the failing schools…but it's not clear how exactly they're different from the successful schools or how to troubleshoot which are missing.

The documentation for that lists API endpoint lists a lot of roles that should have permissions. The user accounts we're using should all have at least one of those roles (Platform Manager).

I'm curious how we can troubleshoot this and whether anyone else has solved this.

Comments

  • Stephen Boyle (Blackbaud Employee)

    @Eric Eskildsen
    Another place that needs to have the right access in addition to the user is the list itself. “The requested list must have access permissions enabled for a role listed below or the user requesting the list needs read permission to that list.”

    Not sure that helps you, but it is something to check.

  • @Stephen Boyle Thanks for the reply. Makes sense, and yes, the accounts we're using have read/write permissions on the lists. We can log in to the UI with those credentials, navigate to the advanced lists page, and edit or run the lists. We just can't access them through the API for certain schools.

    I tried a few other endpoints for the problem schools, and everything returns that same error code. At first I did a double take to see if the account was for a different tenant, but there's apparently a different error message for that.

  • Brian Gray (Community All-Star)

    @Eric Eskildsen - The list itself must also have permission to be accessed via the API.

    On the page showing all of the lists, click on Role Access to the right of the list you want to read via the API.

    On the page that loads, scroll to the bottom of the list of roles. Grant Run permission for Web Services API Manager. Scroll to the top of the page and save.

    That should allow the list to be read from the API.

  • @Brian Gray Thanks Brian. No luck with that route. I tried adding all the roles on that screen, including Web Services API Manager. The list now says, “Role Access (106).” :) Still getting the same error with the API call. For one of the working schools, the lists all have “Role Access (0)” and “User Access (0).”

    I confirmed that in both the working and nonworking schools, the accounts we're using have Platform Manager as their base roles. Now confirming what tasks are checked for each.

  • We found a workaround: adding the Sky API Platform Manager task. That makes the 401s go away.

    Edit: It looks like we could also do this through a combination of roles, e.g., Sky API Basic or Sky API Data Sync + the other roles the user needs to manage the advanced lists in the front end, but we haven't tested that yet.
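
Added example, not part of the thread and not Blackbaud code: a small triage helper that parses the 401 body quoted in the original post and applies the reasoning the thread arrived at, namely that a school where every probed route is denied points at the API user's roles and tasks, while a school where only the list route is denied points at access on the list itself. The school names, the second route and all response data are constructed placeholders, and the two-way classification is an assumption drawn from this thread rather than documented API behaviour.

```python
import json

# Message and code from the 401 body quoted in the original post.
ROUTE_DENIED = "You do not have access to this route."

def is_route_denied(status, body):
    """True when a response matches the 401 error envelope from the thread."""
    if status != 401:
        return False
    try:
        errors = json.loads(body).get("errors") or []
        return any(
            isinstance(e, dict)
            and e.get("error_code") == 401
            and e.get("message") == ROUTE_DENIED
            for e in errors
        )
    except (ValueError, AttributeError, TypeError):  # not JSON, or wrong shape
        return False

def triage(probes):
    """probes: {school: {route: (status, body)}} -> {school: verdict}."""
    verdicts = {}
    for school, routes in probes.items():
        denied = [r for r, (status, body) in routes.items()
                  if is_route_denied(status, body)]
        if not denied:
            verdicts[school] = "ok"
        elif len(routes) < 2:
            # One denied route cannot separate the two causes.
            verdicts[school] = "inconclusive: probe a second route"
        elif len(denied) == len(routes):
            verdicts[school] = "account-level: review the API user's roles and tasks"
        else:
            verdicts[school] = "route-level: review access on " + ", ".join(sorted(denied))
    return verdicts

# Constructed sample data; school names and the second route are placeholders.
DENIED_BODY = json.dumps({"errors": [{"message": ROUTE_DENIED, "error_code": 401,
    "error_name": "ServiceClientException", "raw_message": ROUTE_DENIED}]})
LIST_ROUTE = "/school/v1/lists/advanced/123456"
OTHER_ROUTE = "/school/v1/<second-route-placeholder>"
SAMPLE = {
    "school-a": {LIST_ROUTE: (200, "{}"), OTHER_ROUTE: (200, "{}")},
    "school-b": {LIST_ROUTE: (401, DENIED_BODY), OTHER_ROUTE: (401, DENIED_BODY)},
    "school-c": {LIST_ROUTE: (401, DENIED_BODY), OTHER_ROUTE: (200, "{}")},
    "school-d": {LIST_ROUTE: (401, DENIED_BODY)},
}

if __name__ == "__main__":
    for school, verdict in triage(SAMPLE).items():
        print(school, "->", verdict)
```

Feeding it the status and body recorded for each school's service account gives a per-tenant view of which accounts need their role or task assignments reviewed before anyone widens access on individual lists.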