RBAC service errors

RBAC API error responses can be formatted as ctext/html or JSON objects.

Error response format

RBAC API error responses can use the following keys:

Key Definition
kind The kind of error encountered.
msg A human-readable message associated with the error.

For error responses formatted as text/html, the body is the contents of this key.

details Additional, potentially machine-readable, information about the error condition.

General error responses

RBAC API endpoints that accept a JSON body might return these responses.

Response Response code Description
malformed-request 400 The submitted data is not valid JSON. The details key contains an error message from the JSON parser.
schema-violation 400 The submitted data has an unexpected structure, such as invalid fields or missing required fields. The msg key describes the problem, and the details key is an object containing:
  • submitted: The submitted data as it was seen during schema validation.
  • schema: The expected structure of the data.
  • error: A structured description of the error.
inconsistent-id 400 ID data in the request body doesn't match the ID in the request's URI path. The details key shows the two IDs.
invalid-id-filter 400 The request's URI path contains a filter on the ID with an invalid format. No details are given with this error.
invalid-uuid 400 An invalid UUID was submitted. No details are given with this error.
user-unauthenticated 401 An unauthenticated user attempted to access an endpoint that requires authentication.
user-revoked 401 A revoked user attempted to access an endpoint that requires authentication.
api-user-login 401 A person attempted to log in as the api_user with a password. The api_user does not support username/password authentication.
remote-user-conflict 401

A remote user who is not yet known to RBAC attempted to authenticate, but a local user with the same login already exists.

The solution is to change either the local user's login in RBAC, or to change the remote user's login. To change the remote user's login you can either change the user_lookup_attr in the DS settings or change the value in the directory service itself.

permission-denied 403 A user attempted an action that they are not permitted to perform.
admin-user-immutable

admin-user-not-in-admin-role

default-roles-immutable

403 A user attempted to edit metadata or associations belonging to the default user roles or default users (admin or api_user) that they are not allowed to change.
conflict 409 You submitted a value for a field that is supposed to be unique, but another object already has that value. For example, when you attempt to create a user with the same login as an existing user.
invalid-associated-id 422 An object was submitted with a list of associated IDs (for example, user_ids) and one or more of those IDs does not correspond to an object of the correct type.

no-such-user-LDAP

no-such-group-LDAP

422 An object was submitted with a list LDAP user or group IDs, and one or more of those IDs does not correspond to an existing LDAP user or group.
non-unique-lookup-attr 422 A login was attempted, but LDAP found multiple users with the given username. Your directory service settings must use a user_lookup_attr that is guaranteed to be unique within the provided user's RDN.
server-error 500 Occurs when the server throws an unspecified exception. A message and stack trace are usually available in the logs.