Rest API "From" input permission

Hi,

We are using the REST API. We are trying to use the “From” input in Create or Update Incident requests. The following is the parameter I am asking about: [image]

We tried to give the stakeholder user in “from” input and made the request with the admin user’s token, but it did not reflect the stakeholder user in the timeline.

But if I generate the token with API Access and use that token in request and provide the Stakeholder user in “From” then created incident contains user which is created with Stakeholder.

So does this mean the “From” input is reflected when an API Access token is used, not a user token?

Regards,
Sonal

Hello,

To confirm, what were you trying to do with the Stakeholder? Please do remember there are limitations on what Stakeholders can do.

John

Here I am taking an example; we can take another user rather than a stakeholder and the behavior is the same. It worked with the API Access token, not the user token. So does this mean the “From” input is reflected when an API Access token is used, not a user token?

Regards,
Sonal

Hi Sonal,

Stakeholder users are not intended to be able to Create or Update incidents. If you are able to achieve creating or updating an incident using a stakeholder’s email address in the From parameter, this is unintentional behavior.

I was just able to reproduce creating an incident using a Stakeholder’s email address in the From parameter using a Global REST API token, which should not be able to be done due to stakeholders not being intended to have that permission and not having that permission in the Web UI.

I will report this bug to the team. Thank you for reporting it for us!

Here, even though we can take another user, if I take a responder user in “From”, that also gets reflected when an API Access token is used; it is not reflected when a User API Token is used. Any user is reflected when an API Access Token is used, not a User API Token. Why does this happen?

Regards,
Sonal

@sonal,

When you use a personal user token, it is linked to the user so that field does not count. But the API Token is linked to account so the From is required to account for who made the change.
You would note that the Incident would reflect as being assigned to the owner of the Personal Token.
I hope that helps.

Cheers,

Does this mean this will reflect when API Access token is used? Can you explain with some example?

As per our REST API Overview:

**From:** the email address of the user to record as having taken the action. Should be used when creating a user or when performing Incident Creation in the REST API.

E.g.

```bash
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'From: test@test.com' --header 'Authorization: Token token=' -d 'test' 'https://api.pagerduty.com/incidents'
```

Let us know if you have any further questions.
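
The token behaviour described in this thread, as an added example that is not part of the original posts or PagerDuty's own code: an integration holding an account-level token checks the From address against its own role list before sending, because with that token the API records whoever From names. The directory, role labels, addresses and function names are assumptions made for the example.

```python
# Added example. DIRECTORY, the role labels and the addresses are constructed
# for illustration; they are not PagerDuty API values.
DIRECTORY = {
    "admin@example.com": "admin",
    "responder@example.com": "responder",
    "stakeholder@example.com": "stakeholder",
}
MAY_CREATE_INCIDENTS = {"admin", "responder"}


class FromNotAllowed(Exception):
    """Raised when the acting user must not create or update incidents."""


def effective_actor(token_kind, token_owner, from_email):
    """Return the user the action will be attributed to.

    Per the thread: a personal user token is linked to its owner, so From
    does not count; an account-level token has no owner, so From decides.
    """
    if token_kind == "user":
        return token_owner.strip().lower()
    if token_kind == "account":
        if not from_email:
            raise FromNotAllowed("account-level token requires a From address")
        return from_email.strip().lower()
    raise ValueError(f"unknown token kind: {token_kind!r}")


def incident_headers(token, token_kind, token_owner, from_email,
                     directory=DIRECTORY):
    """Build request headers, refusing actors whose role may not act."""
    actor = effective_actor(token_kind, token_owner, from_email)
    role = directory.get(actor)  # unknown addresses yield None and are refused
    if role not in MAY_CREATE_INCIDENTS:
        raise FromNotAllowed(f"{actor} (role={role}) may not create incidents")
    return {
        "Content-Type": "application/json",
        "Accept": "application/vnd.pagerduty+json;version=2",
        "Authorization": f"Token token={token}",
        # Always send the resolved actor so the header never disagrees
        # with the user the incident timeline will show.
        "From": actor,
    }
```

Running the check on the caller's side means a stakeholder address supplied as From is rejected before the request leaves the integration, regardless of how the API treats it.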