I would like to establish an "admin" user to administer a group of users. When I create a new user I give the admin read and write privileges. The user listing on the console shows that the admin does have r/w privileges. The problem is that when I try to update the user I get an Invalid Credential error. I'm using the admin's token to try to update the other user's information (e.g., his email). I get the same error using the API Console. I only seem to be able to update the user information when sending the token for that particular user. Can you tell me what credentials I need to send?

Hi Dawn,



The scenario you are describing sounds correct. Are you seeing an InvalidCredentials error, or is it an InsufficientCredentials error?



If you are seeing an InvalidCredentials error, it would mean that you are not authenticating correctly as the admin user-- perhaps the auth token for your admin user is invalid?

I'm seeing the InvalidCredentials error. The token seems to be fine because I'm able to use it to update the admin user's information. Just not another user. Also discovered that I could not retrieve the other user's information (same InvalidCredentials error). If I change the user collection permissions to Shared then I can retrieve the user info, but I would prefer to keep the permission as Private. Doesn't solve the update issue though.

Hi Dawn, there's something fishy going on, then -- you should not be seeing InvalidCredentials if the auth token is valid. Could you double check that you are submitting the exact same authorization header in both the case that works and the case that does not?



Once you've double checked, can you paste the requests and responses (including the URLs you are hitting, the headers and the bodies) for both cases (success and failure) in this thread, so that I may gain more insight into the problem? if you are concerned with exposing the auth tokens, feel free to send this info to me as a private message.

Sorry, I was wrong. The error is InsufficientCredentials. Here are the requests and the responses. The headers are the same.



This is the acl for the other user's account:

"_acl" = {

creator = 537bb6845a2258f75200a36e;

r = 537bb37d9b6df3b52d00a4fb;

w = 537bb37d9b6df3b52d00a4fb;

};

-------------------------------

PUT request to update the other user's account

https://baas.kinvey.com/user/kid_TPhSjOlfkq/537bb6845a2258f75200a36e

Authorization = "Kinvey 2763c2a1-3d79-4c5d-96f5-a656a9646a10.LOHpRhc3ocA9BINhJ38TCqqB9AlHKjVozy0Guniwprw=";

"Content-Type" = "application/json";

"X-Kinvey-API-Version" = 3;

{

admin = 0;

adminID = 537bb37d9b6df3b52d00a4fb;

email = "john@help.com";

expiration = "2014-07-20T22:05:42.000Z";

groupID = "CF0BF075-BBFE-429B-B986-0781E60F9868";

username = John;

}



Response to update other user's account:

{

debug = "";

description = "The credentials used to authenticate this request are not authorized to run this operation. Please retry your request with appropriate credentials";

error = InsufficientCredentials;

}

-------------------------------------

PUT request to update admin user's account:

https://baas.kinvey.com/user/kid_TPhSjOlfkq/537bb37d9b6df3b52d00a4fb

Authorization = "Kinvey 2763c2a1-3d79-4c5d-96f5-a656a9646a10.LOHpRhc3ocA9BINhJ38TCqqB9AlHKjVozy0Guniwprw=";

"Content-Type" = "application/json";

"X-Kinvey-API-Version" = 3;

{

admin = 1;

email = "dawn@help.com";

expiration = "2014-07-20T22:09:00.000Z";

groupID = "CF0BF075-BBFE-429B-B986-0781E60F9868";

username = Dawn;

}



Response

{

"_acl" = {

creator = 537bb37d9b6df3b52d00a4fb;

};

"_id" = 537bb37d9b6df3b52d00a4fb;

"_kmd" = {

authtoken = "2dfd70b8-94aa-41fe-8a48-91db2d7caaac.allRrFysxth63NLp/2oyqtypXhaBMFj+rmnVl1C5NNo=";

ect = "2014-05-20T19:56:45.761Z";

lmt = "2014-05-20T22:08:58.515Z";

};

admin = 1;

email = "dawn@help.com";

expiration = "2014-07-20T22:09:00.000Z";

groupID = "CF0BF075-BBFE-429B-B986-0781E60F9868";

username = Dawn;

}

Hi Dawn, _acl.r and _acl.w should contain arrays of string IDs, rather than a single string ID (as specified in the guides http://devcenter.kinvey.com/rest/guides/security#entityanduserpermissions).



That is, your user's _acl should be:

`

{

creator: "537bb6845a2258f75200a36e",

r: ["537bb37d9b6df3b52d00a4fb"],

w: ["537bb37d9b6df3b52d00a4fb"]

}`

Yep. That was the problem. Thx for your help.