Functions and Sessions

What dictates the user and session within a function, particularly one called via REST?

We have a range of functions within one library that are used for in-house EDI. This EDI creates a sales order, adds one or more lines, adds parts, runs the configurator and populates it with data if needed, runs OJW, among other things.

This has all been created in a dev environment by one user (let’s call me him “Dev”.) Solution Workbench creates a solution of these functions and exports. The solution is imported into a Test environment and eventually to our Live environ.

The EDI can run from numerous sources but is mostly triggered from Excel.

We have a dummy user set up (let’s call it “EDIUser”) and it’s EDIUser’s credentials that are used to make the REST calls in Excel that fire our functions to do all the Epicor magic.

Here’s our problem though. When the SO is created, OrderHed.EntryPerson shows Dev’s username. Further, all materials issued to the job are coming from whatever site Dev was logged into when EDIUser ran the automation.

There is one “master function” that’s called, and this coordinates which other functions need to be called to do various stages of the overall process. There’s quite a bit of functions-calling-functions happening, but all through the one library. At no point in the functions are Dev’s credentials used. The only time credentials are used is through Excel etc., and only then for EDIUser to call the master function.

I’m assuming that somewhere in this process I need to enforce a session and dictate the correct user, company, site etc. I’m just surprised to see Dev’s session being tied to this process and I’m unsure why this is the case.

I know it might be a big ask seeing I haven’t provided code, but would anyone be able to explain, in a broad sense, how Dev’s session would be triggered in this scenario?

Cheers!

This is where I would look. If you look at the REST V2 Technical Reference Guide for 2022.1, you will see that you should be able to pass in a username IF the authenticated user has Impersonation rights in User Account Security Maintenance.

It’s also possible that the dataset has the user “dev” hardcoded in the BO call within the function but you’d have to show some code for that.

Hey Mark, thanks for the reply.

I’ve just confirmed that yes, EDIUser has “Allow Session Impersonation” enabled.

I’m sure there’s no hard-coded user in the record creation. Below is the code used to create OrderHed record:

    Erp.Tablesets.SalesOrderTableset tsOrder = new Erp.Tablesets.SalesOrderTableset();

    // create a new SO hed
    try{
      this.CallService<Erp.Contracts.SalesOrderSvcContract> (boSO => {
        boSO.GetNewOrderHed(ref tsOrder);

        //update default fields in OrderHed
        tsOrder.OrderHed[0].Company = "CEB";
        tsOrder.OrderHed[0].CustNum = 
        tsOrder.OrderHed[0].BTCustNum =
        tsOrder.OrderHed[0].ShipToCustNum = tsCustomer.Customer[0].CustNum;
        tsOrder.OrderHed[0].ShipViaCode = tsCustomer.Customer[0].ShipViaCode;
        tsOrder.OrderHed[0].FOB = tsCustomer.Customer[0].DefaultFOB;
        tsOrder.OrderHed[0].TaxRegionCode = tsCustomer.Customer[0].TaxRegionCode;
        tsOrder.OrderHed[0].PONum = *[variable passed to function]*;
        tsOrder.OrderHed[0].NeedByDate =
        tsOrder.OrderHed[0].RequestDate = *[variable passed to function]*;
        tsOrder.OrderHed[0].TermsCode = tsCustomer.Customer[0].TermsCode;
    // non-relevant code removed ...
        }

        boSO.Update(ref tsOrder);

      });

tsCustomer is a CustomerTableset passed in as a parameter. This customer was either created (new customer) or retrieved (existing customer) in a previous function. If created it uses CustomerSvcContracts.GetNewCustomer to start with a blank CustomerTableset - no hard-coded user credentials here either.

Cool. What credentials does the Excel spreadsheet use in the VBA? I’m guessing but it could be JavaScript.

And in the function, there’s no section of code creating a new session?

I’m not sure what the exact answer is but I’m pretty sure @Mark_Wonsil is over the target

No, no session is being created in the function. I had assumed (wrongly, maybe) that the owner of the session would be the calling credentials of the REST routines.

Excel uses a WinHttp request with basic auth. Here’s the header info I’m passing in:

    objHTTP.SetRequestHeader "Content-type", "application/json"
    objHTTP.SetRequestHeader "Accept", "application/json"
    objHTTP.SetRequestHeader "X-API-Key", gAPIKey
   
    objHTTP.SetRequestHeader "Authorization", "Basic " + gAuth

API key and authorization are obtained from an SQL call and passed as parameters so they’re not embedded in the code, but the format of gAuth is a Base64 encoded string. Essentially it’s username and pw for the EDIUser login. There’s no reference to Dev user.

Hmmm. No other request headers…

and you’ve decoded the string from ALL copies of the Excel workbook…just to make sure that the Dev didn’t fix one version and not others?

Just reread and saw you’re pulling from SQL. Is there only one gAuth record in SQL? Is there more than one SQL database to choose from - Test vs Production?
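Added example, not part of any post in this thread: one way to run the check suggested above, decoding every stored copy of the Basic credential and reporting which username each one carries without ever returning the password. The function names, source labels and sample credentials are constructed for illustration.

```python
import base64
import binascii

def basic_auth_username(value):
    """Return the username inside a Basic credential, or None if malformed.

    Accepts the bare Base64 token (like gAuth in the thread) or a full
    'Basic <token>' header value. The password is never returned.
    """
    token = value.strip()
    if token[:6].lower() == "basic ":
        token = token[6:].strip()
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    username, sep, _password = decoded.partition(":")
    return username if sep and username else None

def audit_credentials(records, expected_user):
    """Return (source, finding) pairs for credentials that are not expected_user."""
    findings = []
    for source, value in records.items():
        user = basic_auth_username(value)
        if user is None:
            findings.append((source, "malformed"))
        elif user != expected_user:
            findings.append((source, "user=" + user))
    return findings

def encode_sample(user, password):
    """Build a constructed Basic token for the sample data below."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample data: source labels and passwords are invented.
SAMPLE = {
    "sql:gAuth": encode_sample("EDIUser", "example:pw"),
    "workbook_v1.xlsm": "Basic " + encode_sample("EDIUser", "example-pw"),
    "workbook_v2.xlsm": encode_sample("Dev", "example-pw"),
    "workbook_v3.xlsm": "not-base64!",
}

if __name__ == "__main__":
    for source, finding in audit_credentials(SAMPLE, "EDIUser"):
        print(source, finding)
```

Because Base64 is an encoding and not encryption, anyone who can read the stored gAuth value can recover the EDIUser password, so the SQL record deserves the same access controls as the password itself.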

This might be what you are looking for


There’s only the one SQL record. EDIUser is set up the same in both instances so I’m confident the credentials are correct.

Thanks for this link - I’d missed that but I’ve read over the REST Services V2 entry and done some preliminary testing from Excel. I think you might be on to something here, but there’s something wrong with my syntax (or I’m having issues with the double-quotes in VBA). I’ll need to run some tests in Postman when I get the chance. Watch this space…

My initial tests did have problems with double-quotes via VBA. Once I sorted that issue out this worked perfectly. Thanks for pointing me in the right direction @tkoch !
