This article applies to Exalate Classic only. For New Exalate, refer to this documentation.
This document details all API permissions required by the Exalate Xurrent connector, organized by feature and use case.
Overview
Xurrent uses a record type + operation permission model for API access. When creating a Personal Access Token or OAuth application, you must explicitly grant permissions for each record type your integration needs to access.
Key Points:
- Personal Access Tokens deny all access by default
- You must add scopes for each record type needed
- Operations include:
Read,Create,Update,Delete,All - Some operations require specific user roles in addition to API scopes
Permission Format
Xurrent permissions follow the format:
<record_type>:<operation>
Available Operations:
| Operation | Description |
|---|---|
Read | Query and retrieve data |
Create | Create new records |
Update | Modify existing records |
Delete | Delete records |
All | All operations (Read + Create + Update + Delete) |
Examples:
Request:Read- Can read requestsRequest:Create- Can create requestsPerson:Read- Can read people/usersTeam:Read- Can read teams
Minimum Required Permissions
These are the absolute minimum permissions required for basic Exalate sync functionality:
| Record Type | Operations | Purpose |
|---|---|---|
| Request | Read, Create, Update | Core sync functionality |
With only these permissions, you can:
- Create new requests from incoming sync
- Update existing requests
- Read request details for outgoing sync
Limitations with minimum permissions:
- Cannot sync comments (need Note permissions)
- Cannot look up users by email (need Person permissions)
- Cannot look up teams (need Team permissions)
- Cannot use request templates (need Request Template permissions for custom fields type)
- Cannot use custom fields with labels (need UI Extension permissions)
Full Feature Permissions
For full Exalate functionality, grant these permissions:
| Record Type | Operations | Purpose |
|---|---|---|
| Request | Read, Create, Update | Core request sync |
| Note | Read, Create | Comment sync |
| Person | Read | User lookup (reporter, assignee) |
| Team | Read | Team assignment (for member field) |
| Request Template | Read | Template-based requests |
| UI Extension | Read | Custom field labels/values |
| Service Instance | Read | Service assignment |
Permission by Feature
1. Request Sync (Required)
Permissions Needed:
Request: Read, Create, Update
Script Usage:
// These work with Request permissions only
entity.summary = replica.summary
entity.category = "incident"
entity.status = replica.status
2. Comment/Note Sync
Permissions Needed:
Note: Read, Create
Script Usage:
// Sync comments
entity.comments = commentHelper.mergeComments(entity, replica)
Without Note:Read permission (Outgoing Sync):
- Comments will NOT be read from Xurrent
- Warning logged:
"Unauthorized (401) when fetching comments... API token may lack Note:Read permission" - Sync continues without comments (graceful degradation)
- No error thrown
Without Note:Create permission (Incoming Sync):
- Sync FAILS with clear error message
- Error:
"Unauthorized (401) when creating comment... Ensure your API token has Note:Create permission" - This ensures users know exactly what permission is missing
3. User/People Lookup
Permissions Needed:
Person: Read
Script Usage:
// Look up user by email
def user = nodeHelper.getUserByEmail("john@example.com")
entity.requestedFor = user
// Look up user by ID
def user = nodeHelper.getUserById("12345")
Without Person permissions:
getUserByEmail()throwsIssueTrackerExceptionwith 401 error- Reporter/Assignee enrichment fails
4. Team Assignment
Permissions Needed:
Team: Read
Script Usage:
// Look up team by name
def teamId = nodeHelper.getTeamIdByName("Support Team")
entity.teamId = teamId
Without Team permissions:
getTeamIdByName()throwsIssueTrackerExceptionwith 401 error- Team member validation is skipped (graceful degradation)
- Request creation may still work if team ID is known
5. Request Templates
Permissions Needed:
Request Template: Read
Script Usage:
// Look up template by name
def templateId = nodeHelper.getTemplateIdByName("IT Support Request")
entity.templateId = templateId
Without Request Template permissions:
getTemplateIdByName()throwsIssueTrackerExceptionwith 401 error- Cannot dynamically look up templates
- Can still use template ID directly if known
6. Custom Fields (UI Extensions)
Permissions Needed:
Request Template: Read
UI Extension: Read
Script Usage:
// Get custom field with validation
def cf = nodeHelper.getCustomField(templateId, "My Field", "Value 1")
entity.customFields["My Field"] = cf
// Get field label
def label = nodeHelper.getCustomFieldLabel(templateId, "custom_field_123")
// Get value label (for dropdowns)
def valueLabel = nodeHelper.getCustomFieldValueLabel(templateId, "company", "value_1")
// Get all field definitions
def definitions = nodeHelper.getCustomFieldDefinitions(templateId)
Without UI Extension permissions:
getCustomField()throws error about missing definitionsgetCustomFieldLabel()returns internal ID instead of labelgetCustomFieldValueLabel()returns internal value instead of label- Custom fields still sync, but with internal IDs instead of labels
7. Service Assignment
Permissions Needed:
Service Instance: Read
Script Usage:
// Look up service by name
def serviceId = nodeHelper.getServiceIdByName("IT Service Desk")
entity.serviceId = serviceId
Without Service Instance permissions:
getServiceIdByName()throwsIssueTrackerExceptionwith 401 error- Can still use service ID directly if known
8. Tags/Labels
Permissions Needed:
Request: Read, Update
Tags are managed through the Request API, no separate Tag permission needed.
Script Usage:
// Sync labels/tags
entity.labels = replica.labels
9. Attachments
Permissions Needed:
Request: Read, Update
Note: Create (for attachments on comments)
Attachments use the storage facility API which is accessible with Request permissions.
Script Usage:
// Sync attachments
entity.attachments = replica.attachments
Permission Errors
401 Unauthorized Errors
When a method lacks required permissions, you'll see errors like:
IssueTrackerException: Unauthorized: If you want to use this feature (getUserByEmail),
ensure your API token has proper permissions for the People endpoint.
Solution: Add the required record type with Read permission to your Personal Access Token.
Graceful Degradation
Some features gracefully degrade instead of throwing errors:
| Feature | Behavior without Permission |
|---|---|
| Note:Read (outgoing) | Comments skipped - sync proceeds without comments |
| Team member validation | Skipped - request proceeds |
| Custom field labels | Returns internal ID |
| Custom field value labels | Returns internal value |
Strict Validation (Throws Exception)
These features throw exceptions with clear 401 messages:
| Feature | Error Message |
|---|---|
| Note:Create (incoming) | "Unauthorized (401) when creating comment... Ensure your API token has Note:Create permission" |
| Person:Read | "Unauthorized (401) when fetching person. Check API permissions for people endpoint." |
| Team:Read (lookup) | "Unauthorized: If you want to use this feature (getTeamIdByName), ensure your API token has proper permissions for the Teams endpoint." |
Additional Resources
Next steps
Have more questions? Ask the community