Example of using the AR System Server REST API to impersonate a user


An administrator can impersonate a user by using the X-AR-Impersonated-User REST API header. This HTTP header helps an administrator to:

  • Debug an issue
  • Perform programmatic integrations

When an administrator impersonates a user, the administrator continues to utilize the fixed license. 

You impersonate a user by using the ARSetImpersonatedUser API call. For more information, see Impersonating-a-user.

The following table gives you details about using the X-AR-Impersonated-User header in the GET operation:

URL qualifier
    /entry/{formName}/{entryId}
    formName is the name of the form for which an entry must be read.
    entryId is the entry ID.

Method
    GET

Headers
    Header                                 Value
    Authorization                          token
    (Optional) X-AR-Client-Type            Client Type ID
    (Optional) X-AR-RPC-Queue              RPC queue to which the client calls are routed
    (Optional) X-AR-Timeout                Timeout (in seconds) for a REST request. The default value is 120 seconds.
    (Optional) X-AR-TR-Core-Id             The core ID in a trace ID
    (Optional) X-AR-TR-Counter             The counter in a trace ID
    (Optional) X-AR-Trace-Id               The complete trace ID
    (Optional) X-AR-TR-Is-Counter-Locked   The lock counter
    (Optional) X-AR-Impersonated-User      The user name to impersonate, as a base64 encoded string; for example, Demo2 is sent as RGVtbzI=

Parameters
    Name      Description
    fields    Selects the parts of the JSON document to return. For example: ?fields=entryId1,entryId2
    expand    Expands the related entries (associations). For more information, see Endpoints-in-AR-REST-API.

Returns
    An entry object

All possible error codes

If the request is not successful, one of the following error codes is returned:

  • 400 - Request body is incorrect
  • 403 - Forbidden
  • 404 - Form does not exist
  • 500 - Internal server error

For more information, see Error-handling-for-the-REST-API.

Notes

The entry object contains field values for all data fields to which the user has permission.

Here is sample code to impersonate a user:

Sample code for user impersonation

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class Get {
    public static void main(String[] args) throws Exception {
        // the AR-JWT token obtained from the login call is passed as the first argument
        String token = args[0];
        // start HTTP GET to get an entry
        HttpGet httpGet = new HttpGet(
                "http://localhost:8008/api/arsys/v1/entry/User/000000000000001");
        // add the token to the header (the scheme name AR-JWT is followed by a space)
        httpGet.addHeader("Authorization", "AR-JWT " + token);
        // the impersonated user name is sent base64-encoded
        String impersonatedUserName = "Demo2";
        httpGet.addHeader("X-AR-Impersonated-User",
                Base64.getEncoder().encodeToString(impersonatedUserName.getBytes(StandardCharsets.UTF_8)));
        // make the call and print the returned entry
        try (CloseableHttpClient httpClient = HttpClients.createDefault();
             CloseableHttpResponse response = httpClient.execute(httpGet)) {
            HttpEntity entity = response.getEntity();
            String jsonEntry = EntityUtils.toString(entity, StandardCharsets.UTF_8);
            System.out.println(jsonEntry);
        }
    }
}

You can also use the script as described in the TestHttpClient - Command line tool to test HTTP(S) services article on BMC Communities.

The AR API log records which user is impersonating another user. In the following example, the user Demo2 is impersonated by the user Demo:

AR API logs for user impersonation

<API > <TrID: svErZYSGQBO89IWpSQuPJQ:0000001> <TID: 0000000427> <RPC ID: 0000000868> <Queue: Fast      > <Client-RPC: 390620   > <USER: Demo2 -- Impersonated by Demo --             > <Overlay-Group: 0         > /* Mon Dec 21 2020 16:06:47.1010 */ +GE ARGetEntry -- schema User entryId 000000000000001 from Unidentified Client (protocol 19) at IP address 10.135.36.67 using REST // :q:0.0s null

<API > <TrID: svErZYSGQBO89IWpSQuPJQ:0000001> <TID: 0000000427> <RPC ID: 0000000868> <Queue: Fast      > <Client-RPC: 390620   > <USER: Demo2 -- Impersonated by Demo --             > <Overlay-Group: 0         > /* Mon Dec 21 2020 16:06:47.1060 */ -GE              OK
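The following Python is an added example, not BMC's code: it builds the same two headers the Java sample sends (AR-JWT token and base64-encoded X-AR-Impersonated-User) and parses AR API log lines in the format shown above to list every call start made under impersonation, which is the record an auditor would review. The sample log lines are constructed from the excerpt above; the third, non-impersonated line is an assumed addition to show that ordinary calls are not reported.

```python
import base64
import re
from typing import Iterable, Optional

def build_headers(token: str, impersonated_user: Optional[str] = None) -> dict:
    """AR-JWT Authorization header plus, when impersonating, the base64-encoded user name."""
    headers = {"Authorization": "AR-JWT " + token}  # note the space after the scheme name
    if impersonated_user:
        headers["X-AR-Impersonated-User"] = base64.b64encode(
            impersonated_user.encode("utf-8")).decode("ascii")
    return headers

# Field patterns for the AR API log format shown on the page.
_USER_RE = re.compile(r"<USER:\s*(?P<user>\S+)(?:\s+--\s+Impersonated by\s+(?P<admin>\S+)\s+--)?\s*>")
_CALL_RE = re.compile(r"\*/\s*(?P<direction>[+-])[A-Z]+\s*(?P<call>AR[A-Za-z]+)?")
_IP_RE = re.compile(r"IP address\s+(?P<ip>\d+(?:\.\d+){3})")

def parse_api_log_line(line: str) -> Optional[dict]:
    """Effective user, impersonating admin (None if none), direction (+ start / - end), call, client IP."""
    user, call = _USER_RE.search(line), _CALL_RE.search(line)
    if not user or not call:
        return None
    ip = _IP_RE.search(line)
    return {"user": user.group("user"), "impersonated_by": user.group("admin"),
            "direction": call.group("direction"), "call": call.group("call"),
            "ip": ip.group("ip") if ip else None}

def impersonation_events(lines: Iterable[str]) -> list:
    """(admin, user, call, ip) for each call start made under impersonation."""
    events = []
    for line in lines:
        rec = parse_api_log_line(line)
        if rec and rec["impersonated_by"] and rec["direction"] == "+":
            events.append((rec["impersonated_by"], rec["user"], rec["call"], rec["ip"]))
    return events

# Constructed sample lines modelled on the page's excerpt: an impersonated ARGetEntry
# start/end pair, then an assumed ordinary call by Demo that must not be reported.
_PREFIX = "<API > <TrID: svErZYSGQBO89IWpSQuPJQ:0000001> <TID: 0000000427> <Queue: Fast      > "
SAMPLE_LOG = [
    _PREFIX + "<USER: Demo2 -- Impersonated by Demo --             > <Overlay-Group: 0         > "
    "/* Mon Dec 21 2020 16:06:47.1010 */ +GE ARGetEntry -- schema User entryId 000000000000001 "
    "from Unidentified Client (protocol 19) at IP address 10.135.36.67 using REST // :q:0.0s null",
    _PREFIX + "<USER: Demo2 -- Impersonated by Demo --             > <Overlay-Group: 0         > "
    "/* Mon Dec 21 2020 16:06:47.1060 */ -GE              OK",
    _PREFIX + "<USER: Demo                                    > <Overlay-Group: 0         > "
    "/* Mon Dec 21 2020 16:07:02.0000 */ +GE ARGetEntry -- schema User entryId 000000000000001 "
    "from Unidentified Client (protocol 19) at IP address 10.135.36.67 using REST // :q:0.0s null",
]
```

Running impersonation_events(SAMPLE_LOG) reports a single event, Demo acting as Demo2 for ARGetEntry from 10.135.36.67; the matching -GE end line and the non-impersonated call are skipped.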
