Hi Avoka Community,

I'm trying to set up our CI server to deploy using the app-deploy ant task, however I am being thwarted by a HTTP 403 error.

I've read the documentation on app-deploy in the Transact SDK docs, however I must be missing something. What's the minimum set of permissions and configuration required to allow a user to call the services that underpin app-deploy?

Ideally I would have a build server user with only the permissions required to test, build, deploy - and not access any UI... not sure if this is possible though.

Thanks in advance,


    CommentAdd your comment...

    3 answers


      Hi Sean. I think you should be fine with the following permissions on the Transact Manager module:

      • Admin Directory
      • REST Application Package API
      • REST Service Definitions API
      • REST Test Center API

      I also have 

      • REST TPac API

      but you dont really need that if you dont use TPacs

      Also mind the user organisation assignment so the CI Tools user is allowed to deploy/execute service under the organisation configured in your build.properties file.

      See more at: Setup Transact SDK > Configuring Transact Manager Permissions

        CommentAdd your comment...

        The correct answer to the original post is that http 403 in most scenarios will reflect missing IP whitelisting on the TM server. Sean used a build server which wasnt allowed to chat with the TM server.

        Fixing whitelisting on the TM server resolved the issue for Sean.

        While playing further with miss-configuration of other involved assets the following error messages are present:

        • CI user not linked with proper TM organisation access  >> HTTP 404 Not Found
        • CI user missing proper roles/permissions  >> HTTP 403 Forbidden
        • CI user not linked with Transact Manager form space/module >> HTTP 401 Unauthorized "Account not associated with portal"
        • miss-configured or missing manager.clientCode in local transact-auth.properties file >> HTTP 404 Not Found
        • miss-configured manager.username or manager.password > HTTP 401 Unathorized "Bad credentials"
          CommentAdd your comment...

          Hi Miro,

          Thanks for your advice. I've tried that configuration but it doesn't work for me. Here's an extract from the error message I receive:

          [app-deploy] Http client: created.
          [app-deploy] Request: POST https://<server>/manager/secure/rest/application-package/v1/<client_code> HTTP/1.1
          [app-deploy] Response: HTTP/1.1 403 Forbidden
          [app-deploy] Response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
          [app-deploy] <html><head>
          [app-deploy] <title>403 Forbidden</title>[app-deploy] </head><body>
          [app-deploy] <h1>Forbidden</h1>
          [app-deploy] <p>You don't have permission to access /manager/secure/rest/application-package/v1/<client_code>
          [app-deploy] on this server.</p>
          1. Miroslav Botka

            As part of the debugging try

            • to enable global org access on the CI user account. That will be required if you need to deploy global services.
            • assign the user to the Transact Manager module
          2. Sean Colyer

            I've enabled global org access. It doesn't fix the issue.

            How do I assign the user to the Transact Manager module?

          3. Miroslav Botka

            User Account details > spaces > Add Transact Manager to the list of spaces on the right side

            sorry it is a bit confusing, Transact Manager is just "another space" re this sort of config even though in the menu its under the System > Modules Config

          4. Miroslav Botka

            btw this is how I configured the transact-auth.properties file (try to use the same URL patter - no end backslash)

          5. Sean Colyer

            Thanks Miro. I didn't have that space configured, but adding it still doesn't resolve the 403 error.

          CommentAdd your comment...