HVAccessDeniedException

Jun 4, 2013 at 9:27 PM
I've created my AppID and it seems to be authenticating, but when I try to post something, it gives me HVAccessDeniedException.

I've modified the permissions to allow crud - but it's acting as if I don't have the ability to read or write. I've noticed someone say they had to 'restart' the application, but I'm calling it from eclipse and have restarted it many times. Is there anything else I need to do to get the permissions?

It would also be really nice to see the error in a more legible way. I think I'm getting error number 11?

Can you help?

Greg
Coordinator
Jun 11, 2013 at 11:19 PM
What method are you calling when you get the error? Have you authorized a record for your application?
Jun 12, 2013 at 5:32 PM
I was just calling the get weight sample program. I do not think that my record is authorized, although I have added the app.

I think I'm missing a step.

This is what we did:

1) created an AppID
2) altered the sample app with the weight thing in it to use that app id versus the wildcat appid
3) generated the GUID with the appid, alias, question and answer
4) type all that into the patient register page
5) linked it to that user
6) Looking in the app for activity - nothing shows up, although in wildcat you can see where it authorized a record.

There also seems to be some sort of delay between when I configure the app for read access (for example) to vitals and when that seems to work? I removed the app from the user, then re-added it to see if I missed a step or maybe the order was wrong, and now I can't see the records I could see before.

:(

What am I getting wrong?
Coordinator
Jun 12, 2013 at 6:56 PM
Hi,

I'm sort of following you. It sounds like you created your own AppId at https://config.healthvault-ppe.com. That's awesome.

It sounds like you want to run one of the sample apps with your AppId. Which one? The one under examples/ui-jaxb? In order to do that you need to make two changes.
  1. edit src/main/resources/hv-application.properties and set app.id=<your app-id>
  2. ensure your private key is in src/main/resources/keystore. You can find those instructions here: https://healthvaultjavalib.codeplex.com/wikipage?title=Getting%20Started under "Private Key".
What I'm confused about is when you get to your step 3) where you generate a GUID with the appid, alias, question and answer. Are you trying to do patient connect? I'm not sure why, especially if you are trying to use the sample application. Can you elaborate on that?

--Rob
Jun 12, 2013 at 7:13 PM
Rob - thanks for the quick responses - I can see by the answers here that you are 'the man' so I'm very excited. :)

Yeah, I'm pretty sure I got the keystore and all of that right because I'm not getting the HVException any more.. :)

Step 3, well, we are going to need a patient connect model and I'm working through the sample code to try to build what we need. We actually do have a service running that will generate a GUID, given the question and answer (and of course we send the AppID). I can see that we get added OK, but I don't seem to have access (read or write...) The way I understand the GUID is that it links any logged in user if they correctly answer the secret question and answer to the AppID that we generated the GUID with.

For some reason the way it looks is that I'm able to add people without any privs and now I can't delete them. If you look at the user: pranav_kurbetti@yahoo.com or Greg Eoyang (not sure what kind of access you have to the PPE?) you can see this. I think this comes from changing the privs of the AppID once it's already in use or something like that?

We would like to be able to have people send a secret question and answer to our interface - which then will generate a GUID and send it via email to them, which is already working (I think...), then they go to the patientwelcome.aspx page and complete the link by selecting the right person from their account.

The link works, but the app can't read anything through the link.

Greg.
Coordinator
Jun 12, 2013 at 8:02 PM
Hi Greg,

Cool. You are pretty far. When a user accepts a patient connect request at HealthVault, a few things happen. The user might have needed to create a HealthVault account, they will authorize your application, and the accepted connect request will become available through the method GetAuthorizedConnectRequests.

The part left for your application is to read the Authorized Connect Requests, discover the person-id and record-id, and map that to a user in your system through the external-id in the request.

With the person-id and record-id your application can make offline calls (basically just using the person-id instead of an access token). In order to do that, your application needs to be provisioned with offline rules. If you look in the app configuration center, there are online as well as offline rules. Be sure you add offline rules.

When you make changes to your permissions in app configuration center, it may take up to 20 minutes to propagate. That's a bummer, I know. Any existing users will also need to reauthorize your application to accept the new permissions. You can get them to reauthorize via a new connect request if you want.

Let me know how it goes.

--Rob
Jun 12, 2013 at 9:50 PM
Rob,

I think we've pretty much got that too, this is what I see coming from our server, here's one of our registered users! :) I think it's mostly the 20 minute thing and the fact that we need to have our AppID on the production side so I can see all my data. I can't really get them to do a new connect because it knows they are already connected and the remove all access button is grayed out. Do you know how to fix that? Do you guys have admin access to kill that link?


<person-id>3785d109-2d84-441d-9baa-b9bf37f832a3</person-id>
<name>Greg Eoyang</name>
<selected-record-id>020ff74f-4bb6-44d5-b7a5-cee2ce7dc3c0</selected-record-id>
<record id="020ff74f-4bb6-44d5-b7a5-cee2ce7dc3c0" record-custodian="true" rel-type="1" rel-name="Self" auth-expires="9999-12-31T23:59:59.999Z" display-name="Greg" state="Active" date-created="2013-06-12T18:15:18.073Z" max-size-bytes="4294967296" size-bytes="1041" app-record-auth-action="NoActionRequired" app-specific-record-id="242005" location-country="US" date-updated="2013-06-12T18:15:46.313Z">Greg Eoyang</record>
<preferred-culture><language>en-US</language></preferred-culture>
<preferred-uiculture><language>en-US</language></preferred-uiculture>
<location><country>US</country></location>
</person-info>

<person-info>
<person-id>beb76296-2a21-4c50-9fc3-125c0a546517</person-id>
<name>Persistent2 test</name>
<selected-record-id>8cf28106-522b-49bd-a951-12bc70999d9d</selected-record-id>
<record id="8cf28106-522b-49bd-a951-12bc70999d9d" record-custodian="true" rel-type="1" rel-name="Self" auth-expires="9999-12-31T23:59:59.999Z" display-name="Persistent2" state="Active" date-created="2013-05-31T11:40:38.45Z" max-size-bytes="4294967296" size-bytes="1002" app-record-auth-action="NoActionRequired" app-specific-record-id="241122" location-country="US" date-updated="2013-06-04T06:31:39.073Z">Persistent2 test</record>
<preferred-culture><language>en-GB</language></preferred-culture>
<preferred-uiculture><language>en-GB</language></preferred-uiculture>
<location><country>US</country></location>
</person-info>
Coordinator
Jun 12, 2013 at 11:33 PM
Those users have fully authorized the application as shown by app-record-auth-action="NoActionRequired". If the application had changed its permission set to include new types or permissions, the status would be listed as ReauthorizationRequired.

Your application does not appear to have ONLINE permission to create whatever thing you are trying to create. It looks like you make some calls offline and some calls online. Is that correct? Do you have a web front end and some backend processing? Be sure to re-check the online AND offline rules in the Application Configuration Center.

I'm not sure what you mean when you say, "I can't really get them to do a new connect because it knows they are already connected". Do you mean your system already knows they are connected, or HealthVault? In HealthVault's case, you can simply enter the same PatientConnect code and reauthorize the same record. You can create a new code too, if you'd like.

--Rob
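The check described in the reply above, as an added example that is not part of the original thread or the HealthVault SDK (Java 16+): it reads `<record>` elements shaped like the posted response and flags any record the application should not assume it can still use. The `<people>` root, the sample ids, and reading `state` and `auth-expires` as their names suggest are assumptions.

```java
import java.io.StringReader;
import java.time.Instant;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added example, not SDK code. Reads <record> elements shaped like the ones posted above.
public class RecordAuthCheck {
    /** Maps record id -> reason for every record the app should not assume it can use. */
    static Map<String, String> recordsNeedingAttention(String xml, Instant now) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so a response body cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        NodeList records = doc.getElementsByTagName("record");
        Map<String, String> flagged = new LinkedHashMap<>();
        for (int i = 0; i < records.getLength(); i++) {
            Element r = (Element) records.item(i);
            String action = r.getAttribute("app-record-auth-action");
            if (!"NoActionRequired".equals(action)) {
                flagged.put(r.getAttribute("id"), "auth action: " + action);
            } else if (!"Active".equals(r.getAttribute("state"))) {
                flagged.put(r.getAttribute("id"), "state: " + r.getAttribute("state"));
            } else if (Instant.parse(r.getAttribute("auth-expires")).isBefore(now)) {
                flagged.put(r.getAttribute("id"), "authorization expired");
            }
        }
        return flagged;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the <people> root and all ids are made up; attribute names
        // follow the response in the thread.
        String xml = "<people>"
            + "<person-info><record id=\"rec-a\" state=\"Active\" auth-expires=\"9999-12-31T23:59:59.999Z\""
            + " app-record-auth-action=\"NoActionRequired\">A</record></person-info>"
            + "<person-info><record id=\"rec-b\" state=\"Active\" auth-expires=\"9999-12-31T23:59:59.999Z\""
            + " app-record-auth-action=\"ReauthorizationRequired\">B</record></person-info>"
            + "<person-info><record id=\"rec-c\" state=\"Active\" auth-expires=\"2013-01-01T00:00:00Z\""
            + " app-record-auth-action=\"NoActionRequired\">C</record></person-info>"
            + "</people>";
        // Flags rec-b (reauthorization needed) and rec-c (expired); rec-a passes.
        System.out.println(recordsNeedingAttention(xml, Instant.now()));
    }
}
```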
Jun 13, 2013 at 4:28 PM

Rob - we are still trying to figure out an elegant way to get the personID and recordID. I think the way to do it is to write our own linking tool, basically our own version of https://account.healthvault-ppe.com/patientwelcome.aspx, step #4.


If we write that we can return the patientID and RecordID, I think? But we don't see any sample code or a template for that. Is there anything out there?


Below is the process to generate the personId.

1. WELL app sends secret question, answer, friendlyname and externalID to HV.

2. HV generates a 20 digit identity token, which is sent to the user.

3. User logs in HV site enters this identity token, approves the WELL app to access his health data.

The problem we face is that there is no API to get personId given an identity token.

We need this since step 2 and 3 happen on different systems and there is no way for us to get the personId based on information we have.

Currently we are iterating through list of AuthorisedPerson and match the last name to find the person, but this is not right.

We feel that there should be an API in HV that we are missing, which returns personID given some identifier that WELL is aware of. (i.e. either external ID or identity token)

While traversing through documentation we had seen there is an API in .NET called getAlternateIds(), not sure if it returned the personID, but this API is not present in JAVA sdk.

Thanks for your help!


-Greg



Coordinator
Jun 13, 2013 at 6:31 PM
Edited Jun 13, 2013 at 8:16 PM
Hi Greg,

The idea was that when you create the connect request, you pass in an identifier from your system as the "external-id". When you call GetAuthorizedConnectRequests, you will receive the HV person-id, record-id and your external-id. You can then use the external-id to map the HV record to your system. Your system should then store the person-id, record-id pair and use it when interacting with HV for your user.

As an aside, I haven't published a new Java release in a while but the trunk of the code base has updated methods and types. You should feel free to download that and use it if you find something you need there. I should be publishing another release here shortly. The trunk is always kept in working order.

--Rob
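The external-id mapping described in the reply above, as an added example that is not part of the original thread or the HealthVault SDK (Java 16+). `AuthorizedConnect`, `HvLink`, `ConnectRequestLinker` and the sample ids are hypothetical stand-ins; in a real application the three fields would come from the connect requests returned by GetAuthorizedConnectRequests.

```java
import java.util.*;

// Added example, not SDK code. AuthorizedConnect is a hypothetical stand-in for the
// fields the thread reads from each connect request (external id, person id, record id).
public class ConnectRequestLinker {
    record AuthorizedConnect(String externalId, String personId, String recordId) {}
    record HvLink(String personId, String recordId) {}

    private final Set<String> issuedExternalIds;               // ids sent when creating connect requests
    private final Map<String, HvLink> links = new HashMap<>(); // local user id -> HealthVault pair

    ConnectRequestLinker(Set<String> issuedExternalIds) {
        this.issuedExternalIds = issuedExternalIds;
    }

    /** Returns true if a link was stored or confirmed, false if the entry was rejected. */
    boolean accept(AuthorizedConnect c) {
        // Only bind ids this system actually issued; never fall back to name matching.
        if (c.externalId() == null || !issuedExternalIds.contains(c.externalId())) return false;
        try { // person-id and record-id are GUIDs in the responses shown in the thread
            UUID.fromString(c.personId());
            UUID.fromString(c.recordId());
        } catch (RuntimeException e) {
            return false;
        }
        HvLink incoming = new HvLink(c.personId(), c.recordId());
        HvLink existing = links.putIfAbsent(c.externalId(), incoming);
        // A different pair for an already linked user is a conflict to review, not an overwrite.
        return existing == null || existing.equals(incoming);
    }

    Optional<HvLink> linkFor(String externalId) {
        return Optional.ofNullable(links.get(externalId));
    }

    public static void main(String[] args) {
        // Constructed sample data: every id below is made up for the example.
        ConnectRequestLinker linker = new ConnectRequestLinker(Set.of("well-user-1001"));
        List<AuthorizedConnect> batch = List.of(
            new AuthorizedConnect("well-user-1001", "11111111-1111-4111-8111-111111111111", "22222222-2222-4222-8222-222222222222"),
            new AuthorizedConnect("well-user-9999", "33333333-3333-4333-8333-333333333333", "44444444-4444-4444-8444-444444444444"),
            new AuthorizedConnect("well-user-1001", "55555555-5555-4555-8555-555555555555", "22222222-2222-4222-8222-222222222222"));
        for (AuthorizedConnect c : batch) { // linked, rejected (unknown id), rejected (conflict)
            System.out.println(c.externalId() + " -> " + (linker.accept(c) ? "linked" : "rejected"));
        }
        System.out.println(linker.linkFor("well-user-1001"));
    }
}
```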
Jul 25, 2013 at 9:14 PM
Rob,

I'm trying to do this, as you recommended, but I'm still getting HVAccessDeniedException 11.

Am I missing something else? Exactly which priv do I need to set in my offline setting to make sure I can run this?

TIA,

Greg

        GetAuthorizedConnectRequestsRequest authRequest = new GetAuthorizedConnectRequestsRequest();
        authRequest.setAuthorizedConnectRequestsSince(mydate);
        GetAuthorizedConnectRequestsResponse authResponse = (GetAuthorizedConnectRequestsResponse) requestTemplate.makeRequest(authRequest);
        List<ConnectRequest> reqList = authResponse.getConnectRequest();
        for (ConnectRequest req: reqList){
            System.out.println("personId>>>" + req.getPersonId());
            System.out.println("appid>>>" +req.getAppId());
            System.out.println("external id>>>" +req.getExternalId());
            System.out.println("record id>>>" +req.getRecordId());
            System.out.println("-----------------------------------------");
        }

        System.out.println("done");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Jul 26, 2013 at 6:41 AM
Rob,

I think we/I figured it out. I think we were populating the requestTemplate with recordId and PersonId from the other method and that was making this method crash. It wasn't a very helpful error, but I was running it in debug mode and couldn't figure out why or how the personId and recordId got populated. So as soon as I killed that it seems to be working.

We are going to migrate to EC2 now and we'll let you know if it works from there.

Thanks,
Greg
Aug 7, 2013 at 6:50 PM
Hi robmay, I was trying to run the android weighter sample under the android\examples\weighter. I was able to run it with the default app-id, but now after I created my own app-id, clicking the connect button gives me this error:
The application doesn't have permission to call the specified method.
What am I doing wrong? Can you explain? Thanks
Coordinator
Aug 7, 2013 at 11:06 PM
Hi,

When creating the application, did you click "SODA" or "Web" under application type? The default is "Web". For Android, you will need to select "Soda".
Aug 8, 2013 at 2:26 AM
Hi robmay, when I created the soda application all I can do is view my details in a web view; after login it doesn't open the weightactivity intent. Are there some settings in the application configuration portal that I need to do?