I have an IT Shop item:
paramTenant - Table view into AADOrganization
paramPartnerID - Table lookup into AADUser user
paramFirstName - Text field
paramLastName - Text field
I have created an on property change script (contains a lastName field as well but not relevant) on the paramPartnerID field:
If (ParameterSet("paramTenantID").Value IsNot Nothing) Then
    ' Dim f As ISqlFormatter = Connection.SqlFormatter
    ' Dim acc As IEntity = Session.Source().Get("Person", ParameterSet("paramTenantID").Value)
    ' ParameterSet("paramFirstName").Value = acc.GetValue("FirstName").String
    ' ParameterSet("paramFirstName").ParameterType = 0
    ' ParameterSet("paramFirstName").IsReadOnly = True
    ' ParameterSet("paramFirstName").IsMandatory = False
    ' ParameterSet("paramFirstName").IsHidden = True
    Dim partnerUUID As String = Convert.ToString(Value)
    Dim acc As IEntity = Session.Source().Get("AADUser", partnerUUID)
    ParameterSet("paramFirstName").value = acc.GetValue("GivenName").ToString
    ' ParameterSet("paramFirstName").value = partnerUUID
    'ParameterSet("paramFirstName").value = "Using Partner selected First Name"
    ParameterSet("paramLastName").IsReadOnly = True
    ParameterSet("paramLastName").IsMandatory = False
    ' ParameterSet("paramLastName").IsHidden = True
    ParameterSet("paramLastName").value = "Using account selected Last name"
Else
    ParameterSet("paramFirstName").IsReadOnly = False
    ParameterSet("paramFirstName").IsMandatory = True
    ' ParameterSet("paramFirstName").IsHidden = False
    ' ParameterSet("paramFirstName").value = ""
    ParameterSet("paramLastName").IsReadOnly = False
    ParameterSet("paramLastName").IsMandatory = True
    ' ParameterSet("paramLastName").IsHidden = False
    ' ParameterSet("paramLastName").value = ""
End If
When I go into the IT Shop, I can select the Tenant, and the person. However, it does not show GivenName as I don't have view permissions: Azure Active Directory user accounts: Viewing permission denied for value "First name". [810024]
Looking at the log I get this:
2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Running script OnPropertyChanged_94b28d67_f9fa_4221_b380_9d9fc0e94e16
2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : AADUser: Loading single entity, load type DelayedLogic
2026-03-08 12:51:55.4705 TRACE ( SqlLog ) : ClaimConnectionAsync - read write, _transaction == null
2026-03-08 12:51:55.4705 TRACE ( SqlLog ) : -- Connection 1 switched from Available to Working after comparison
2026-03-08 12:51:55.4705 TRACE ( SqlLog ) : --> existing connection 1
2026-03-08 12:51:55.4705 DEBUG ( SqlLog ) : (< 1 ms) - select AADUser.AboutMe, AADUser.AccountDisabled, AADUser.AgeGroup, AADUser.BirthDay, AADUser.BusinessPhones, AADUser.CCC_namePrefix, AADUser.CCC_SubCompany, AADUser.City, AADUser.CompanyName, AADUser.ConsentProvidedForMinor, AADUser.Country, AADUser.CreationType, AADUser.Department, AADUser.DisplayName, AADUser.EmployeeID, AADUser.ExternalUserState, AADUser.ExternalUserStateChangeDate, AADUser.FaxNumber, AADUser.ForceChangePassword, AADUser.GivenName, AADUser.HireDate, AADUser.Id, AADUser.Identities, AADUser.IdentityType, AADUser.ImAddresses, AADUser.Interests, AADUser.IsGroupAccount, AADUser.IsGroupAccount_DeniedService, AADUser.IsGroupAccount_DirectoryRole, AADUser.IsGroupAccount_Group, AADUser.IsGroupAccount_SubSku, AADUser.IsGroupAccount_UnifiedGroup, AADUser.IsNeverConnectManual, AADUser.IsPrivilegedAccount, AADUser.IsResourceAccount, AADUser.JobTitle, AADUser.LastPasswordChangeDateTime, AADUser.LegalAgeGroupClassification, AADUser.Mail, AADUser.MailNickName, AADUser.MatchPatternForMembership, AADUser.Mobile, AADUser.MySite, AADUser.NeverConnectToPerson, AADUser.ObjectKeyManager, AADUser.OfficeLocation, AADUser.OnPremImmutableId, AADUser.OnPremisesDistinguishedName, AADUser.OnPremisesDomainName, AADUser.OnPremisesExtensionAttribute1, AADUser.OnPremisesExtensionAttribute10, AADUser.OnPremisesExtensionAttribute11, AADUser.OnPremisesExtensionAttribute12, AADUser.OnPremisesExtensionAttribute13, AADUser.OnPremisesExtensionAttribute14, AADUser.OnPremisesExtensionAttribute15, AADUser.OnPremisesExtensionAttribute2, AADUser.OnPremisesExtensionAttribute3, AADUser.OnPremisesExtensionAttribute4, AADUser.OnPremisesExtensionAttribute5, AADUser.OnPremisesExtensionAttribute6, AADUser.OnPremisesExtensionAttribute7, AADUser.OnPremisesExtensionAttribute8, AADUser.OnPremisesExtensionAttribute9, AADUser.OnPremisesSAMAccountName, AADUser.OnPremisesSyncEnabled, AADUser.OnPremisesUserPrincipalName, AADUser.OnPremLastSyncDateTime, AADUser.OnPremSid, AADUser.OtherMails, AADUser.Password, AADUser.PasswordPolicies, AADUser.PastProjects, AADUser.PostalCode, AADUser.PreferredLanguage, AADUser.PreferredName, AADUser.ProxyAddresses, AADUser.Responsibilities, AADUser.RiskIndexCalculated, AADUser.Schools, AADUser.Skills, AADUser.State, AADUser.StreetAddress, AADUser.Surname, AADUser.UID_AADOrganization, AADUser.UID_AADUser, AADUser.UID_AADVerifiedDomain, AADUser.UID_DialogCountryUsage, AADUser.UID_Person, AADUser.UID_TSBAccountDef, AADUser.UID_TSBBehavior, AADUser.UNSDisplay, AADUser.UserPrincipalName, AADUser.UserType, AADUser.XDateInserted, AADUser.XDateUpdated, AADUser.XMarkedForDeletion, AADUser.XObjectKey, AADUser.XTouched, AADUser.XUserInserted, AADUser.XUserUpdated, xxxSelect.XGroupBitPattern as XSelectGroupBitPattern, xxxSelect.XGroupMask as XSelectGroupMask, xxxUpdate.XGroupBitPattern as XUpdateGroupBitPattern, xxxUpdate.XGroupMask as XUpdateGroupMask from AADUser join ( select sum(distinct(x.XGroupBitPattern)) as XGroupBitPattern, 0x4000000000000000000040000800000000 as XGroupMask, XXPrimaryKey1 from( select 6 as XGroupBitPattern, UID_AADUser as XXPrimaryKey1 from AADUser union all select 1 as XGroupBitPattern, UID_AADUser as XXPrimaryKey1 from AADUser where (exists (select top 1 1 from TSB_FTAccountsForPerson ('a6fc257d-d9ac-4dd1-95e1-6b2e519f66da') f where f.ObjectKeyAccount = AADUser.XObjectKey)) ) x group by XXPrimaryKey1 ) xxxSelect on xxxSelect.XXPrimaryKey1 = AADUser.UID_AADUser left outer join ( select sum(distinct(x.XGroupBitPattern)) as XGroupBitPattern, 0x0800000000 as XGroupMask, XXPrimaryKey1 from( select 1 as XGroupBitPattern, UID_AADUser as XXPrimaryKey1 from AADUser where (exists (select top 1 1 from TSB_FTAccountsForPerson ('a6fc257d-d9ac-4dd1-95e1-6b2e519f66da') f where f.ObjectKeyAccount = AADUser.XObjectKey)) ) x group by XXPrimaryKey1 ) xxxUpdate on xxxUpdate.XXPrimaryKey1 = AADUser.UID_AADUser where (AADUser.UID_AADUser = '5f8a7bfa-2369-4fbb-8b87-296aaaafc57c')
2026-03-08 12:51:55.4705 TRACE ( SqlLog ) : -- Connection 1 switched from Working to Available
2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Entity: Run statement and fetch data done in 2ms.
2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Loading single entity done in 3ms.
2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Old state: Loaded, New state: Loaded, PermissionBased
2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Read permission for GivenName is denied because of: Group CanSee
2026-03-08 12:51:55.4705 ERROR ( WebLog ) : An error occurred while processing the request: PUT 1idm.internal.test/.../interactive
System.Exception: An error occurred while processing the request: PUT 1idm.internal.test/.../interactive ---> VI.Base.ViException: Error running script 'OnPropertyChanged_94b28d67_f9fa_4221_b380_9d9fc0e94e16'. ---> VI.Base.ViException: Azure Active Directory user accounts: Viewing permission denied for value "First name".
   at VI.DB.Entities.PermissionsEntityColumnBase._CheckCanSee()
   at VI.DB.Entities.PermissionsEntityColumnBase.GetValue()
   at VI.DB.Entities.EntityBase.GetRaw(String definition)
   at VI.DB.Entities.EntityBase.GetValue(String definition)
   at DynScripts.Parameters_kAhOohW33qHTi9R6SngQx4T8CiHzzM3S.OnPropertyChanged_94b28d67_f9fa_4221_b380_9d9fc0e94e16(DialogParameterSet ParameterSet, DialogParameter Parameter)
   --- End of inner exception stack trace ---
   at VI.DB.Scripting.ScriptRunner.Eval(String key, Object[] parameters)
   at VI.DB.DialogParameter.<>c__DisplayClass99_0.<OnSetValueAsync>b__1(DialogParameter p)
   at VI.DB.DialogParameter.CallBottomToTop(Action`1 action)
   at VI.DB.DialogParameter.OnSetValueAsync(Object value, CancellationToken cancellationToken)
   at VI.Base.Parameter.SetValueAsync(Object value, CancellationToken cancellationToken)
   at QBM.CompositionApi.Data.DialogParameterAdapter.<PutAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at QER.CompositionApi.ITShop.Parameter.CompositeParameterModel.<ApplyAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at QER.CompositionApi.ITShop.CartItemExtendedData.<ApplyAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at QBM.CompositionApi.Handling.Interactive.InteractiveEntityHelper.<GetAndModifyInteractiveEntityAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at QBM.CompositionApi.Handling.WriteInteractiveRouteProvider`1.<<CreateRoutesAsync>b__3_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at QBM.CompositionApi.ApiManager.JsonResponseBuilder.InnerJsonResponseBuilder.<WriteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at QBM.CompositionApi.Compression.CompressionResponseBuilder.CompressedResponse.<WriteAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at QBM.CompositionApi.ApiManager.MethodRequestHandler.<SendAsync>d__12.MoveNext()
   --- End of inner exception stack trace ---
I would have thought that if I had rights to see the Partner in the drop down list, that I would be able to query that table. Perhaps it is not a user permission, but a back-end user permission.
Any idea what permission I would need to tweak / where to even start looking?
PS: I have added to CCCViewPermission role, VI_4_ALL_USER has read permissions on AADUser and AADUser:UID_AADUser.
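Added example, not part of the original post and not One Identity code: a small Python triage script that splits a run-together log like the one quoted above into records and reports each denied column together with the script and table that were in scope. The sample text is a constructed, shortened copy of that log (SQL and stack trace elided), and the function names are this example's own.

```python
import re

# Constructed sample: a shortened copy of the log quoted above, still run
# together on one line the way it was pasted (SQL text and stack trace elided).
SAMPLE = (
    "2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Running script "
    "OnPropertyChanged_94b28d67_f9fa_4221_b380_9d9fc0e94e16 "
    "2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : AADUser: Loading single entity, load type DelayedLogic "
    "2026-03-08 12:51:55.4705 DEBUG ( SqlLog ) : (< 1 ms) - select ... from AADUser ... "
    "2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Old state: Loaded, New state: Loaded, PermissionBased "
    "2026-03-08 12:51:55.4705 DEBUG ( ObjectLog ) : Read permission for GivenName is denied because of: Group CanSee "
    "2026-03-08 12:51:55.4705 ERROR ( WebLog ) : An error occurred while processing the request: ... "
    "---> VI.Base.ViException: Error running script "
    "'OnPropertyChanged_94b28d67_f9fa_4221_b380_9d9fc0e94e16'. "
)

# Record header: timestamp, level, logger name in parentheses, then the message.
HEADER = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\w+)\s+\( (\w+) \) : ")
SCRIPT = re.compile(r"Running script (\S+)")
LOAD = re.compile(r"^(\w+): Loading single entity")
DENIED = re.compile(r"Read permission for (\w+) is denied because of: (.+)")

def split_records(text):
    """Split run-together log text into (timestamp, level, logger, message)."""
    parts = HEADER.split(text)[1:]  # drop anything before the first header
    return [(parts[i], parts[i + 1], parts[i + 2], parts[i + 3].strip())
            for i in range(0, len(parts), 4)]

def permission_denials(text):
    """Return one dict per denied column, with the script and table in scope."""
    script = table = None
    found = []
    for ts, level, logger, msg in split_records(text):
        if logger == "ObjectLog" and (m := SCRIPT.search(msg)):
            script = m.group(1)
        elif m := LOAD.match(msg):
            table = m.group(1)
        elif m := DENIED.search(msg):
            found.append({"time": ts, "script": script, "table": table,
                          "column": m.group(1), "reason": m.group(2)})
    return found

if __name__ == "__main__":
    for denial in permission_denials(SAMPLE):
        print(denial)
```
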