[OPENAM-15432] Oath User Devices endpoint not accessible for delegated admin Created: 12/Sep/19  Updated: 03/Apr/20  Resolved: 21/Oct/19

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 5.5.2, 7.0.0, 6.5.3
Fix Version/s: 5.5.2, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Robert Matthews Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is related to OPENAM-15849 An admin cannot DELETE 2fa devices ow... Resolved
Sprint: AM Sustaining Sprint 67, AM Sustaining Sprint 68
Story Points: 3
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same as in the description


Bug description

When using a delegated admin (full realm privileges), the devices/2fa/oath endpoint cannot be used: a 403 unauthorized error is returned. This worked on 6.5.2 but not on

How to reproduce the issue

  1. Setup a default AM
  2. Create a new group called admins with Realm admin privileges
  3. Create a new user and add them to the above group
  4. Login with the new user and, using the API explorer, try to use the /users/devices/2fa/oath/ GET and query the demo user, or use a curl request -

curl -X GET "" -H "accept: application/json" -H "Accept-API-Version: resource=1.0" -H "X-Requested-With: SwaggerUI"

Expected behaviour
Returns devices
Current behaviour
403 forbidden, User not authorized

Comment by Ľubomír Mlích [ 03/Apr/20 ]

Reproduced in ForgeRock Access Management 5.5.2-RC3 Build 1becae3423 (2020-March-13 17:54) 

Verified as fixed in ForgeRock Access Management 5.5.2-RC4 Build 78cbe17649 (2020-April-02 16:06) 

Generated at Wed Nov 25 08:16:49 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.