PAT Requirements for updating a users sg_status_list

During the ID migration I thought I had received some information on how a PAT is required to be configured in order to change a user’s sg_status_list to be ‘Active’, even if you’re using an API key with full permissions, but Google isn’t turning anything up.

Can anyone here help confirm if a PAT needs to be configured for the specific user where the sg_status_list needs to be updated via (API+Script Key) or if a PAT just needs to be configured for any admin who would have permission to change that user’s sg_status_list value? Perhaps I’m mis-remembering and this isn’t actually a requirement.

Hi @saclar

The relevant FAQ point is this one : Help

You will not be able to set the sg_status_list to act using an API Script, even if you use sudo_as_login and try to use that user to activate the user. In order to activate a user (or create a new user in an activated state), you need to connect to ShotGrid with an admin user that has a Personal Access Token set.

Only the transition to an act state is impacted by that constraint.

API Scripts do not use Personal Access Tokens. When using the sudo_as_login, the targeted user does not need a Personal Access Token.


Thank you Patrick

I heard from a colleague that Admins that use Autodesk’s Enterprise SSO to connect are unable to authenticate for use of the ShotGrid API. Are you familiar with this constraint? Are admins no longer able to authenticate as themselves when using a Script Key for API access? Is there any other methodology for an Admin to access the API that would allow them to change a user’s sg_status_list to act?

The reason I’m inquiring is that we have an internal tool which is used to provision and revoke access to software tools and I’m doing some initial exploration on how we’ll use the tool to Create users in SG, Assign/Remove the users to projects, Activate/Disable users, and set permission roles

Hi @saclar

Please have that colleague post the details in this thread. The fact that Enterprise SSO is used with Autodesk Identity has no influence on being able to connect with the API.

The requirements are the same : they need to setup a Personal Access Token.

With the ShotGrid-based SSO, it was indeed not possible to authenticate to ShotGrid with a username/password pair, as ShotGrid could not contact the IdP to validate the credentials. With Autodesk Identity and the use of a Personal Access Token, that is no longer an issue.

I admit at being confused by the sentence Are admins no longer able to authenticate as themselves when using a Script Key for API access. Script Names/API Keys are distinct from users. A script can have admin rights, but it is not a HumanUser. And a HumanUser cannot authenticate with a Script Name/API Key.

From your description, I see 2 options:

  • change the authentication of your internal tool to use a Human User credential to authenticate, so that it can enable/create users, or
  • change your script so that it creates disabled users. Leaving the flipping of the state from inactive to active to one of the site’s ShotGrid admin.