I’m currently looking into the creation of notes and attachments via a user-authenticated API instance. The first thing I noticed is that users who have been addressed (To’d or Cc’d) in the note do not get SG inbox notifications. From reading other posts, this appears to be a result of event logging being disabled.
With a script-based authentication instance, this was fixed by enabling “Generate Events” on the Script entity itself. Is there any equivalent setting for users?
What are the recommended practices around user vs script authentication for tools that create notes and attachments?
On the user side there are only the inbox, follow and email notification settings.
As for your last question, this likely relies a lot on what your tool runs on.
If it is standalone from Toolkit, your users will need a PAT to log in; if it runs on Toolkit, you get the login and auth for free.
Other than that, there are permissions and impersonation: a script has admin access (by default; you can change it) and you need to make sure to impersonate the user, vs. user auth, where permissions are implicit from the login.
Regarding impersonation, is there another way to do this, other than the user key in the entity data on create()?
The main issue I’m having is with note attachments. There is no way (that I’m aware of) to set the user when uploading an attachment. The end result here is that attachments are showing up attributed to the ApiScript name, rather than the user that submitted the actual note.
sudo_as_login (str) – A user login string for the user whose permissions will be applied to all actions. Event log entries will be generated showing this user performing all actions with an additional extra meta-data parameter sudo_actual_user indicating the script or user that is actually authenticated.
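
An added example (not code from any of the posts above) of the script-plus-impersonation pattern the thread ends on: one script-authenticated handle per submitting user, opened with sudo_as_login, and used for both the note and its attachments. The helper names connect_as and post_note, the site URL and the script name are assumptions; that uploads are attributed to the impersonated user rests on the quoted "all actions" wording and is not confirmed in the thread.

```python
"""Added example: a script-authenticated handle that acts as the note's author."""


def connect_as(login, base_url, script_name, api_key, factory=None):
    """Open a script connection whose actions run with `login`'s permissions.

    Fails closed on an empty login: without sudo_as_login the handle would
    act with the script's own permissions, which are admin by default.
    """
    if not login:
        raise ValueError("refusing to connect without a user to impersonate")
    if factory is None:
        # Real client, imported lazily so a stand-in can be injected for tests.
        import shotgun_api3
        factory = shotgun_api3.Shotgun
    return factory(
        base_url,
        script_name=script_name,
        api_key=api_key,  # load from a secret store, never from source control
        sudo_as_login=login,
    )


def post_note(sg, project_id, subject, body, to_user_ids, attachment_paths=()):
    """Create a Note, then upload its attachments through the same handle."""
    note = sg.create("Note", {
        "project": {"type": "Project", "id": project_id},
        "subject": subject,
        "content": body,
        "addressings_to": [{"type": "HumanUser", "id": uid} for uid in to_user_ids],
    })
    # Same impersonated handle for uploads, so the note and its files are not
    # split between the user and the script (assumption, see lead-in).
    attachment_ids = [sg.upload("Note", note["id"], path) for path in attachment_paths]
    return note["id"], attachment_ids
```

Per the quoted documentation, event log entries for these actions carry sudo_actual_user, so the script that really authenticated remains visible when auditing.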