I wrote an expression plug-in that returns a writer. Every thing has worked fin

Whenever you get an authorization error this log is the key to find out the root cause. Your log shows the following:

test.ccat.submitter,hybrid-service,com.appiancorp.suiteapi.type.TypeService.select,DENIED,,userRoles=[app-user]; rolesAllowingAction=[designer]

This indicates your user test.ccat.submitter is trying to invoke an API method com.appiancorp.suiteapi.type.TypeService.select() which cannot be executed when the user is only an Application User but not a Designer

Two solutions:

1. Re-design the plug-in so it doesn't use TypeService.select()
2. Or use an administrator context just for this particular call (TypeService.select()). The administrator user can be a service account passed via constant to your plug-in.

Whenever you get an authorization error this log is the key to find out the root cause. Your log shows the following:

test.ccat.submitter,hybrid-service,com.appiancorp.suiteapi.type.TypeService.select,DENIED,,userRoles=[app-user]; rolesAllowingAction=[designer]

This indicates your user test.ccat.submitter is trying to invoke an API method com.appiancorp.suiteapi.type.TypeService.select() which cannot be executed when the user is only an Application User but not a Designer

Two solutions:

1. Re-design the plug-in so it doesn't use TypeService.select()
2. Or use an administrator context just for this particular call (TypeService.select()). The administrator user can be a service account passed via constant to your plug-in.