I wrote an expression plug-in that returns a writer. Every thing has worked fin

Whenever you get an authorization error this log is the key to find out the root cause. Your log shows the following:

test.ccat.submitter,hybrid-service,com.appiancorp.suiteapi.type.TypeService.select,DENIED,,userRoles=[app-user]; rolesAllowingAction=[designer]

This indicates your user test.ccat.submitter is trying to invoke an API method com.appiancorp.suiteapi.type.TypeService.select() which cannot be executed when the user is only an Application User but not a Designer

Two solutions:

1. Re-design the plug-in so it doesn't use TypeService.select()
2. Or use an administrator context just for this particular call (TypeService.select()). The administrator user can be a service account passed via constant to your plug-in.

Note that for security reasons some API calls are restricted to Designers.

I can use secure credential store to pass the administrator user. But can you tell me how to force the administrator context instead of logged in user context ?

well I have to check if expression plugin can inject SecureCredentialStore

You don't need any credentials just the username:

ServiceContext myOtherAdminUserServiceContext= ServiceContextFactory.getServiceContext(myOtherAdminUser);
m_typeSvc = ServiceLocator.getTypeService(myOtherAdminUserServiceContext)
m_typeSvc


TypedValue oneCDTValue = m_typeSvc.select(m_mainCDTValue,                                                            cdtIndexList);

thanks a lot - this is a great learning today.

Happy to help. Hopefully that's the only API call that's failing.

Edurado - now I removed the basic user from Designers and everything is working as usual for basic user. Once again, thanks a lot.

Great news!