I'm new, so apologies if any of this is annoying or in the wrong place. I'm working on a case management application for a non profit that works with the public. I'm using a nuxt front end that is using an espo installations API for case management via an express application acting as a mediator/message broker. I have a single api user set (in espo) 'gjl-csp-api', using a role that has all access ticked to maximum, though importantly it appears the create permission on the User entity is not available, even when I am authenticated as the Admin user in the EspoCRM front end (image attached). Express is using gjl-csp-api's api key and signing all requests using the HMAC method.

I have been able to invoke Create/Read/Update (Put) on the Client, Case, and Note entities (and Linking) through the espo api from express just fine, however I am getting 403 forbidden on User/Create, which I would expect since I can't apparently grant that permission in roles. I'm posting here because this thread seems to indicate that it is possible to create users via the espo API provided the POST payload is appropriate/correct. The other entities I've interacted with through the API so far return a 400 Bad Request when the post payload is missing something so that doesn't seem to be the problem in my case.

Is there a configuration option for Espo to allow user creation via api? (I'm actually going to hunt for that next).

I'm assuming I would create a new User entity via the Create endpoint like any other entity according to the docs (https://docs.espocrm.com/development/api/crud/) so that's the endpoint I'm trying to use here, Is this the correct endpoint to Create a new User using the espo API?

fwiw here's the relevant code I'm using to interface with espos api(node/express).

// espoApiFactory

const espoApiFactory = async (method, action) => {
method = method.toUpperCase();

return new Promise((resolve, reject) => {
try {
// Ensure action does not start with '/'
if (action.startsWith('/')) {
action = action.substring(1);
}

let requestURI = "/" + action;
requestURI = encodeURI(requestURI);

var string = method + ' ' + requestURI;

var b2 = createHmac('sha256', process.env.ESPO_API_SECRET)
.update(string)
.digest();

var b1 = Buffer.from(process.env.ESPO_API_KEY + ':');
var sig = Buffer.concat([b1, b2]).toString('base64');

axiosInst = axios.create({
baseURL: process.env.ESPO_BASE,
headers: {
"X-Hmac-Authorization": ' ' + sig,
"Content-Type": "application/json"
},
httpsAgent: new https.Agent({ keepAlive: true }),
})

axiosRetry(axiosInst, { retries: 3 });

resolve(axiosInst);

} catch (err) {
reject(err.message);
}
});
}​


// request
const axiosInst = await espoApiFactory("POST", "User");
axiosInst.post("User", {
userName: newUserProfile.username,
firstName: newUserProfile.firstName,
lastName: newUserProfile.lastName,
createdAt: format(new Date(), 'yyyy-MM-dd'),
emailAddress: newUserProfile.emails?.length ? newUserProfile.emails[0].value : ""
}).then(async response => { ...

​Thanks!