Service level ACL issue for child service


I have a requirement to invoke a flow service from an application using user credentials.The main service is using pub.remote:invoke as child service.
I have created a user, group & custom ACL and added the user to the group and group to the custom ACL. Also I have assigned the custom ACL as Execute ACL to main service.
When I am running the service from browser it is throwing access denied error while trying to invoke the child service pub.remote:invoke.
The service works fine if I add the user to Administrator group. But then the user is having Admin access.

Is there any way I can provide only service level access to execute this service?

Hello Rajesh,

What is Execute ACL set for remote server alias which you are using in pub.remote:incoke?
I believe it is Administrator. Can you please check once ?

You need to change that also.


For the Remote Server Alias you should select ACL Internal.

Additionally you should check if the service pub.remote:invoke is in the allowed services list of the selected port.


Thanks for the reply guys.

@Yogesh: I have tried changing the Execute ACL for remote server alias to Internal but still I am getting same error.

@Holger: I am invoking the service from primary port where Access mode is Allow for all services and folder.

I think I am able to invoke main service because the customuser is part of customgroup and apparently customACL. The Execute ACL on main service is customACL so it is working if I use any service other than pub.remote:invoke.
In case the child service is pub.remote:invoke it needs user to be part of Internal or Administrator ACL.
TestCase.docx (341 KB)