  1. Jira Service Management Cloud
  2. JSDCLOUD-12605

When using the Assets REST API, if a user does not have a Jira Service Management license the server returns an HTTP 401 instead of a 403 error

Details

    Description

      Issue Summary

      This was specifically tested with the Jira Service Management Assets Cloud REST API Post object navlist aql endpoint; however, other endpoints may be impacted.

      In order to interact with Assets via the REST API, a user needs to have a Jira Service Management license. However, in this case an incorrect error code is returned.

      HTTP 401 Unauthorized should be used when the authentication with the server fails (reference Mozilla documentation on 401 errors).

      HTTP 403 Forbidden should be returned if the user's credentials (in this context email address and Atlassian API token) have been authenticated but the user does not have permission to make the request, for example because they do not have a license (reference Mozilla documentation on 403 errors).

      Steps to Reproduce

      1. Create an Assets Schema and configure a test Object Type and Object within the Schema
      2. Create an Atlassian API token (see instructions on how to do this) for an account
      3. Revoke or ensure the user does not have a Jira Service Management license
      4. Following the documentation for retrieving Objects via an AQL query (https://developer.atlassian.com/cloud/assets/rest/api-group-object/#api-object-navlist-aql-post), post a request to Assets

      Expected Results

      Since in the above scenario the user does not have a Jira Service Management license, I'd expect an HTTP 403 response to be returned, indicating the authentication worked but they did not have permission to access Assets over the REST API.

      Actual Results

      An HTTP 401 response is returned instead. This can lead to confusion when troubleshooting issues with accessing Assets via the REST API.

      Workaround

      Ensuring the user has the necessary license and Assets roles should mitigate permission issues when working with the REST API.
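
The 401/403 distinction described in the Issue Summary, as an added example that is not part of the original report and not Atlassian's code: a minimal Python model of a license-gated endpoint that answers 401 only when the credentials fail and 403 when an authenticated user lacks the license. The account store, the `jsm_license` flag and the function names are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample accounts (not real): API token and license state per email.
# "jsm_license" is a hypothetical flag used only in this example.
USERS = {
    "licensed@example.com": {"token": "tok-licensed", "jsm_license": True},
    "unlicensed@example.com": {"token": "tok-unlicensed", "jsm_license": False},
}


def authenticate(headers):
    """Return the account email if the Basic credentials are valid, else None."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    email, sep, token = decoded.partition(":")
    user = USERS.get(email)
    if not sep or user is None:
        return None
    # Constant-time comparison so the check does not leak token prefixes.
    if not hmac.compare_digest(token.encode(), user["token"].encode()):
        return None
    return email


def handle_request(headers):
    """Return (status, response_headers) for a request to a license-gated API."""
    email = authenticate(headers)
    if email is None:
        # 401: identity not established, so the response carries a challenge.
        return 401, {"WWW-Authenticate": 'Basic realm="assets-example"'}
    if not USERS[email]["jsm_license"]:
        # 403: identity established but access refused; resending the same
        # credentials will not change the outcome.
        return 403, {}
    return 200, {}


def basic(email, token):
    """Build an Authorization header for the constructed accounts above."""
    raw = f"{email}:{token}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
```

Keeping the license check after, and separate from, the credential check is what lets a client tell "fix your token" apart from "ask an admin for access".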

            People

              Justin King
              Andras M.
              Votes: 0
              Watchers: 3