A functional ID system_fh_wm can start or read a job system_fh_wm via command,

system_fh_wm
12/07/2021 10:51:31
CAUAJM_I_50152 Sendevent issued.

  eoid: C1Pz12434546
  job_name: glbone-test
  command: sendevent "-E" "FORCE_STARTJOB" "-J" "glbone-test"

but when the ID tries to read the job via WebServices, there is no error message, and we check the return status, it is 0.

curl -X GET -u "system_fh_wm:PASSWORD" -H "Accept: application/json" -H "Content-Type: application/json" https://waae.ws.prd.cloud1.cibc.com:8443/AEWS/job/glbone-test

C:\Users\hung\Documents\downloads\CIBC-AEWS-User-Guide\userguide-curl>echo %ERRORLEVEL%
0

I start the job via WebService at 11:30am

curl -X POST -u "system_fh_wm:q7GMeJP1k2YXdCb" -H "Accept: application/json" -H "Content-Type: application/json" -d "{\"jobName\": \"glbone-test\"}" https://waae.ws.prd.cloud1.cibc.com:8443/AEWS/event/force-start-job

C:\Users\hung\Documents\downloads\CIBC-AEWS-User-Guide\userguide-curl>echo %ERRORLEVEL%

Check the Job status via command line, the job wasn't started.

I validated the ID, it is in WorkloadAutomationAEWebService group

Release : 11.3.6

Component : CA Workload Automation AE (AutoSys)

If you provide a 
bad job name you should see 404
bad id and/or password 401, 
wrong host or port connection refused or unknown host or lack permissions you should see 403

In this case the client's id lacked permissions to the as-machine policies that were matching the machines for the jobs they were attempting to issue start jobs against.

NOTE - Additionally, the clients webserver was restarted during troubleshooting and that alone allowed the request to pass thru a security check that earlier had failed.
So, the webserver might have also been working off an older cached copy of the policies thus denying access to something that the current policies in EEM were supposed to be granting.