Solved

How to limit API access


Userlevel 4
Badge +1

Hi all,


Is it possible to limit the access to OData API apart from the rights (insert/copy/delete/update) on a table given in the SF? 

Since we do not want every user /  user group to have access to the OData API, we would like to limit certain users / user groups. 


Thanks in advance.


Best answer by Bas 7 June 2022, 08:51


6 replies

Userlevel 1
Badge +3

I think the answer you're looking for is the data authorization prefilter.

https://docs.thinkwisesoftware.com/docs/sf/subjects_data#access-control

This is a filter that is assigned to a role that can't be disabled by the user. This way you're in control of the data a specific role can access.

Userlevel 4
Badge +1

Thanks for your response. I think this is what we were looking for!

Userlevel 4
Badge +1

On further notice, we do have some additional questions.

The data authorization prefilter does work and helps with the problem we have, but it does not solve the problem. Therefore, we were wondering if it were possible to limit/disable a role from accessing the API? In other words, is it possible to turn off the access to the API?


Thanks in advance

Userlevel 7
Badge +5

Hi Mark, this is not quite possible.

The API is not only directly accessible but is also used by the GUI. So it is not possible to grant access to subjects without granting access to those subjects via the API as well.

However, previous generations of GUIs do not use this API, so if you are not using Universal:

You can set up two applications in IAM that use the same model version and the same database. Give them different application aliases (e.g. appl_ui and appl_api).

You can grant all the regular access to the UI in appl_ui, and grant only specific roles to specific user groups for the API in appl_api. Ensure the users with access to appl_api do not have any granted menus in this application, just CRUD rights to entities. This will prevent this application from showing up in the GUI.

You can set up a firewall or routing rules to block all access to /indicium/iam/appl_ui/ and only allow calls on /indicium/iam/appl_api/. This way, you can control which entities are available to which users via the API using the regular role-based access control in IAM.

Note that you’ll have to revise this solution if you plan on using Universal.
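As an added illustration of the routing rules described in this answer (example configuration written for this thread, not Thinkwise's own or the answer author's), the following nginx reverse-proxy configuration sits in front of Indicium and refuses every request to the appl_ui alias while letting only an allow-listed network reach the appl_api alias. The host name, the upstream address 127.0.0.1:8080 and the network 203.0.113.0/24 are placeholders; the two path prefixes are the ones from the answer above.

```nginx
# Added example, not Thinkwise configuration. Assumptions (placeholders):
#   - Indicium listens on 127.0.0.1:8080 and is reachable only through this proxy
#   - IAM application aliases are appl_ui and appl_api, as in the answer above
#   - 203.0.113.0/24 is the network of the systems that may use the OData API
server {
    listen 443 ssl;
    server_name indicium.example.com;        # placeholder host name
    # ssl_certificate / ssl_certificate_key: your own certificate goes here

    # appl_ui is served by the older (non-Universal) GUIs, which do not use
    # Indicium at all, so the API endpoints of this alias are blocked for everyone.
    location /indicium/iam/appl_ui/ {
        deny all;                            # answers 403 to every client
    }

    # appl_api carries only the roles granted for API use in IAM. Restrict it
    # to the allow-listed network; IAM's role-based rights decide the rest.
    location /indicium/iam/appl_api/ {
        allow 203.0.113.0/24;                # placeholder API consumer network
        deny all;
        proxy_pass http://127.0.0.1:8080;    # placeholder Indicium upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Any other alias or path under Indicium is refused as well, so a client
    # cannot reach an application simply by guessing a different alias.
    location /indicium/ {
        return 403;
    }
}
```

The rule only holds if Indicium itself is not reachable around the proxy: bind it to the loopback interface or firewall its port so that the only route to /indicium/ is through this server. Note that nginx prefix locations are case-sensitive, so the aliases must be written exactly as IAM exposes them in the URL.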

Userlevel 6
Badge +10

@Mark Leunissen May I ask why you want to limit this? If users have access to the data through a GUI, why not through other means? (I could come up with some reasons, but curious about your case)

@Anne Buit Isn’t there an easier way to do this? Allowing traffic to Indicium from the (Universal) GUI server location only for instance?

Userlevel 4
Badge +1

@Arie V We don't have an actual use case at the moment. However, we were wondering if it were possible since there could be a reason that one would like to limit users from accessing the data through the API.