I think the answer your looking for it the a data authorization prefilter.
https://docs.thinkwisesoftware.com/docs/sf/subjects_data#access-control
This is a filter that is assigned to a role that can't be disabled by the user. This way your in control of the data a specific role can access.
Thanks for your response. I think this is what we were looking for!
On further notice, we do have some additional questions.
The data authorization preftiler does work and help with the problem we have, but it does not solve the problem. Therefore, we were wondering if it were possible to limit/ disable a role from accessing the API? In other words, is it possible to turn off the access to the API?
Thanks in advance
Hi Mark, this is not quite possible.
The API is not only directly accessible but is also used by the GUI. So it is not possible to grant access to subjects without granting access to this subject via the API as well.
However, previous generations of GUI’s do not use this API so - If you are not using Universal:
You can set up two applications in IAM that use the same model version and the same database. Give them different application aliases, (e.g. appl_ui and appl_api).
You can grant all the regular access to the UI in appl_ui. And grant only specific roles to specific user groups for the API in appl_api. Ensure the users with access to appl_api do not have any granted menus in this application, just crud rights to entities. This will prevent this application from showing up in the GUI.
You can set up a firewall or routing rules to block all acces to /indicium/iam/appl_ui/
and only allow calls on /indicium/iam/appl_api/
. This way, you can control which entities are available to which users via the api using the regular role-based access control in IAM.
Note that you’ll have to revise this solution if you plan on using Universal.
@Mark Leunissen May I ask why you want to limit this? If users have access to the data through a GUI, why not through other means? (I could come up with some reasons, but curious about your case)
@Anne Buit Isn’t there an easier way to do this? Allowing traffic to Indicium from the (Universal) GUI server location only for instance?
@Arie V We don't have an actual use case at the moment. However, we we're wondering if it were possible since there could be a reason that one would like to limit users from accessing the data through the API.