Solved

How to limit API access


Mark Leunissen
Captain

Hi all,

 

Is it possible to limit the access to OData API apart from the rights (insert/copy/delete/update) on a table given in the SF? 

Since we do not want every user /  user group to have access to the OData API, we would like to limit certain users / user groups. 

 

Thanks in advance.

Best answer by Bas


6 replies

Bas
Vanguard
  • 19 replies
  • Answer
  • June 7, 2022

I think the answer you're looking for is a data authorization prefilter.

https://docs.thinkwisesoftware.com/docs/sf/subjects_data#access-control

This is a filter that is assigned to a role and that can't be disabled by the user. This way you're in control of the data a specific role can access.


Mark Leunissen
Captain

Thanks for your response. I think this is what we were looking for!


Mark Leunissen
Captain

On further notice, we do have some additional questions.

The data authorization prefilter does work and helps with the problem we have, but it does not solve the problem. Therefore, we were wondering if it is possible to limit/disable a role from accessing the API? In other words, is it possible to turn off access to the API?

 

Thanks in advance


Anne Buit
Community Manager
  • 638 replies
  • July 8, 2022

Hi Mark, this is not quite possible.

The API is not only directly accessible but is also used by the GUI. So it is not possible to grant access to subjects without granting access to this subject via the API as well.

However, previous generations of GUIs do not use this API, so, if you are not using Universal:

You can set up two applications in IAM that use the same model version and the same database. Give them different application aliases (e.g. appl_ui and appl_api).

You can grant all the regular access to the UI in appl_ui, and grant only specific roles to specific user groups for the API in appl_api. Ensure the users with access to appl_api do not have any granted menus in this application, just CRUD rights to entities. This will prevent this application from showing up in the GUI.

You can set up a firewall or routing rules to block all access to /indicium/iam/appl_ui/ and only allow calls on /indicium/iam/appl_api/. This way, you can control which entities are available to which users via the API using the regular role-based access control in IAM.

Note that you’ll have to revise this solution if you plan on using Universal.
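The routing rule from the reply above, written out as an added example that is not from the thread or from Thinkwise's own documentation: an nginx reverse proxy in front of Indicium that exposes only the appl_api alias to the network, and restricts the appl_ui alias to the source address of the GUI server (the variant Arie suggests in the next reply). The upstream address 127.0.0.1:8080, the GUI server address 10.0.5.20, the hostname and the two application aliases are assumptions for the example.

```nginx
# Added example, not part of the thread or of the Thinkwise product.
# Assumptions (hypothetical): Indicium listens on 127.0.0.1:8080 behind this
# nginx; the only client that needs the GUI application "appl_ui" is the GUI
# server at 10.0.5.20; the API application alias is "appl_api".

upstream indicium {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name indicium.example.internal;   # hypothetical
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Weak version (commented out): a case-sensitive prefix match.
    # ASP.NET Core routing is case-insensitive, so a request for
    # /Indicium/IAM/APPL_UI/... would not match this location and
    # would fall through to the catch-all below, reaching the UI alias.
    #
    # location /indicium/iam/appl_ui/ { deny all; }

    # Corrected: case-insensitive regex (~*), source-IP allowlist for
    # the GUI server, everything else denied. nginx evaluates allow/deny
    # before proxying, regardless of directive order.
    location ~* ^/indicium/iam/appl_ui/ {
        allow 10.0.5.20;
        deny  all;
        proxy_pass http://indicium;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # API alias: reachable from anywhere; which entities each user can
    # touch is decided by the role assignments in IAM, not by nginx.
    location ~* ^/indicium/iam/appl_api/ {
        proxy_pass http://indicium;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Any other IAM application alias is not exposed at all.
    # Regex locations are tried in order, so this catches only what the
    # two rules above did not match.
    location ~* ^/indicium/iam/ {
        return 404;
    }

    # Remaining Indicium endpoints are passed through unchanged; verify
    # against your own deployment which of them the API clients need.
    location /indicium/ {
        proxy_pass http://indicium;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two checks before relying on this: first, `allow`/`deny` act on the TCP source address, so if another proxy or load balancer sits in front of nginx every request will appear to come from that hop and the allowlist must be moved there (or nginx configured with the real_ip module to trust its X-Forwarded-For header); second, test the rules with the request variants an attacker would try (mixed case, a percent-encoded slash, a double slash after the alias) and confirm each one is refused, because nginx and Indicium do not necessarily normalize a path the same way.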


Arie V
Community Manager
  • 992 replies
  • July 8, 2022

@Mark Leunissen May I ask why you want to limit this? If users have access to the data through a GUI, why not through other means? (I could come up with some reasons, but curious about your case)

@Anne Buit Isn’t there an easier way to do this? Allowing traffic to Indicium from the (Universal) GUI server location only for instance?


Mark Leunissen
Captain

@Arie V We don't have an actual use case at the moment. However, we were wondering if it is possible, since there could be a reason that one would like to limit users from accessing the data through the API.

