Limit access to the API

Hey.

I want to limit the access to the API by having one service account (system user) only executing one set of scripts and another service account executing another set of scripts. Neither service account should be able to execute the other set of scripts.

I've created two new program functions and two permission groups and assigned my two users to different permission groups.

If I try to do this internally (logged in to the AppServer and executing the script) and externally (from ServiceNow), they both get "You are not allowed to use that feature."

Please help!

Henrik

  • I'm gonna try asking this question a third time:

    Is there a way to limit the access to the API?

    @mekindad

  • Markus's solution works....

    • I created 2 x Scripts (CCC_TestScript_A and CCC_TestScript_B) both with a single public function:

    ' Script CCC_TestScript_A exposes a single public function; CCC_TestScript_B is built the same way
    Public Function CCC_TestScriptA () As String
        Return "This is CCC_TestScriptA"
    End Function

    • I created 2 x Groups (CCC_TestAPIGroup_A and CCC_TestAPIGroup_B)
    • I added the 2 Groups to the Common_StartScripts program function
    • I created 2 x Program Functions (CCC_TestFunction_A and CCC_TestFunction_B)
    • I added each associated Group to its Program Function (i.e. CCC_TestAPI_Group_A => CCC_TestFunction_A)
    • I added each associated Script to its Program Function (i.e. CCC_TestScript_A => CCC_TestFunction_A)
    • I created 2 x system users (cccAPIUserA and cccAPIUserB)
    • I added each user to its associated group (i.e. cccAPIUserA => CCC_TestAPI_Group_A)

    Then I ran this PowerShell to validate the security:

    # Log in to the AppServer as the first system user (DialogUser module) and keep the session cookie
    $authdata = @{AuthString="Module=DialogUser;User=cccAPIUserA;Password=******"}
    $authJson = ConvertTo-Json $authdata -Depth 2
    
    Invoke-RestMethod -Uri "https://******/AppServer/auth/apphost" -Body $authJson.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable wsession
    
    # Script calls take an (empty) JSON parameter object in the PUT body
    $body = @{} | ConvertTo-Json
    
    # 1. Script assigned to this user's group: expected to succeed
    $result = (Invoke-RestMethod -Uri "https://******/AppServer/api/script/CCC_TestScriptA" -WebSession $wsession -Method Put -Body $body -ContentType application/json).result
    Write-Host $result.ToString()
    Clear-Variable result
    
    # 2. Script assigned to the other group: expected to be refused
    $result = (Invoke-RestMethod -Uri "https://******/AppServer/api/script/CCC_TestScriptB" -WebSession $wsession -Method Put -Body $body -ContentType application/json).result
    Write-Host $result.ToString()
    Clear-Variable result
    
    # 3. Standard script not assigned to either program function: expected to be refused
    $result = (Invoke-RestMethod -Uri "https://******/AppServer/api/script/QER_GetWebBaseURL" -WebSession $wsession -Method Put -Body $body -ContentType application/json).result
    Write-Host $result.ToString()
    Clear-Variable result
    
    # End the session
    Invoke-RestMethod -Uri "https://******/AppServer/auth/logout" -WebSession $wsession -Method Post

    I correctly received:

    1. This is CCC_TestScriptA
    2. Invoke-RestMethod : {"responseStatus":{"message":"You are not authorized to run this method."},"errorString":"You are not authorized to run this method.","exceptions":[{"number":810323,"message":"You are not authorized to run this method."}]}
    3. Invoke-RestMethod : {"responseStatus":{"message":"You are not authorized to run this method."},"errorString":"You are not authorized to run this method.","exceptions":[{"number":810323,"message":"You are not authorized to run this method."}]}

    Showing that it doesn't have access to every script function (e.g. QER_GetWebBaseURL) but only the one assigned to it through the group (i.e. CCC_TestScriptA)
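The PowerShell above checks one user against three scripts by hand. The following is an added example, not code from the post above or from One Identity, that turns the same check into a repeatable least-privilege matrix test: for every system user it logs in with the same AuthString format and the same /auth/apphost, /api/script/<name> and /auth/logout endpoints the post uses, calls every script in the list, and compares the outcome with the expected assignment. The base URL is a placeholder, passwords are read interactively, and it assumes the AppServer keeps returning the "not authorized" JSON error body (error 810323 in the post) for refused calls, which Invoke-RestMethod exposes in ErrorDetails.

```powershell
# Added example (not from the original post or from One Identity). Assumes the
# AppServer endpoints shown in the post; host name and user names are placeholders.
$BaseUrl = "https://APPSERVER-HOST/AppServer"   # placeholder, replace with your AppServer URL

# Expected least-privilege matrix: which script each system user may run.
# Every other (user, script) pair is expected to be denied.
$Expected = @{
    "cccAPIUserA" = @("CCC_TestScriptA")
    "cccAPIUserB" = @("CCC_TestScriptB")
}
$Scripts = @("CCC_TestScriptA", "CCC_TestScriptB", "QER_GetWebBaseURL")

function Connect-AppServer {
    param([string]$User, [string]$Password)
    # Same AuthString format as the post (DialogUser module); the session cookie is kept in $session
    $auth = @{ AuthString = "Module=DialogUser;User=$User;Password=$Password" } | ConvertTo-Json -Depth 2
    Invoke-RestMethod -Uri "$BaseUrl/auth/apphost" -Method Post -Body $auth `
        -ContentType "application/json" -Headers @{ Accept = "application/json" } `
        -UseDefaultCredentials -SessionVariable session | Out-Null
    return $session
}

function Test-ScriptAccess {
    param($Session, [string]$ScriptName)
    try {
        # Empty JSON parameter object, as in the post
        $null = Invoke-RestMethod -Uri "$BaseUrl/api/script/$ScriptName" -WebSession $Session `
            -Method Put -Body (@{} | ConvertTo-Json) -ContentType "application/json"
        return "allowed"
    } catch {
        # The AppServer's JSON error body ("You are not authorized to run this method.") is in ErrorDetails
        if ($_.ErrorDetails.Message -match "not authorized") { return "denied" }
        throw   # anything else (network error, failed login) is not an authorization result
    }
}

$Failures = @()
foreach ($User in $Expected.Keys) {
    $secure = Read-Host -Prompt "Password for $User" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new("", $secure).Password
    $s = Connect-AppServer -User $User -Password $plain
    foreach ($ScriptName in $Scripts) {
        $want = if ($Expected[$User] -contains $ScriptName) { "allowed" } else { "denied" }
        $got  = Test-ScriptAccess -Session $s -ScriptName $ScriptName
        "{0,-12} {1,-20} expected={2,-7} got={3}" -f $User, $ScriptName, $want, $got
        if ($got -ne $want) { $Failures += "$User/$ScriptName" }
    }
    Invoke-RestMethod -Uri "$BaseUrl/auth/logout" -WebSession $s -Method Post | Out-Null
}

if ($Failures) { Write-Error "Authorization matrix mismatch: $($Failures -join ', ')" } else { "Authorization matrix OK" }
```

Because an unexpected "allowed" is reported as a failure, the script also catches the case where a group was later given too much (for example a script added to the wrong program function), which a single manual call would not show.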

  • Thanks for taking the time for this, Ben!

  • Thanks Ben!

    What I had forgotten was that each permission group also needed to have the Common_StartScripts program function.

    The thing to consider however is that depending on what the actual script then does, you also need to give that permission group View/Edit/Insert rights for all columns in the respective tables that the actual script works with.

    And giving that permission to Insert and Edit because of the script means that "regular" API calls (i.e. /entity/Person/..) will be allowed for that system user.

  • So, it is okay to change an object via a script but not directly? Sounds weird to me.

    If you want to ensure that you can only call a script, and assuming that you do not need any result, you could fire events in your scripts using a parameter collection to update the objects via the Job Service instead of directly in the script.
