Is it possible to control the content on Developer Portal in Azure API Management based on role user? - azure-api-management

I want to control the content on the Developer Portal in Azure API Management based on the user's role.

We have the RBAC roles in Azure API Management (APIM) for granting permissions such as read-only access to the services and entities of APIM, or managing the developer portal of APIM.
We can even restrict users from the APIM instance's APIs based on the user access control available at the Products and Subscriptions level in the APIM Developer Portal.
Refer to this MSFT Article for more information.

Related

Is there any way to define a "Service Contributor" role per API?

I would like User-A to be able to contribute to API-A but not have access to API-B.
When I look at the Azure APIM Built-in roles (link below) I am noticing that the API Management Service Contributor role is defined for all APIs.
Is it possible to define a "Service Contributor" role per API, as opposed to all APIs?
If not, is there any other technique that helps me achieve the same goal?
AFAIK, you can restrict the user to a specific set of APIs.
1) Through the product level, where you can add the APIs and allow all of those APIs to a specific set of users by keeping the scope level at Product for the users.
1. Created 2 different APIs in the APIM instance, as below:
2. Open the new APIM Developer Portal after adding the APIs and publish the APIM instance > Portal Overview under Developer Portal.
3. In APIM Instance > Products > added a new product "Dotnet6FunctionAPIs" > added the .NET 6 Function App APIs > checked the options "Requires Subscription" and "Requires approval", and then published the product.
4. In APIM Instance > Users > created a user, and in Products > Dotnet6FunctionAPIs product > Access control > allowed access to the Developers group.
5. Log in to the developer portal with the new user's login credentials at https://<apiminstance_name>.portal.azure-api.net/ > Products > Dotnet6FunctionAPIs product > click on Subscribe.
Here the admin can approve the user's access to that product's APIs and can cancel the subscription whenever the admin wants to.
After subscription approval, the user can test the API present in the product.
If you observe here, I have allowed the users (under the Developers group) to the product "Dotnet6FunctionAPIs", which contains only the specific APIs added to it.
This is one of the ways to restrict users from accessing the other APIs: add only specific APIs to the product and give that product access to the users.
Updated Answer:
As Markus said, there are 3 built-in roles in APIM. API Management Service Contributor is for CRUD access to the complete APIM instance (all APIs and operations) and cannot be restricted to specific APIs.
I have looked at the permissions given to the API Management Service Contributor built-in role. Among those permissions, I believe we would need to modify the one at the API policy level, which is:
Write (Access) - Set API policy configuration (Permissions) - Creates or updates policy configuration for the API.
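The product-level restriction that the steps above perform by hand in the portal, expressed as a Bicep template. This is an added example, not code from the answer or from Microsoft; apimName, apiName and productName are placeholder parameters, and the API is assumed to already exist in the instance.

```bicep
// Added example (not from the answer above): product-level API restriction.
// Assumed placeholders: apimName, apiName, productName.
param apimName string
param apiName string                      // API that already exists in the instance
param productName string = 'dotnet6functionapis'

resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apimName
}

// The product requires a subscription AND admin approval, matching the
// "Requires Subscription" / "Requires approval" checkboxes in the portal.
resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {
  parent: apim
  name: productName
  properties: {
    displayName: 'Dotnet6FunctionAPIs'
    description: 'Only the APIs linked to this product are exposed through it.'
    subscriptionRequired: true
    approvalRequired: true
    state: 'published'
  }
}

// Link only the specific API(s) that this set of users may see and call.
resource productApi 'Microsoft.ApiManagement/service/products/apis@2022-08-01' = {
  parent: product
  name: apiName
}

// Grant product visibility to the built-in Developers group
// (Products > Access control in the portal). The built-in Guests group is
// deliberately not linked, so anonymous portal visitors cannot see the product.
resource productDevelopers 'Microsoft.ApiManagement/service/products/groups@2022-08-01' = {
  parent: product
  name: 'developers'
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file <file>.bicep` against the resource group that holds the APIM instance; subscription requests from Developers still land in the admin's approval queue exactly as in the portal walkthrough.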

How to hide my product and API from other developers in centralized shared Azure APIM service instance?

We have a centralized development instance of Azure API Management Service where developers from different agencies/organizations create their products, APIs and subscriptions. Essentially they have the Contributor role on the resource group of the APIM instance. This is a centralized shared APIM instance.
I can probably create a Custom RBAC role that allows me to edit only my API but not sure how to hide my own API and products from others.
Is there a way for developers to hide their Products and API entirely from other developers in Admin portal as well as in Developer portal?
Have you tried implementing the restriction at the product level?
Check your user list.
Create a group by selecting the required members.
Create a product (add the required APIs) -> go to Access control -> add the group (you may remove the Administrators group).

Can I determine if a user is a contract manager?

Is it possible, using the 3-legged authentication workflow, to determine if a user is an Autodesk contract (or software) manager using the OAuth API?
I've noticed the account:read and account:write scopes. Would this allow me to tell if a user is a contract manager?
Unfortunately, the contract info is not part of the Forge platform, and there is currently no API that supports querying such data for this purpose. However, the BIM 360 Account Admin API GET users does report the user role, in these three types:
account_admin: user has BIM 360 account administration access
account_user : normal project user
project_admin: user has Project administration privileges at a service level
And commonly, the contract manager will be the account admin of that BIM 360 account. Therefore, you could use this as a workaround. Hope it helps, cheers!
Note: the Account Admin API only accepts a two-legged access token.

Docusign Integration - Single integration key for multi-tenant application

We're trying to implement a Docusign integration for a multi-tenant cloud application (i.e. https://company1.app.com, https://company2.app.com, etc.).
The goal is to allow the tenant admin (our customer) to upload envelopes containing document templates for users to sign when they first login. Each tenant admin will have their own Docusign account/envelopes.
We've implemented a solution for this; however, it requires each tenant admin to create a separate Integration key and go through the process of promoting it to a live account. This is not scalable for us and some of our tenant admins are not tech people, so they have trouble setting this up.
Is there a way to implement the Docusign integration using a single Integration key (our key), but still have tenant admins login with their own Docusign account and upload their own envelopes?
I think you are building a Docusign User Application. You should use the OAuth2 auth flows instead of creating a separate Integrator key for each tenant.
A user application is a client that authenticates every end user with DocuSign. These applications are typically web services, mobile applications, or desktop programs that authenticate individual users on the DocuSign platform. Once authenticated, users give consent for the application to display, send, or sign envelopes from their account. For user applications the OAuth2 auth flows are recommended.
A key issue that you may be missing is that your Integration Key works with any account. It is associated with your account just to manage it.
So as CodingDawg says, each of your customers can use your app by logging in with their own user credentials for their own account.

Can I get the Enterprise Settings via the REST API?

My Enterprise Account in Box has some Enterprise settings, like the password policy. Can I retrieve those settings using the REST API?
Currently you can only get the settings for each individual user, not general enterprise settings:
http://developers.box.com/docs/#users-get-the-current-users-information-2