3 followers Follow

Permissions for API user

Is there a minimum set of permissions/data access associated with API access for an integration user and is it different to what that user can see via the UI?

I am trying to create an integration user that only has access to a limited set of test data (using API keys for authentication) but when I test what projects this users can see via an API call and API key (data/entityQuery) they can see more projects than I see if I log in to the application as that user and search for all projects (we are using enhanced permissions).

I saw the recommendation that Integration users with API keys should have Admin Lite but assumed that was so various API operations would not fail unexpectedly due to lack of permissions. Seems odd that the Integration user would be able to access more data via the API than the UI

James Crollie

Please sign in to leave a comment.



Hi Josh

The use case is to limit the data the API user can see using permissions (we are using enhanced permissions and user groups to manage who can see what). The plan was to do this both during development so the developers can only see test data in sandbox and in production as a secondary control on what data is made available by the API. The API user is being used as part of an API integration to send Clarizen data to our data lake for integrated reporting.

James Crollie 0 votes
Comment actions Permalink

Hi James,

Could you please provide the body and the headers (excluding any keys) you're using to make the API call?

Thank you,


Roland Pumputis 0 votes
Comment actions Permalink

Hi Roland

For a bunch of reasons i am having to use VBA to test this so tricky to reproduce the exact call but the code is below. The result of this was a list of projects including projects the API user did not have permissions to view in the UI

Sub GetSecretProject()

Dim objRequest As Object
Dim strUrl As String
Dim blnAsync As Boolean
Dim strResponse As StringSet objRequest = CreateObject("MSXML2.XMLHTTP")
strUrl = ""
blnAsync = True

With objRequest
.Open "GET", strUrl, blnAsync
.setRequestHeader "Content-Type", "application/json"
.setRequestHeader "Authorization", "ApiKey XXXX-EnterKeyHere-XXXX"
.setRequestHeader "typeName", "Project"
.setRequestHeader "fields", "Name"
'spin wheels whilst waiting for response
While objRequest.readyState <> 4
strResponse = .responseText
End With

Debug.Print strResponse

End Sub


James Crollie 0 votes
Comment actions Permalink