Permissions for API user

Is there a minimum set of permissions/data access associated with API access for an integration user and is it different to what that user can see via the UI?

I am trying to create an integration user that only has access to a limited set of test data (using API keys for authentication), but when I test what projects this user can see via an API call and API key (data/entityQuery), they can see more projects than I see if I log in to the application as that user and search for all projects (we are using enhanced permissions).

I saw the recommendation that integration users with API keys should have Admin Lite, but assumed that was so various API operations would not fail unexpectedly due to lack of permissions. It seems odd that the integration user would be able to access more data via the API than the UI.

James Crollie Answered


5 comments


Hi Josh

The use case is to limit the data the API user can see using permissions (we are using enhanced permissions and user groups to manage who can see what). The plan was to do this both during development so the developers can only see test data in sandbox and in production as a secondary control on what data is made available by the API. The API user is being used as part of an API integration to send Clarizen data to our data lake for integrated reporting.

James Crollie 0 votes

Hi James,

Could you please provide the body and the headers (excluding any keys) you're using to make the API call?

Thank you,

Roland

Roland Pumputis 0 votes

Hi Roland

For a bunch of reasons I am having to use VBA to test this, so it is tricky to reproduce the exact call, but the code is below. The result of this was a list of projects, including projects the API user did not have permission to view in the UI.

Sub GetSecretProject()

    Dim objRequest As Object
    Dim strUrl As String
    Dim blnAsync As Boolean
    Dim strResponse As String

    ' Late-bound XMLHTTP object so no reference to MSXML is needed
    Set objRequest = CreateObject("MSXML2.XMLHTTP")
    strUrl = "https://apie.clarizentb.com/v2.0/services/data/entityQuery"
    blnAsync = True

    With objRequest
        .Open "GET", strUrl, blnAsync
        .setRequestHeader "Content-Type", "application/json"
        ' API key of the integration user; never commit the real key
        .setRequestHeader "Authorization", "ApiKey XXXX-EnterKeyHere-XXXX"
        ' Entity type and fields requested from entityQuery
        .setRequestHeader "typeName", "Project"
        .setRequestHeader "fields", "Name"
        .send
        ' Spin wheels whilst waiting for the response (readyState 4 = complete)
        While objRequest.readyState <> 4
            DoEvents
        Wend
        strResponse = .responseText
    End With

    ' Dump the raw JSON to the Immediate window for inspection
    Debug.Print strResponse

End Sub


James Crollie 0 votes

Hello James,

I've investigated this and found that only the name of projects where I did not have permissions was returned. Other fields were not returned. 

I've discussed this with our R&D Team and they said that this is controlled by a setting on the back-end. We've enabled the setting for your organization now and you should not be able to receive even the name field if you don't have the right permissions. You will still be able to receive the ID.

This is what it should look like: 

I hope this helps.

Roland

Roland Pumputis 0 votes
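The thread ends with the expectation that, once the back-end setting is enabled, records the integration user is not permitted to see come back with only their ID and no other fields. A defender setting up such an integration will want to verify that regularly rather than trust it once. The script below is an added example, not code from the thread or from Clarizen: it takes an entityQuery-style response body and a list of record IDs the integration user is allowed to see, and reports any record outside that list that carries anything beyond an `id`. The response shape (an `entities` array of objects with `id` plus requested fields) and all the sample IDs and names are constructed assumptions, not captured from a real tenant.

```python
"""Check an entityQuery-style response for over-exposed fields.

Added example (not from the support thread). Assumed response shape:
{"entities": [{"id": ..., "<field>": ...}, ...], "paging": {...}}.
"""
import json

# Constructed sample response. One hidden project still exposes its Name
# (the behaviour the thread describes before the setting was enabled);
# another hidden project exposes only its id (the expected behaviour after).
SAMPLE_RESPONSE = json.dumps({
    "entities": [
        {"id": "/Project/ALLOWED-1", "Name": "Test Project A"},
        {"id": "/Project/ALLOWED-2", "Name": "Test Project B"},
        {"id": "/Project/HIDDEN-9", "Name": "Confidential Project"},
        {"id": "/Project/HIDDEN-10"},
    ],
    "paging": {"hasMore": False},
})

# Constructed: record ids the integration user is expected to be able to see
# (in practice, taken from a UI search performed while logged in as that user).
PERMITTED_IDS = {"/Project/ALLOWED-1", "/Project/ALLOWED-2"}


def find_overexposed(response_text, permitted_ids):
    """Return {record_id: [fields]} for records outside permitted_ids that
    carry any field other than 'id'. An empty dict means only ids leaked."""
    data = json.loads(response_text)
    leaks = {}
    for entity in data.get("entities", []):
        record_id = entity.get("id")
        if record_id in permitted_ids:
            continue
        extra_fields = sorted(key for key in entity if key != "id")
        if extra_fields:
            leaks[record_id] = extra_fields
    return leaks


def summarize(response_text, permitted_ids):
    """Counts useful for a monitoring job: how many records came back,
    how many the user may see, how many hidden records were id-only,
    and which hidden records exposed more than an id."""
    entities = json.loads(response_text).get("entities", [])
    hidden = [e for e in entities if e.get("id") not in permitted_ids]
    return {
        "total": len(entities),
        "permitted": len(entities) - len(hidden),
        "hidden_id_only": sum(1 for e in hidden if set(e) == {"id"}),
        "overexposed": find_overexposed(response_text, permitted_ids),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_RESPONSE, PERMITTED_IDS)
    print(json.dumps(report, indent=2))
    if report["overexposed"]:
        print("WARNING: hidden records expose fields beyond id")
```

Run it against the saved body of a real entityQuery response (for example the `strResponse` printed by the VBA above) with the permitted set taken from the UI, and treat any non-empty `overexposed` result as a permissions regression to raise with support, since even an id-only listing still reveals how many hidden projects exist.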