API permission with read-only | Adobe Higher Education
Urs_Boller
Community Advisor
August 13, 2017
New

API permission with read-only

  • 14 replies
  • 15590 views

by default, every user group with "web service access" has full admin rights on the selected report suites. there is no way to reduce the permissions to "read-only" on report suite settings.

improvement:

the "web service access" should only trigger, if a user group is allowed to use the API credentials. the single permissions to read/edit/delete anything within report suites should be based on other permissions (eg. the existing options for user management)

14 replies

Gigazelle
Adobe Employee
August 14, 2017

When editing permission groups, there are two checkboxes within Analytics Tools:

Permissions (Read) - Web Services

Permissions (Write) - Web Services

These should be exactly what you're looking for.

Urs_Boller
Community Advisor
August 15, 2017

Gigazelle i set up a new user group and did NOT check any of those two boxes - only the "web service access". the user in this group was able to change RS Settings!

Urs_Boller
Community Advisor
August 29, 2017

hi Gigazelle

i did some testing together with an adobe consultant.

1) set up new user group with only "web service access" and access to 1 report suite - no other rights!

2) added a user to this group (user has no other rights than access to user group from 1)

3) try to add a new prop => successful:

4) check in RS-Settings => new prop available:

5) try to disable the newly created prop (same request as above, but "enabled" = "false") => successful. Check in RS settings:

Urs_Boller
Community Advisor
August 29, 2017

test as above with new user group and the following group rights

a) "web service access"

b) "Permission (Read) - Web Services"

1) Try to add a new prop => successful!

2) "disable" newly created prop => successful:

Urs_Boller
Community Advisor
August 29, 2017

next test: only access with right "Permission (Read) - Web Service"

1) try to add new prop => not successful!

ok, that is great!

2) try to create a report over API - no permissions:

Urs_Boller
Community Advisor
August 29, 2017

which permissions do i have to set if i want to allow a user to access report data over API but he shouldn't be allowed to change anything at the report suite settings?

andrew_r-GrfLbX
Level 5
August 30, 2017

This seems like a very gaping and worrying hole in the security of the API. I can’t believe that it’s possible for any user to modify admin settings via web services API. May need to cancel an entire project based around the API now...

Adobe Employee
August 30, 2017

'Permissions (Read) - Web Services' and 'Permissions (Write) - Web Services' actually refer to the ability to run certain API requests. For example, if you were to run Permissions.SaveGroup (SaveGroup | Adobe Developer Connection ), you would need 'Permissions (Write) - Web Services'. To run something like Permissions.GetGroup (GetGroup | Adobe Developer Connection ), you would only need 'Permissions (Read) - Web Services'.

Both of these permissions added to groups are only applicable to the Permissions.* API methods.

Adobe Employee
August 30, 2017

Access to the API is limited to users in a group that contains the 'web service access' permission. Also, depending on the type of project you are doing, you can use Oauth 2 (OAuth 2 Authentication | Adobe Developer Connection ) to limit the scope of what users can do with your project.

Urs_Boller
Community Advisor
September 1, 2017

there are a lot of tools which use the API credentials "out of the box" (observepoint, alarmdack/slack, ...).

OAuth2 is only an option, if the external provider offers the service. since API is more common and used a lot i hope for a better permission management....
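
Added example, not part of the thread and not Adobe code: a small audit that applies the behaviour reported above ("web service access" alone allows report suite settings changes on the group's report suites, and the two "Permissions (...) - Web Services" boxes only govern Permissions.* methods) to a list of permission groups. The group records, their field names, the user names and the "report access" permission are constructed for illustration and are not an Adobe export format.

```python
WEB_SERVICE = "web service access"
PERM_READ = "Permissions (Read) - Web Services"
PERM_WRITE = "Permissions (Write) - Web Services"

# Constructed sample data; field names are assumptions of this example.
GROUPS = [
    {"name": "api-reporting", "permissions": {WEB_SERVICE},
     "report_suites": {"rs_prod"}, "users": {"svc_dashboard", "alice"}},
    {"name": "perm-auditors", "permissions": {PERM_READ},
     "report_suites": {"rs_prod", "rs_dev"}, "users": {"bob"}},
    {"name": "api-perm-read", "permissions": {WEB_SERVICE, PERM_READ},
     "report_suites": {"rs_dev"}, "users": {"alice"}},
    {"name": "ui-analysts", "permissions": {"report access"},  # placeholder name
     "report_suites": {"rs_prod", "rs_dev"}, "users": {"carol", "alice"}},
]

def api_write_exposure(groups):
    """Per user: report suites whose settings that user's API credentials
    can change, and the groups granting it. Rule from the thread's tests:
    "web service access" on a group is sufficient, nothing else is needed."""
    exposure = {}
    for g in groups:
        if WEB_SERVICE not in g["permissions"]:
            continue  # third test in the thread: API calls were refused
        for user in g["users"]:
            entry = exposure.setdefault(user, {"suites": set(), "groups": set()})
            entry["suites"] |= g["report_suites"]
            entry["groups"].add(g["name"])
    return exposure

def looks_read_only_but_is_not(groups):
    """Groups where the Read box is ticked and Write is not, combined with
    "web service access": the second test shows these can still edit props."""
    return sorted(
        g["name"] for g in groups
        if WEB_SERVICE in g["permissions"]
        and PERM_READ in g["permissions"]
        and PERM_WRITE not in g["permissions"]
    )

if __name__ == "__main__":
    for user, e in sorted(api_write_exposure(GROUPS).items()):
        print(f"{user}: can change settings on {sorted(e['suites'])} "
              f"via {sorted(e['groups'])}")
    print("misleading groups:", looks_read_only_but_is_not(GROUPS))
```

The output lists which accounts to treat as report suite administrators when their API credentials are handed to third-party tools, so that such credentials can be moved to a dedicated account whose group covers only the report suites the tool needs.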