Access to Developers | Community
Skip to main content
Horatius_Joachi
Horatius_Joachi
Level 2
July 10, 2018
Question

Access to Developers

  • July 10, 2018
  • 2 replies
  • 2922 views

Hello Nation One of my clients have hired an external developer who wants access to REST API to build integrations. To restrict access and to safeguard information we have suggested to set the Role to Access API - Read only Person. Are there any best practices that you can share while dealing which what information an external developer can have access to with pros and cons?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

2 replies

SanfordWhiteman
SanfordWhiteman
Level 10
July 11, 2018

Kind of a self-defining question, isn't it?

If RO Person suffices for the project, then that's all they need.

My personal feeling is if a developer claims to not need even a temporary user (true UI user) account during a significant project, they're either supremely qualified or not really qualified. Most custom projects require more general knowledge of the instance than you can get from a tightly restricted API-only user. There are exceptions, of course, but you haven't told us what this pj is about.

    D
    DavidDe7
    Level 4
    July 17, 2018

    My general best practices would be:

    -  As Sanford mentioned, its critical to verify that person to highly qualified before being given any access.
    -  Setup a role and related permissions that will give access to only what is needed. Even Read Only has more granular options. At the role level (permissions) and at the user level (workspaces). Ex: If all that person needs is to read assets, then give RO on assets only.

    -  Setup a separate user. You need this to report on specific source of API activity (and see who might be eating all your API calls!).

    -  Use user expiration if applicable. I.e. if all you are doing is data cleaning via API and that person needs only access for a couple weeks, then set an expiration date on his user.
    -  Compliance:  If they give access to lead data, that might be a red flag for GDPR compliance as this custom solution will be considered as "data processor". Then...that's another topic altogether I guess!

    Cheers,

    David

      Terms & ConditionsAccessibility statement

      Loading footer...