API permission with read-only

ursboller
MVP

13-08-2017

By default, every user group with "web service access" has full admin rights on the selected report suites. There is no way to reduce the permissions to "read-only" on report suite settings.

Improvement:

The "web service access" should only trigger if a user group is allowed to use the API credentials. The single permissions to read/edit/delete anything within report suites should be based on other permissions (e.g. the existing options for user management).

13 Comments

Gigazelle
Employee

14-08-2017

When editing permission groups, there are two checkboxes within Analytics Tools:

Permissions (Read) - Web Services

Permissions (Write) - Web Services

These should be exactly what you're looking for.

ursboller
MVP

14-08-2017

Gigazelle, I set up a new user group and did NOT check either of those two boxes, only the "web service access". The user in this group was able to change RS Settings!

ursboller
MVP

29-08-2017

Hi Gigazelle

I did some testing together with an Adobe consultant.

1) Set up a new user group with only "web service access" and access to 1 report suite - no other rights!

2) Added a user to this group (the user has no other rights than access to the user group from 1).

3) Try to add a new prop => successful (screenshot).

4) Check in RS Settings => new prop available (screenshot).

5) Try to disable the newly created prop (same request as above, but "enabled" = "false") => successful. Check in RS Settings (screenshot).

ursboller
MVP

29-08-2017

Test as above with a new user group and the following group rights:

a) "web service access"

b) "Permission (Read) - Web Services"

1) Try to add a new prop => successful! (screenshots)

2) "Disable" the newly created prop => successful (screenshot).

ursboller
MVP

29-08-2017

Next test: only access with the right "Permission (Read) - Web Service".

1) Try to add a new prop => not successful! (screenshot)

OK, that is great!

2) Try to create a report over the API => no permissions (screenshot).

ursboller
MVP

29-08-2017

Which permissions do I have to set if I want to allow a user to access report data over the API, but he shouldn't be allowed to change anything in the report suite settings?

andrew_r-GrfLbX

30-08-2017

This seems like a very gaping and worrying hole in the security of the API. I can't believe that it's possible for any user to modify admin settings via the web services API. May need to cancel an entire project based around the API now...

ChrisS_ws
Employee

30-08-2017

'Permissions (Read) - Web Services' and 'Permissions (Write) - Web Services' actually refer to the ability to run certain API requests. For example, if you were to run Permissions.SaveGroup (SaveGroup | Adobe Developer Connection), you would need 'Permissions (Write) - Web Services'. To run something like Permissions.GetGroup (GetGroup | Adobe Developer Connection), you would only need 'Permissions (Read) - Web Services'.

Both of these permissions added to groups are only applicable to the Permissions.* API methods.

ChrisS_ws
Employee

30-08-2017

Access to the API is limited to users in a group that contains the 'web service access' permission. Also, depending on the type of project you are doing, you can use OAuth 2 (OAuth 2 Authentication | Adobe Developer Connection) to limit the scope of what users can do with your project.

ursboller
MVP

01-09-2017

There are a lot of tools which use the API credentials "out of the box" (observepoint, alarmdack/slack, ...).

OAuth2 is only an option if the external provider offers the service. Since the API is more common and used a lot, I hope for a better permission management....