Adobe Analytics

Urs_Boller · 8/13/17

by default, every user group with "web service access" has full admin rights on the selected report suites. there is no way to reduce the permissions to "read-only" on report suite settings.

improvement:

the "web service access" should only trigger, if a user group is allowed to use the API credentials. the single permissions to read/edit/delete anything within report suites should be based on other permissions (eg. the existing options for user management)

Gigazelle · 8/14/17

When editing permission groups, there are two checkboxes within Analytics Tools:

Permissions (Read) - Web Services

Permissions (Write) - Web Services

These should be exactly what you're looking for.

Urs_Boller · 8/14/17

Gigazelle i set up a new user group and did NOT check any of those two boxes - only the "web service access". the user in this group was able to change RS Settings!

Urs_Boller · 8/29/17

hi Gigazelle

i made some testing together with adobe consultant.

1) set up new user group with only "web service access" and access to 1 report suite - no other rights!

2) added a user to this group (user has no other rights than access to user group from 1)

3) try to add a new prop => successful:

4) check in RS-Settings => new prop available:

5) try to disable the new created prop (same request as above, but "enabled" = "false" => successful. Check in RS settings:

Urs_Boller · 8/29/17

test as above with new user group and the following group rights

a) "web service access"

b) "Permission (Read) - Web Services"

1) Try to add a new prop => successful!

2) "disable" new created prop => successful:

Urs_Boller · 8/29/17

next test: only access with right "Permission (Read) - Web Service"

1) try to add new prop => not successful!

ok, that is great!

2) try to create a report over API - no permissions:

Urs_Boller · 8/29/17

which permissions do i have to set if i want to allow a user to access report data over API but he shouldn't be allowed to change anything at the report suite settings?

andrew_r-GrfLbX · 8/30/17

This seems like a very gaping and worrying hole in the security of the API I can’t believe that it’s possible for any user to modify admin settings via web services API. May need to cancel an entire project based around the API now...

ChrisS_ws · 8/30/17

'Permissions (Read) - Web Services' and 'Permissions (Write) - Web Services' actually refer to the ability to run certain API requests. For example, if you were to run Permissions.SaveGroup (SaveGroup | Adobe Developer Connection ), you would need 'Permissions (Write) - Web Services'. To run something like Permissions.GetGroup (GetGroup | Adobe Developer Connection ), you would only need 'Permissions (Read) - Web Services'.

Both of these permissions added to groups are only applicable to the Permissions.* API methods.

ChrisS_ws · 8/30/17

Access to the API is limited to users in a group that contains the 'web service access' permission. Also, depending on the type of project you are doing, you can use Oauth 2 (OAuth 2 Authentication | Adobe Developer Connection ) to limit the scope of what users can do with your project.

Urs_Boller · 9/1/17

there are a lot of tools which use the API credentials "out of the box" (observepoint, alarmdack/slack, ...).

OAuth2 is only an option, if the external provider offers the service. since API is more common and used a lot i hope forna better permission management....

Adobe Analytics

API permission with read-only

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe