API permission with read-only

ursboller

MVP

13-08-2017

By default, every user group with "web service access" has full admin rights on the selected report suites. There is no way to reduce the permissions to "read-only" on report suite settings.

Improvement:

The "web service access" should only trigger if a user group is allowed to use the API credentials. The single permissions to read/edit/delete anything within report suites should be based on other permissions (e.g. the existing options for user management).

12 Comments

Gigazelle

Employee

14-08-2017

When editing permission groups, there are two checkboxes within Analytics Tools:

Permissions (Read) - Web Services

Permissions (Write) - Web Services

These should be exactly what you're looking for.

ursboller

MVP

14-08-2017

Gigazelle, I set up a new user group and did NOT check either of those two boxes - only "web service access". The user in this group was able to change RS settings!

ursboller

MVP

29-08-2017

Hi Gigazelle,

I did some testing together with an Adobe consultant.

1) Set up a new user group with only "web service access" and access to 1 report suite - no other rights!

2) Added a user to this group (the user has no other rights than access to the user group from 1).

3) Try to add a new prop => successful:

[pasted screenshot]

4) Check in RS settings => new prop available:

[pasted screenshot]

5) Try to disable the newly created prop (same request as above, but "enabled" = "false") => successful. Check in RS settings:

[pasted screenshot]

ursboller

MVP

29-08-2017

Test as above with a new user group and the following group rights:

a) "web service access"

b) "Permission (Read) - Web Services"

1) Try to add a new prop => successful!

[pasted screenshots]

2) "Disable" the newly created prop => successful:

[pasted screenshot]

ursboller

MVP

29-08-2017

Next test: only access with the right "Permission (Read) - Web Service".

1) Try to add a new prop => not successful!

[pasted screenshot]

OK, that is great!

2) Try to create a report over the API => no permissions:

[pasted screenshot]
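An added audit script (my own, not from this thread or from Adobe) that automates the check ursboller ran by hand in the tests above: it reads a report suite's props with the credential under test and then re-saves the first prop unchanged, so a successful save proves the group can edit report suite settings without anything actually being modified. The endpoint, the method names (ReportSuite.GetProps/SaveProps), the rsid_list/props payload shape and the X-WSSE token format are assumptions recalled from the 1.4 admin API documentation; verify them against current docs before relying on the result.

```python
"""Hypothetical read-only audit for an Adobe Analytics 1.4 API credential (added
example, not from this thread). GetProps then SaveProps of the same prop: a
200 on the save means the credential can edit report suite settings. Endpoint,
method names, payload shape and X-WSSE format are assumed from the 1.4 docs."""
import base64, hashlib, json, uuid
from datetime import datetime, timezone
from urllib import error, request

API = "https://api.omniture.com/admin/1.4/rest/"  # assumed 1.4 admin endpoint


def wsse_header(username, secret, nonce=None, created=None):
    """X-WSSE UsernameToken: PasswordDigest = b64(sha1(nonce + created + secret)),
    Nonce sent base64-encoded, Created as an ISO-8601 UTC timestamp (assumed format)."""
    nonce = nonce or uuid.uuid4().hex
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = base64.b64encode(hashlib.sha1((nonce + created + secret).encode()).digest()).decode()
    b64nonce = base64.b64encode(nonce.encode()).decode()
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{b64nonce}", Created="{created}"')


def http_call(username, secret, method, payload):
    """Real transport: POST the JSON payload to ?method=<name>; returns (status, body)."""
    req = request.Request(API + "?method=" + method, data=json.dumps(payload).encode(),
                          headers={"X-WSSE": wsse_header(username, secret),
                                   "Content-Type": "application/json"})
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:          # 4xx/5xx: permission denied, bad request, ...
        return e.code, None


def audit_read_only(rsid, call):
    """call(method, payload) -> (status, body), so a fake transport can be injected.
    can_write=True is the misconfiguration the thread describes: a group with only
    "web service access" being able to edit report suite settings."""
    status, body = call("ReportSuite.GetProps", {"rsid_list": [rsid]})
    result = {"can_read": status == 200, "can_write": False}
    if not result["can_read"] or not isinstance(body, list) or not body \
            or not body[0].get("props"):
        return result                      # nothing readable, so nothing to re-save
    unchanged_prop = body[0]["props"][0]   # re-saving as-is is a no-op if allowed
    status, _ = call("ReportSuite.SaveProps", {"rsid_list": [rsid], "props": [unchanged_prop]})
    result["can_write"] = status == 200
    return result
```

Run `audit_read_only(rsid, functools.partial(http_call, "name:company", secret))` for a group that is meant to be read-only; `can_write: True` reproduces the finding above and means the group's rights need to be narrowed.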

ursboller

MVP

29-08-2017

Which permissions do I have to set if I want to allow a user to access report data over the API, but he shouldn't be allowed to change anything in the report suite settings?

andrew_r-GrfLbX

30-08-2017

This seems like a very gaping and worrying hole in the security of the API. I can't believe that it's possible for any user to modify admin settings via the web services API. May need to cancel an entire project based around the API now...

ChrisS_ws

Employee

30-08-2017

'Permissions (Read) - Web Services' and 'Permissions (Write) - Web Services' actually refer to the ability to run certain API requests. For example, if you were to run Permissions.SaveGroup (SaveGroup | Adobe Developer Connection), you would need 'Permissions (Write) - Web Services'. To run something like Permissions.GetGroup (GetGroup | Adobe Developer Connection), you would only need 'Permissions (Read) - Web Services'.

Both of these permissions added to groups are only applicable to the Permissions.* API methods.

ChrisS_ws

Employee

30-08-2017

Access to the API is limited to users in a group that contains the 'web service access' permission. Also, depending on the type of project you are doing, you can use OAuth 2 (OAuth 2 Authentication | Adobe Developer Connection) to limit the scope of what users can do with your project.

ursboller

MVP

01-09-2017

There are a lot of tools which use the API credentials "out of the box" (ObservePoint, alarmdack/Slack, ...).

OAuth2 is only an option if the external provider offers the service. Since the API is more common and used a lot, I hope for a better permission management....