Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn More

View all

Sign in to view all badges

Restrict user read permissions for API 2.0

Avatar

Avatar
Shape 1
Level 3
dominikm7139145
Level 3

Likes

31 likes

Total Posts

4 posts

Correct Reply

0 solutions
Top badges earned
Shape 1
Boost 5
Boost 3
Boost 25
Boost 10
View profile

Avatar
Shape 1
Level 3
dominikm7139145
Level 3

Likes

31 likes

Total Posts

4 posts

Correct Reply

0 solutions
Top badges earned
Shape 1
Boost 5
Boost 3
Boost 25
Boost 10
View profile
dominikm7139145
Level 3

11-06-2019

I noticed a major privacy problem with API 2.0 while testing out the possibilities of restricted permissions for normal users:

Using the command https://analytics.adobe.io/api/[mycompany]/users?limit=[XX] a normal user can get a list of all users in a given organization. This may pose a privacy issue as a normal user should not be able to see the usernames, admin status, email, first & last name, phone number, and title. Those are highly personalized information on any given user. Usually, I would think that only admins can get access to this information. Even though a "normal" user has no writing rights to manage, change or create users this is still a problem.

Client Care says that the function is working as intended but this feature should not be an intended function for API 2.0. Please change this so that only admins can use this function and normal users only get information on their own account with https://analytics.adobe.io/api/[mycompany]/users/me.

10 Comments

Avatar

Avatar
Coach
MVP
ursboller
MVP

Likes

522 likes

Total Posts

1,020 posts

Correct Reply

256 solutions
Top badges earned
Coach
Contributor
Bedrock
Seeker
Springboard
View profile

Avatar
Coach
MVP
ursboller
MVP

Likes

522 likes

Total Posts

1,020 posts

Correct Reply

256 solutions
Top badges earned
Coach
Contributor
Bedrock
Seeker
Springboard
View profile
ursboller
MVP

11-06-2019

can't believe that we need to make an idea on this! it definitely should not work like that, a restriction for "normal users" is highly needed!

thanks for posting the idea...

Avatar

Avatar
Boost 5
Employee
Brian_Kent_Watson
Employee

Likes

18 likes

Total Posts

44 posts

Correct Reply

13 solutions
Top badges earned
Boost 5
Boost 3
Boost 10
Boost 1
Affirm 5
View profile

Avatar
Boost 5
Employee
Brian_Kent_Watson
Employee

Likes

18 likes

Total Posts

44 posts

Correct Reply

13 solutions
Top badges earned
Boost 5
Boost 3
Boost 10
Boost 1
Affirm 5
View profile
Brian_Kent_Watson
Employee

11-06-2019

Note that non-admin users can see all users in the company, including First Name, Last name, and Email address, when they take actions in the UI such as sharing segments and Workspace projects, adding recipients to alerts and scheduled reports, etc.

The three elements of admin status, title, and phone haven't been previously exposed in the UI so that is additional information that was added for API 2.0. We can consider making a change such that only admins can pull the lists of users via API but the expectation that a normal user should never see information about another user simply doesn't match the historical behavior of the product.

Avatar

Avatar
Coach
MVP
ursboller
MVP

Likes

522 likes

Total Posts

1,020 posts

Correct Reply

256 solutions
Top badges earned
Coach
Contributor
Bedrock
Seeker
Springboard
View profile

Avatar
Coach
MVP
ursboller
MVP

Likes

522 likes

Total Posts

1,020 posts

Correct Reply

256 solutions
Top badges earned
Coach
Contributor
Bedrock
Seeker
Springboard
View profile
ursboller
MVP

11-06-2019

would it be an option to restrict access to the same user group by permission? eg. add a new permission setting to only allow "user lookup" of own "user groups"? this way we could create a new user group for external agencies and those persons have only access to names/users within that group.

Avatar

Avatar
Boost 5
Employee
Brian_Kent_Watson
Employee

Likes

18 likes

Total Posts

44 posts

Correct Reply

13 solutions
Top badges earned
Boost 5
Boost 3
Boost 10
Boost 1
Affirm 5
View profile

Avatar
Boost 5
Employee
Brian_Kent_Watson
Employee

Likes

18 likes

Total Posts

44 posts

Correct Reply

13 solutions
Top badges earned
Boost 5
Boost 3
Boost 10
Boost 1
Affirm 5
View profile
Brian_Kent_Watson
Employee

11-06-2019

That's a possibility. We'll need to consider how such a change would impact functionality in the UI such as sharing and schedule recipients, etc. Because Analysis Workspace is built on the 2.0 API set we generally want to keep behaviors in the API consistent with behaviors in the UI.

i appreciate the feedback in this thread.

Avatar

Avatar
Shape 1
Level 3
dominikm7139145
Level 3

Likes

31 likes

Total Posts

4 posts

Correct Reply

0 solutions
Top badges earned
Shape 1
Boost 5
Boost 3
Boost 25
Boost 10
View profile

Avatar
Shape 1
Level 3
dominikm7139145
Level 3

Likes

31 likes

Total Posts

4 posts

Correct Reply

0 solutions
Top badges earned
Shape 1
Boost 5
Boost 3
Boost 25
Boost 10
View profile
dominikm7139145
Level 3

12-06-2019

Wouldn't it be easier then to change the permissions for normal users so that they can only see First and Last Name (both in UI and API)? Also, I haven't seen any E-Mail information in the UI when sharing segments, workspaces, metrics, etc. I can add someone by specifically writing out that person's address but usually I only see First and Last Name in the sharing menu.

Avatar

Avatar
Seeker
Level 5
David-123
Level 5

Likes

114 likes

Total Posts

132 posts

Correct Reply

18 solutions
Top badges earned
Seeker
Bedrock
Engage 1
Springboard
Establish
View profile

Avatar
Seeker
Level 5
David-123
Level 5

Likes

114 likes

Total Posts

132 posts

Correct Reply

18 solutions
Top badges earned
Seeker
Bedrock
Engage 1
Springboard
Establish
View profile
David-123
Level 5

12-06-2019

I can see how this could be an issue in a large enterprise.

Surely a toggle box in the admin section to allow / block API from the user request would solve this?

Avatar

Avatar
Shape 1
Level 3
dominikm7139145
Level 3

Likes

31 likes

Total Posts

4 posts

Correct Reply

0 solutions
Top badges earned
Shape 1
Boost 5
Boost 3
Boost 25
Boost 10
View profile

Avatar
Shape 1
Level 3
dominikm7139145
Level 3

Likes

31 likes

Total Posts

4 posts

Correct Reply

0 solutions
Top badges earned
Shape 1
Boost 5
Boost 3
Boost 25
Boost 10
View profile
dominikm7139145
Level 3

12-06-2019

You mean completely block API requests? Our use case is restricted API access for normal users (e.g. for reporting purposes on specifically chosen variables).

But it would also be a great idea if specific API commands could be allowed/blocked for specific users or user groups. This way the admins could choose to block the get user API command.

Avatar

Avatar
Seeker
Level 5
David-123
Level 5

Likes

114 likes

Total Posts

132 posts

Correct Reply

18 solutions
Top badges earned
Seeker
Bedrock
Engage 1
Springboard
Establish
View profile

Avatar
Seeker
Level 5
David-123
Level 5

Likes

114 likes

Total Posts

132 posts

Correct Reply

18 solutions
Top badges earned
Seeker
Bedrock
Engage 1
Springboard
Establish
View profile
David-123
Level 5

12-06-2019

Sorry - yes - there was a typo there - yes block the specific API call for user information.

Avatar

Avatar
Level 1
BrianKjaerskovNielsen
Level 1

Likes

0 likes

Total Posts

1 post

Correct Reply

0 solutions
View profile

Avatar
Level 1
BrianKjaerskovNielsen
Level 1

Likes

0 likes

Total Posts

1 post

Correct Reply

0 solutions
View profile
BrianKjaerskovNielsen
Level 1

25-09-2020

I would like to be able to block access to the /users API when I set up an Integration in https://console.adobe.io/

Avatar

Avatar
Validate 1000
Community Manager
jantzen_belliston-Adobe
Community Manager

Likes

337 likes

Total Posts

2,286 posts

Correct Reply

815 solutions
Top badges earned
Validate 1000
Springboard
Validate 500
Validate 250
Validate 100
View profile

Avatar
Validate 1000
Community Manager
jantzen_belliston-Adobe
Community Manager

Likes

337 likes

Total Posts

2,286 posts

Correct Reply

815 solutions
Top badges earned
Validate 1000
Springboard
Validate 500
Validate 250
Validate 100
View profile
jantzen_belliston-Adobe
Community Manager

27-10-2020

 
Status changed to: Archived