Expand my Community achievements bar.

SOLVED

Limit API Access to an account

Avatar

Level 2
Level 2
1/12/20 11:16:56 PM

Hello

 

I was wondering if there is a possibility to limit account's access rights in a way that would allow only reading ONE particular schema and nothing else. Either SOAP API or jssp is fine.

Additionally, is it possible to track exactly how often and how much data the user is obtaining with the API calls?

 

Kind regards

 

 

Views

14.6K

Replies

13
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
1/14/20 9:09:32 AM

Hi,

 

Assuming 'nothing else' refers to user-defined schemas, add sysFilters per this guide:

NB all users of Campaign share the same underlying db user, so this is mostly cosmetic.

API traffic can be monitored in web server logs with custom scripts or off-the-shelf software such as ELK, Splunk.

 

Thanks,

-Jon

View solution in original post

Views

5.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
13 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
1/14/20 9:09:32 AM

Hi,

 

Assuming 'nothing else' refers to user-defined schemas, add sysFilters per this guide:

NB all users of Campaign share the same underlying db user, so this is mostly cosmetic.

API traffic can be monitored in web server logs with custom scripts or off-the-shelf software such as ELK, Splunk.

 

Thanks,

-Jon

Views

5.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
1/14/20 11:10:56 PM

@Jonathon_wodnicki 

Thanks, I'll check that out.

 

As for the "nothing else", I would also like to limit one's ability to use factory schemas like xtk:session's methods, because if the user has access to those, he'd be able to do Write, so essentially insert/delete as well.

 

Also, what do you mean by cosmetic and what does the documentation mean by "This restriction applies only to non technical users: a technical user, with related permissions, or using a workflow, will be able to retrieve and update data."? That this can be easily bypassed if a user really wants to?

 

Kind regards, Szymon

Views

5.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/17/20 2:25:33 AM

Hi Szymon,

In your use case, you should not allow any user to login to Adobe campaign as Jon mentioned there are couple of security concerns when you allow a user to login to your marketing database even via API.  

The recommended way will create a middleware API(for this particular microservice) endpoint which should act as a bridge to your system from the outside world. Cheapest way will be to use Amazon lamda based function where you can easily measure the data usage and at the same time restrict them to a certain function from, Adobe campaign.

 

The data flow would be :

 

Third-party system: Read data API(AWS): authenticate the request: Get the data from Adobe campaign.

Third-party system: Update data API(AWS): authenticate the request: update the data in Adobe campaign.

https://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example.html

https://docs.aws.amazon.com/lambda/latest/dg//monitoring-functions-access-metrics.html

https://docs.aws.amazon.com/lambda/latest/dg//monitoring-functions-metrics.html

 

Regards,

Amit

Views

6.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/17/20 2:28:52 AM

Thanks Amit for your thoughts. 

My idea was to create JSSP pages and instead of SOAP Calls allowing POST requests through HTTP, then I believe it would be possible to build some kind of basic tracking on that JSSP, wouldnt it?

Views

12.8K

Replies

9
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/17/20 2:33:44 AM
In response to szymons55769873
There is a problem as soon as you give the access to JSSP page, they will automatically get access to SOAP. then the only way you can achieve this is by hard coding the access in JSSP for the user using logonEscalation method or something similar.

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/17/20 2:36:22 AM
In response to szymons55769873
if you still wants that method then you have to create another schema for monitoring if you want ACC to handle everything in-house. every time there is an invocation to this JSSP page you can create a row there. and log the bytes requested as response and session info.

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/17/20 2:36:22 AM
In response to szymons55769873
Amit, I tested a scenario when the IP I whitelisted wasn't given API access rights and I was still able to obtain data from JSSP. A problem only would arise if the user was using an IP that has to have the API enabled.

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/17/20 2:43:55 AM
In response to szymons55769873
yeah because JSSP sits on web server so anyone can access it as it's in public domain. if you want it like that then sure it will solve your purpose.

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/17/20 2:59:53 AM
In response to szymons55769873
Thanks, Amit, would you know how exactly does the "Restriction by folder" option in the account settings in client work? It doesn't seem to work for API which is unfortunate

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/17/20 3:10:03 AM
In response to szymons55769873
yeah, it's a shame. The Restrict to information found in sub-folders of: option lets you limit the rights attributed to the operator of a folder. Only the subfolders of the node specified in this option will be visible to the user in console. so it will not work for JSSP page.

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/20/20 4:05:58 AM
In response to szymons55769873
Amit, do you know if JS server pages have any limitations as such, or is in theory possible to read/write the exact same range of schemas and use all methods that SOAP Call allows?

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/20/20 5:57:06 AM
In response to szymons55769873
Except for the public domain access security issues, everything else is there. In terms of functionality, you can achieve everything.

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
1/20/20 6:29:52 AM
In response to szymons55769873
But to access the page if logon is required you still need to have your IP whitelisted, which would address most of the vulnerabilities, wouldn't it?

Views

12.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
how to add sysfilters or filters in schema with conditions in adobe campaign classic Solved

Views

168

Likes

0

Replies

1
Stuck with how to do Join of schemas with condition in adobe campaign classic Solved

Views

154

Likes

0

Replies

1
JSON API Calls to Message Center in Campaign v8

Views

111

Likes

0

Replies

2
Need to add filters at Schema level in Schema Edit Tab in Adobe Campaign Classic

Views

136

Likes

0

Replies

1
How to add calculated filed in schema to add join in schemas with conditions

Views

220

Likes

0

Replies

3