Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn More

View all

Sign in to view all badges

Limit API Access to an account

Avatar

Avatar
Ignite 1
Level 2
szymons55769873
Level 2

Likes

5 likes

Total Posts

22 posts

Correct Reply

0 solutions
Top badges earned
Ignite 1
Validate 1
Give Back
Boost 5
Boost 3
View profile

Avatar
Ignite 1
Level 2
szymons55769873
Level 2

Likes

5 likes

Total Posts

22 posts

Correct Reply

0 solutions
Top badges earned
Ignite 1
Validate 1
Give Back
Boost 5
Boost 3
View profile
szymons55769873
Level 2

12-01-2020

Hello

 

I was wondering if there is a possibility to limit account's access rights in a way that would allow only reading ONE particular schema and nothing else. Either SOAP API or jssp is fine.

Additionally, is it possible to track exactly how often and how much data the user is obtaining with the API calls?

 

Kind regards

 

 

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar
Contributor
MVP
wodnicki
MVP

Likes

938 likes

Total Posts

1,061 posts

Correct Reply

495 solutions
Top badges earned
Contributor
Shape 1
Give Back 100
Give Back 50
Give Back 25
View profile

Avatar
Contributor
MVP
wodnicki
MVP

Likes

938 likes

Total Posts

1,061 posts

Correct Reply

495 solutions
Top badges earned
Contributor
Shape 1
Give Back 100
Give Back 50
Give Back 25
View profile
wodnicki
MVP

14-01-2020

Hi,

 

Assuming 'nothing else' refers to user-defined schemas, add sysFilters per this guide:

NB all users of Campaign share the same underlying db user, so this is mostly cosmetic.

API traffic can be monitored in web server logs with custom scripts or off-the-shelf software such as ELK, Splunk.

 

Thanks,

-Jon

Answers (3)

Answers (3)

Avatar

Avatar
Ignite 1
Level 2
szymons55769873
Level 2

Likes

5 likes

Total Posts

22 posts

Correct Reply

0 solutions
Top badges earned
Ignite 1
Validate 1
Give Back
Boost 5
Boost 3
View profile

Avatar
Ignite 1
Level 2
szymons55769873
Level 2

Likes

5 likes

Total Posts

22 posts

Correct Reply

0 solutions
Top badges earned
Ignite 1
Validate 1
Give Back
Boost 5
Boost 3
View profile
szymons55769873
Level 2

17-01-2020

Thanks Amit for your thoughts. 

My idea was to create JSSP pages and instead of SOAP Calls allowing POST requests through HTTP, then I believe it would be possible to build some kind of basic tracking on that JSSP, wouldnt it?

Avatar

Avatar
Validate 10
MVP
Amit_Kumar
MVP

Likes

329 likes

Total Posts

649 posts

Correct Reply

231 solutions
Top badges earned
Validate 10
Validate 1
Establish
Give Back 50
Give Back 5
View profile

Avatar
Validate 10
MVP
Amit_Kumar
MVP

Likes

329 likes

Total Posts

649 posts

Correct Reply

231 solutions
Top badges earned
Validate 10
Validate 1
Establish
Give Back 50
Give Back 5
View profile
Amit_Kumar
MVP

17-01-2020

Hi Szymon,

In your use case, you should not allow any user to login to Adobe campaign as Jon mentioned there are couple of security concerns when you allow a user to login to your marketing database even via API.  

The recommended way will create a middleware API(for this particular microservice) endpoint which should act as a bridge to your system from the outside world. Cheapest way will be to use Amazon lamda based function where you can easily measure the data usage and at the same time restrict them to a certain function from, Adobe campaign.

 

The data flow would be :

 

Third-party system: Read data API(AWS): authenticate the request: Get the data from Adobe campaign.

Third-party system: Update data API(AWS): authenticate the request: update the data in Adobe campaign.

https://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example.html

https://docs.aws.amazon.com/lambda/latest/dg//monitoring-functions-access-metrics.html

https://docs.aws.amazon.com/lambda/latest/dg//monitoring-functions-metrics.html

 

Regards,

Amit

Avatar

Avatar
Ignite 1
Level 2
szymons55769873
Level 2

Likes

5 likes

Total Posts

22 posts

Correct Reply

0 solutions
Top badges earned
Ignite 1
Validate 1
Give Back
Boost 5
Boost 3
View profile

Avatar
Ignite 1
Level 2
szymons55769873
Level 2

Likes

5 likes

Total Posts

22 posts

Correct Reply

0 solutions
Top badges earned
Ignite 1
Validate 1
Give Back
Boost 5
Boost 3
View profile
szymons55769873
Level 2

14-01-2020

@wodnicki 

Thanks, I'll check that out.

 

As for the "nothing else", I would also like to limit one's ability to use factory schemas like xtk:session's methods, because if the user has access to those, he'd be able to do Write, so essentially insert/delete as well.

 

Also, what do you mean by cosmetic and what does the documentation mean by "This restriction applies only to non technical users: a technical user, with related permissions, or using a workflow, will be able to retrieve and update data."? That this can be easily bypassed if a user really wants to?

 

Kind regards, Szymon