Expand my Community achievements bar.

SOLVED

User permissions for firefly

Avatar

Community Advisor
Community Advisor
5/27/20 3:46:38 PM

is there any option to set permissions per user of an org? as far as I understand everybody can use the apps as soon as the user has access to the API's used in the project.

but the modt use cases I have in mind need an admin (for settings) and users without any API access.

what are other solutions? write 2 apps which share data? one for "read/interact" and the other for "API interactions"?

what I would love to have is an option to rely on new/existing product profiles or user groups from the admin console...

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

App Builder

Views

8.6K

Replies

7
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee
Employee
5/27/20 4:01:22 PM

Hi @Urs_Boller 

Currently, access is granted based on the user's existing product access. A user needs to have access to all the products used by the app to access it. Let's say the app uses Analytics and Campaign, a user needs to have access to both to be able to use the app.

We'd love to be able to offer more flexible and customizable access control -- but that's definitely more on the future-looking side for us at the moment. 

I'd suggest being on the more cautious side exploring workarounds at the moment because the forced access control is put in place so that enterprise users would not have access to data that they are not provisioned with.

To learn more about security...

View solution in original post

Views

7.9K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
7 Replies

Avatar

Correct answer by
Employee
Employee
5/27/20 4:01:22 PM

Hi @Urs_Boller 

Currently, access is granted based on the user's existing product access. A user needs to have access to all the products used by the app to access it. Let's say the app uses Analytics and Campaign, a user needs to have access to both to be able to use the app.

We'd love to be able to offer more flexible and customizable access control -- but that's definitely more on the future-looking side for us at the moment. 

I'd suggest being on the more cautious side exploring workarounds at the moment because the forced access control is put in place so that enterprise users would not have access to data that they are not provisioned with.

To learn more about security...

Views

7.9K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
5/27/20 9:44:07 PM
In response to sarahxxu
how is "access to data" defined regarding analytics? is it "access to the API"? because a single user can have access to just part of the analytics data (by report suite setting)...

Views

7.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
5/28/20 6:15:23 AM
In response to sarahxxu
We check whether the user has product context in their user profile. On finer control, Analytics is interesting example! Unlike other APIs, Analytics 2.0 allows 2 types of integration, OAuth and Service Account. OAuth allows the developer to leverage user's individual user access while Service Account grants access to all data. When an action is invoked, by default, an access token is always required to authorize and to authenticate your action. This access token is also use for any API calls inside your action! So in the case of Analytics, if you set up an OAuth integration, using the user access token ensures that user can ONLY see data they currently have access to based on prior access control rules (put in through Admin Console or AA).

Views

7.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
5/28/20 6:57:15 AM
In response to sarahxxu
awesome! thanks for all the details. does it mean a user can access the app without restrictions, as long as there is no specific action used (where the user maybe doesn't have permission)?

Views

7.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
5/28/20 7:06:17 AM
In response to sarahxxu
Not exactly -- every action, even the generic one just printing out text, built with firefly (by default) has a flag `require-adobe-auth:` enabled to true. this means the action WILL expect an access token when it's invoked. this access token is used by our validator to check whether this user / service should have access to this action. (see docs for more detail). There are two gated layers -- the first one is this. The second one is we recommend only using the access token passed in to make api calls, this ensures secure data access.

Views

7.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
5/28/20 7:31:58 AM
In response to sarahxxu
ok, everything makes mire sense now. thanks a lot for your replies!

Views

7.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
5/27/20 4:01:24 PM

Hello there,

 

We have on our roadmap to add support for user access control in the Admin Console. Until then, we only support out of the box the use case where the user has access to the data in the first place.

 

cheers,

Mihai

Views

5.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Need help for writing unit test case for exceltojson servlet Solved

Views

117

Likes

0

Replies

2
Sandbox URL for work front to test api(MN) Solved

Views

141

Likes

0

Replies

2
Adobe Sign permission error when trying to add API to a project.

Views

98

Likes

0

Replies

1
where should I go to obtain Adobe Analytics API's permission?

Views

110

Likes

0

Replies

2
Unable to submit support ticket through Experience League - extension has been in Manual QA for OVER A MONTH

Views

137

Likes

0

Replies

6