API permission with read-only | Community
Urs_Boller
New Participant
August 13, 2017
New

API permission with read-only

by default, every user group with "web service access" has full admin rights on the selected report suites. there is no way to reduce the permissions to "read-only" on report suite settings.

improvement:

the "web service access" should only trigger if a user group is allowed to use the API credentials. the single permissions to read/edit/delete anything within report suites should be based on other permissions (e.g. the existing options for user management)

14 replies

Community Manager
October 5, 2022
No text available
jantzen_b
Employee
October 27, 2020
No text available
Urs_Boller
New Participant
July 26, 2019

jen.lasser given the fact that most tools will change to API 2.0 and there is a much better permission management, I agree to close the idea.

I haven't tested the new API, but would expect it to work as desired (e.g. giving access only to a VRS basically equals read-only access; there should be no way to modify the underlying RS).

Employee
July 26, 2019

@ursboller Wondering if we can close this now that we are in a new world with Adobe I/O, 2.0 Analytics API, and different Experience Cloud user permissions (system admin vs developer role). Please let me know!

Urs_Boller
New Participant
September 1, 2017

there are a lot of tools which use the API credentials "out of the box" (ObservePoint, Alarmduck/Slack, ...).

OAuth2 is only an option if the external provider offers the service. since the API is more common and used a lot, I hope for a better permission management....

Employee
August 30, 2017

Access to the API is limited to users in a group that contains the 'web service access' permission. Also, depending on the type of project you are doing, you can use OAuth 2 (OAuth 2 Authentication | Adobe Developer Connection) to limit the scope of what users can do with your project.

Employee
August 30, 2017

'Permissions (Read) - Web Services' and 'Permissions (Write) - Web Services' actually refer to the ability to run certain API requests. For example, if you were to run Permissions.SaveGroup (SaveGroup | Adobe Developer Connection), you would need 'Permissions (Write) - Web Services'. To run something like Permissions.GetGroup (GetGroup | Adobe Developer Connection), you would only need 'Permissions (Read) - Web Services'.

Both of these permissions added to groups are only applicable to the Permissions.* API methods.

andrew_r-GrfLbX
New Participant
August 30, 2017

This seems like a very gaping and worrying hole in the security of the API. I can’t believe that it’s possible for any user to modify admin settings via web services API. May need to cancel an entire project based around the API now...

Urs_Boller
New Participant
August 29, 2017

which permissions do I have to set if I want to allow a user to access report data over API but he shouldn't be allowed to change anything at the report suite settings?

Urs_Boller
New Participant
August 29, 2017

next test: only access with right "Permission (Read) - Web Service"

1) try to add new prop => not successful!

ok, that is great!

2) try to create a report over API - no permissions: