With API 3.11.0 is possible restrict access to any endpoint.
Adding inside the system a new Endpoint object it will be necessary for the users, in order to get access to the endpoint, to be part of one SecurityRole that has a SecurityPermission connected with the Endpoint.
The endpoint access control is done also against the objects requested using the fields JSON in the HTTP Header. So for instance if the endpoint Vessel.GET is present and the user does not belong to a SecurityRole that has a SecurityPermission for the Vessel.GET endpoint, requesting the Voyage resource specifying the following JSON in the fields parameter:
{
"vessel":{
"vesselName":"*",
"auxEngine":"*"
}
}
will not get unauthorized (HTTP 401), but if the same user requests with the following JSON:
{
"vessel":{
"vesselName":"*"
}
}
will get access because vesselName attribute is part of the minimal view of Vessel resource.
The same access control is performed when a WebhookSubscription is requested. If the user tries to subscribe for an object that has an Endpoint in the system, the subscription will be created only if the user can access to the Endpoint, otherwise Bad request (HTTP 400) exception will be thrown.
To create a new Endpoint it has to be used the endpoint /ws/rest/Endpoint posting a JSON like this:
{
"resourceName": "Vessel",
"path": ".",
"httpMethodType": "GET"
}
To create a new SecurityPermission it has to be used the endpoint /ws/rest/SecurityPermission posting a JSON like this:
{
"endpoint": 335928937,
"permissionName": "Bank.GET",
"permissionType": 335343886
}
To create a new SecurityRole it has to be used the endpoint /ws/rest/SecurityRole posting a JSON like this:
{
"roleName":"testRole"
}
To ad a SecurityPermission to a SecurityRole it has to be used the endpoint /ws/rest/SecurityRole putting a JSON like this:
{
"securityPermissions": [
{
"key":335928939
}
]
}
To ad a SecurityRole to a User it has to be used the endpoint /ws/rest/User putting a JSON like this:
{
"securityRoles": [
{
"key":335927922
}
]
}