Hi all,

*Our requirement*

Currently we restrict the API for a particular user role. This is done by setting resource permissions at registry level. So, when a user logs in to the API Store, the API will be visible to him based on his role. But, with the available feature, we cannot restrict the API resources or HTTP verbs for a role.

The requirement is, depending on the user's role we need to control API resources/HTTP verbs when the API is available for a particular subscriber. E.g.:

1) We publish an API called UserAPI with context /user/customers/v1. UserAPI contains other APIs (resources) under it; for example /alert and /register. As external developers are subscribing at the /user/customers/v1 level, they get all the "resources" under this context. However, at runtime a user may want only some subscribers to be able to call the /register resource, based on the subscriber's role. (Resource level access)

2) HTTP verb level access: for a single resource, some users need only browse (GET) permission, others want write (PUT) permission.

*Ways to achieve*

1) We could use an XACML policy based on the role.

2) Defining an OAuth scope for the resource/verb level.

In the 2nd method, we may have different access tokens for a single API. We, by default, have 'production' and 'sandbox' scopes for tokens. If we define more scopes, we might need more access tokens to be issued for an API, and allowing active tokens at a given time has to be considered. And also throttling will be a major consideration.

How should we approach the above requirement? Thoughts are welcome.

Thanks
--
-Ratha
mobile: (+94)755906608
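The following is an added illustration, not part of Ratha's post or of WSO2's code, of how the 2nd option (OAuth scopes bound to resource/verb pairs, granted per role) would be enforced at a gateway for the /alert and /register resources. The scope names, the roles and the issuance logic are assumptions for the example.

```python
# Added example: scope-per-(resource, verb) authorization for the UserAPI
# context from the thread. Scope and role names below are constructed.
import posixpath
from dataclasses import dataclass

API_CONTEXT = "/user/customers/v1"

# Which scope a (resource, verb) pair requires; unlisted pairs are denied.
# This expresses both resource-level (/register vs /alert) and
# verb-level (GET vs PUT on /register) control with one table.
REQUIRED_SCOPE = {
    ("/alert", "GET"): "alert:read",
    ("/register", "GET"): "register:read",
    ("/register", "PUT"): "register:write",
}

# Scopes each subscriber role may receive at token issuance (assumed roles).
ROLE_SCOPES = {
    "subscriber": {"alert:read"},
    "partner": {"alert:read", "register:read"},
    "admin": {"alert:read", "register:read", "register:write"},
}


@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset


def issue_token(subject, roles, requested):
    """Grant only the requested scopes that the subject's roles allow.

    A subscriber asking for register:write without the role gets a token
    that silently lacks it, so enforcement happens at issuance as well.
    """
    allowed = set().union(*(ROLE_SCOPES.get(r, set()) for r in roles))
    return Token(subject, frozenset(set(requested) & allowed))


def authorize(token, verb, path):
    """Return True if the token's scopes permit verb+path under the API context."""
    # Drop the query string and collapse '..', '//' and trailing slashes so
    # the lookup key matches the published resource path exactly.
    path = posixpath.normpath(path.split("?", 1)[0])
    if not path.startswith(API_CONTEXT + "/"):
        return False
    resource = path[len(API_CONTEXT):]
    required = REQUIRED_SCOPE.get((resource, verb.upper()))
    return required is not None and required in token.scopes
```

Because each token carries only the scopes its roles permit, the gateway check is a single table lookup, while the question of how many active tokens per application to allow remains a separate policy decision.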
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
