Can we please arrange a design review for this? We discussed an Application concept in IS and we need to see how all these integrate together.
Thanks & regards,
-Prabath

On Fri, Jul 26, 2013 at 3:34 PM, Vijayaratha Vijayasingam <[email protected]> wrote:

> Hi all;
>
> *Our requirement*
> Currently we restrict the API for a particular user role. This is done by
> setting resource permissions at registry level. So, when a user logs in to
> the API Store, based on his role that API will be visible to him. But,
> with the available feature, we cannot restrict the API resources or HTTP
> verbs for a role.
>
> The requirement is, depending on the user's role we need to control API
> resources/HTTP verbs, when the API is available for a particular subscriber.
> eg:
>
> 1) We publish an API called UserAPI with context /user/customers/v1.
> UserAPI contains other APIs (resources) under it; for example /alert and
> /register. As external developers are subscribing at /user/customers/v1
> level, they get all the "resources" under this context. However at runtime
> user may want only some subscribers to be able to call /register resource;
> based on subscriber's role. (Resource level access)
>
> 2) HTTP verb level access, for a single resource, some users need to
> access only browse (GET) permission, others want write (PUT) permission.
>
> *Ways to achieve*
>
> 1) We could use XACML policy based on the role.
> 2) Defining an OAuth scope for resource/verb level.
>
> In the 2nd method, we may have different access tokens for a single API.
> We, by default, have 'production', 'sandbox' scopes for tokens. If we define
> more scopes, we might need more access tokens to be issued for an API, and
> allowing active tokens at a given time has to be considered. And also
> throttling will be a major consideration.
>
> How should we approach the above requirement?
>
> Thoughts are welcome..
>
> Thanks
> --
> -Ratha
> mobile: (+94)755906608
>

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
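The scope-based option (2) from Ratha's mail, as an added example that is not WSO2 code: roles are bound to scopes at token-issue time, and the gateway maps each (resource, HTTP verb) pair of the UserAPI to one required scope. One token carries several scopes, so the example keeps a single token per application while still restricting /register and PUT on /alert to particular roles. The scope names, the role names (subscriber, partner, admin) and the verb-to-scope assignments are assumptions made for illustration.

```python
"""Added example (not WSO2 code): resource- and verb-level access via OAuth scopes.

Models option 2 from Ratha's mail as two checks:
  1. token issue time: the user's roles decide which requested scopes are granted;
  2. gateway time: the (resource, verb) pair resolves to one required scope,
     which must be present in the token.
Paths follow the UserAPI context /user/customers/v1 from the mail; role and
scope names are constructed for illustration.
"""
import fnmatch

# Scope -> roles allowed to obtain it (assumed role names). Binding roles to
# scopes here means the user's role bounds what any token they obtain can do.
SCOPE_ROLES = {
    "customers:read": {"subscriber", "partner", "admin"},
    "customers:register": {"partner", "admin"},
    "customers:write": {"admin"},
}

# (path pattern, HTTP verb, required scope). Most specific entries first; the
# last row is the browse-only catch-all for everything else under the context.
RESOURCE_SCOPES = [
    ("/user/customers/v1/register", "POST", "customers:register"),
    ("/user/customers/v1/alert", "PUT", "customers:write"),
    ("/user/customers/v1/*", "GET", "customers:read"),
]


def grant_scopes(user_roles, requested_scopes):
    """Token issue: keep only the requested scopes the user's roles permit.

    Unknown scopes are dropped rather than granted (fail closed).
    """
    roles = set(user_roles)
    return frozenset(s for s in requested_scopes if SCOPE_ROLES.get(s, set()) & roles)


def required_scope(path, verb):
    """Resolve the scope guarding this resource/verb, or None if unmapped."""
    for pattern, v, scope in RESOURCE_SCOPES:
        if v == verb.upper() and fnmatch.fnmatchcase(path, pattern):
            return scope
    return None


def authorize(token_scopes, path, verb):
    """Gateway check. Returns (allowed, reason).

    A resource/verb with no mapping is denied, so subscribing at the context
    level no longer grants every resource and verb underneath it.
    """
    scope = required_scope(path, verb)
    if scope is None:
        return False, "no_scope_mapping"
    if scope in token_scopes:
        return True, scope
    return False, "insufficient_scope:" + scope


if __name__ == "__main__":
    # Constructed walk-through: a 'partner' application requests all three scopes
    # but is granted only the ones its role allows.
    token = grant_scopes(["partner"], ["customers:read", "customers:register", "customers:write"])
    print("granted:", sorted(token))
    for path, verb in [("/user/customers/v1/alert", "GET"),
                       ("/user/customers/v1/alert", "PUT"),
                       ("/user/customers/v1/register", "POST"),
                       ("/user/customers/v1/register", "DELETE")]:
        print(verb, path, "->", authorize(token, path, verb))
```

The role check happens once, when the token is issued; the gateway then only compares the token's scope set against the mapping table, which keeps the per-request decision cheap. Unmapped resource/verb combinations are denied by default, which is the check to keep in mind when a new resource is added to the API without a scope entry.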
