API Guardian Guide

Introduction

This page provides a guide to how the standard API Guardian is configured for Memority, and how to use it.

API Zones

The following API Zones are automatically configured in the deployed API Guardian (builtin properties):

Id	Patterns	Description
CODE `amcp-config`	CODE `/{tenant}/api/v/amcp/conf/*`	Access to AMCP configuration APIs
CODE `amcp-federations`	CODE `/{tenant}/api/v/amcp/federations/*`	Access to AMCP Federation management APIs
CODE `aud-config`	CODE `/{tenant}/api/v/aud/conf/*`	Access to Audit configuration APIs
CODE `aud-audits`	CODE `/{tenant}/api/v/aud/audits/*`	Access to Audit search APIs
CODE `bum-config`	CODE `/{tenant}/api/v/bum/conf/*`	Access to all BUM configuration APIs.
CODE `bum-features`	CODE `/{tenant}/api/v/bum/features/*`	Access to BUM Features APIs.
CODE `bum-workflows`	CODE `/{tenant}/api/v/bum/workflow-user-tasks/* /{tenant}/api/v/bum/workflow-instances/*`	Access to BUM Workflow Instances et User Tasks APIs
CODE `bum-user-mobile`	CODE `/{tenant}/api/v/bum/user/mobile/*`	Access to BUM Application apps to mobile
CODE `i18n-config`	CODE `/{tenant}/api/v/i18n/conf/*`	Access to all I18N configuration APIs.
CODE `idm-config`	CODE `/{tenant}/api/v/idm/conf/*`	Access to all IDM configuration APIs.
CODE `idm-identities`	CODE `/{tenant}/api/v/idm/identities/*`	Access to IDM Identities APIs.
CODE `idm-organizations`	CODE `/{tenant}/api/v/idm/organizations/*`	Access to IDM Organization APIs.
CODE `idm-resources`	CODE `/{tenant}/api/v/idm/resources/*`	Access to IDM Resource APIs.
CODE `idm-roles`	CODE `/{tenant}/api/v/idm/roles/*`	Access to IDM Roles APIs.
CODE `idm-role-publications`	CODE `/{tenant}/api/v/idm/role-publications/*`	Access to IDM Role Publications APIs.
CODE `idm-rights`	CODE `/{tenant}/api/v/idm/rights/*`	Access to IDM Rights APIs.
CODE `ntf-config`	CODE `/{tenant}/api/v/ntf/conf/*`	Access to all NTF configuration APIs.
CODE `rep-config`	CODE `/{tenant}/api/v/rep/conf/*`	Access to all REP configuration APIs.
CODE `rep-collections`	CODE `/{tenant}/api/v/rep/collections/*`	Access to REP Collection APIs.
CODE `sync-config`	CODE `/{tenant}/api/v/sync/conf/*`	Access to all SYNC configuration APIs.
CODE `sync-orchestration-tasks`	CODE `/{tenant}/api/v/sync/orchestration-tasks/*`	Access to SYNC Orchestration Task Instances APIs.
CODE `sync-sync-tasks`	CODE `/{tenant}/api/v/sync/sync-tasks/*`	Access to SYNC Synchronization Task Instances APIs.
CODE `sync-prov-tasks`	CODE `/{tenant}/api/v/sync/prov-tasks/*`	Access to SYNC Provisioning Task Instances APIs.
CODE `sync-export-tasks`	CODE `/{tenant}/api/v/sync/export-tasks/*`	Access to SYNC Export Task Instances APIs.
CODE `tcf-config`	CODE `/{tenant}/api/v/tcf/conf/*`	Access to all TCF configuration APIs

These API zones definitions might evolve, the changes will be reported in this page.

API Access Right

The right used to provide access to API Zones is:

sys.api-zone-access

This is a RESOURCE scope right where targets are the API Zone identifiers as declared in the table above.

The sys.api-zone-access only gives access to the API Zone at the level of the API Guardian service. The user still needs to have discrete rights to access the APIs on the targeted internal service.

For example, to have access to the configuration of Attribute Definitions on the IDM API, one would need the following rights:

Right	Target	Why?
CODE `sys.idm-schema-crud`		User needs to have the right to perform configuration operations on Attribute Definitions, on the IDM
CODE `sys.api-zone-access`	CODE `idm-config`	User needs to have the right to the `idm-config` API Zone, that includes schema configuration on the IDM, for the API Guardian service to grant access.

The user should have right sys.ctd-super-admin to perform actions

OAuth2 Authentication

The API Guardian supports client authentication using an OAuth2 Access Token.