You can control data access down to the row and column-instance level by configuring security in API Creator.
You can secure access to your API using:
Watch the Video
The CA Live API Creator Security video describes the concepts and operation of declarative security:
- Admin versus application security.
- Authentication providers. The built-in authentication provider and defining custom authentication providers.
- Roles. Access and table permissions for row/column security.
- Globals. Per/user parameterization for row filter.
Security operates at the following levels in CA Live API Creator:
- Admin security. Admin security controls access to CA Live API Creator itself, where APIs, databases, security, and logic are defined. It is authentication with "root privilege" to CA Live API Creator (for example, the admin account). Admin security controls who can access API Creator and, therefore, who can update admin data. Administrator users can alter logic, define security, and access Data Explorer in Author Mode.
- Application security. Application security defines who can access the API (the data exposed by API Creator) and what the user is authorized to do. Application security operates by way of role-based endpoint access.
API Creator provides options for https-based communications.
The following image shows the security workflow:
The following workflow provides an overview of security:
- Owners/administrators define role permissions and custom authentication providers in API Creator. API Creator stores the authentication providers in the admin database.
- Applications obtain an authentication token by posting credentials to the @authentication endpoint. An auth token typically represents an authorized user and defines the set of roles to which the user is authorized. For more information about the roles assigned to the auth token, see Authorization.
- API Server invokes the custom authentication provider. Your custom authentication provider is passed the credentials, such as the name and password, and obtains a set of authorized roles by looking the user up in your available and configured identity provider, such as Lightweight Directory Access Protocol (LDAP), Active Directory (AD), or OAuth.
- API Server creates an auth token containing the roles and globals and stores these in the admin database. The auth token is available to all API Server nodes in a cluster.
- The auth token ID is returned to the client, which passes it in the header of subsequent requests; the API Server uses it to enforce role permissions.
Your authentication provider provides service connectivity. For further control, you can deploy services within a private cloud using API Creator.
Cross Origin Resource Sharing (CORS)
For more information about CORS, see the CORS wiki page.
Database Connection Security
API Creator requires access to your database.
CA Live API Creator uses industry standards to protect your information with encryption and salting. The following are the common database-location scenarios:
- Cloud database. It is common practice to deploy databases in the cloud for automated maintenance and administration. To minimize latency, select an API Creator service on the same cloud provider and region as your database. If your organization requires advanced security, deploy API Server in your private cloud.
- On-premises database. Where services are required for a database already deployed behind your firewall, contact your network administrator to authorize access by API Creator. The
If your organization has rigid security requirements, configure an on-premises API Server. This generally does not include elastic support to dynamically add servers.