Security

Security
calac41
You can control data access down to the row and column-instance level by configuring security in API Creator.
You can secure access to your API using:
  • Authentication. 
    Admin security, that is, which API users have access 
    CA Live API Creator
     to define APIs, databases, security, and logic. API users are consumers of API endpoints in API Creator.
    For more information about authentication, see Authentication.
  • Authorization. 
     Application security, that is, what authenticated API users have the permissions to do, such as access to resource endpoints, row/column security, and API definition.
  • For more information about authorization, see Authorization.
In this article:
 
 
2
 
 
Watch the Video
The following 
CA Live API Creator
 Security video describes the concepts and operation for declarative security:
  • Admin versus application security
    .
  • Authentication providers
    . The 
    built-in authentication
     authentication provider and defining custom authentication providers.
  • Roles
    . Access and table permissions for row/column security.
  • Globals
    . Per-user parameterization for row filter.
Security Levels
Security operates at the following levels in 
CA Live API Creator
:
  • Admin security.
    Admin security is what controls access to 
    CA Live API Creator
     to define APIs, databases, security, and logic. It is authentication with "root privilege" to 
    CA Live API Creator
     (for example, the 
    admin
     user). Admin security controls who can access API Creator and, therefore, who can update data in the admin database. Administrator users can alter logic, can define security, and can access Data Explorer in Author Mode.
  • Application security. 
    Application security defines who can access the API (the data, such as by API Creator) and what the API user is authorized to do. Application security operates by way of role-based endpoint access.
Communications Security
API Creator provides options for https-based communications.
Security Workflow
The following image shows the security workflow:
  CA Technologies  
The following workflow provides an overview of security:
  1. API owners/administrators define role permissions and custom authentication providers in API Creator. API Server stores the authentication providers in the admin database.
  2. Applications obtain an authentication token by posting credentials to the 
    @authentication
     resource endpoint. An auth token typically represents an authorized user and defines the set of roles to which the user is authorized.
    For more information about the roles assigned to the auth token, see Authorization.
  3. API Server invokes the custom authentication provider. API Server passes the credentials to the custom authentication provider, such as the name and password. The custom authentication provider obtains of set of authorized roles by looking it up in your corporate security system, such as StormPath, Lightweight Directory Access Protocol (LDAP), Active Directory (AD), OAuth, a SQL database, or any other 3rd party authentication mechanism.
  4. API Server creates an auth token containing the roles and globals and stores these in the admin database. This auth token is available to all API Server nodes in a cluster.
  5. API Server returns the auth token ID to the client, who passes it in the header of subsequent requests; the API Server uses it to enforce role permissions.
Service Connectivity
Your authentication provider provides service connectivity. For further control, you can deploy services within a private cloud using API Creator.
For more information about how to install 
CA Live API Creator
 to run as a cloud-based service, see Installing and Upgrading.
Cross Origin Resource Sharing (CORS) Enforces Unauthorized Access
To prevent a malicious site from accessing servers open on other tabs (for example, your bank), JavaScript code can access only the site from which it was loaded, unless specifically authorized. The Cross-Origin Resource Sharing (CORS) mechanism enforces this restriction. You can protect your data from unauthorized access by creating an HTTP Options event handler for your API.
For more information:
Database Connection Security
API Creator requires access to your database. 
CA Live API Creator
 uses industry standards to protect your information with encryption and salting. The following are the common database-location scenarios:
  • Cloud database. 
    It is a common practice to deploy databases in the cloud, for automated maintenance and administration. To minimize latency, select a 
    CA Live API Creator
     service on the same cloud provider and region as your database. If your organization requires advanced security, provide API Server in your private cloud.
  • On-premises database.
     Where services are required for a database already deployed behind your firewall, contact your network administrator to authorize 
    CA Live API Creator
     access to your database. The
     
    basic approach is to open a port in your firewall for your database. For on-premise databases, the public cloud IP address of your API Server is required.
If your organization has rigid security requirements, configure an on-premises API Server. This generally does not include elastic support to dynamically add servers.