Authorization

API Server determines what an authenticated API call is permitted to do by looking at the roles assigned to its auth token. The following sections explain the basic facilities.
Role-Based Access
Role-based access control (RBAC) provides authorization control over what table, view, procedure, resource, and meta table REST endpoints are visible to which roles. You can also control a role's permissions to call specific function-based endpoints, specific entity-based endpoints, and resource-based endpoints.
For more information, see Role-Based Endpoint Access.
Globals
Globals are variables that CA Live API Creator makes available to each transaction so that they can determine what data the user should have access to.
For more information, see Role-Based Endpoint Access.
Auth Token Globals
In most cases, your authentication provider makes the values of the authentication token available as globals (for example, the LoginId global), with the exception of the password. In addition, your authentication provider can return a set of global values, for example, scalar values such as UserName and objects such as a database row (for example, retrieved by the LoginId global).
Built-in Authentication Provider Globals
The built-in authentication provider provides the user_identifier variable for the _apikey system global. For example:
@{_apikey.user_identifier}
For more information about auth tokens, including the user_identifier apikeys API creation endpoint attribute, see Auth Tokens.
System Globals
API Creator predefines the following globals, sets them for every transaction, and references the predicate:
System Global Name | Value | Example
_apikey | The auth token (_apikey) object currently in use. | @{_apikey.project_ident}
_project | The API currently in use. | @{_project.name}
_account | The account currently in use. | @{_account.name}
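
The Auth Token Globals and System Globals sections above describe values referenced as @{global.attribute}. The following is an added example, not CA Live API Creator code: it sketches one way to expose provider values as globals without the password and to resolve such references in a row filter as bind parameters. The helper names, the filter text and the parameter-binding approach are assumptions.

```javascript
// Added illustration, not CA Live API Creator code. Predicate text and column
// names are constructed; binding values as parameters is an assumption here.
const PLACEHOLDER = /@\{([A-Za-z_]\w*)(?:\.([A-Za-z_]\w*))?\}/g;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical helper: expose auth-provider values as globals, except the password.
function buildGlobals(authValues, systemValues) {
  const globals = Object.create(null);
  for (const [key, value] of Object.entries(authValues)) {
    if (key.toLowerCase() !== 'password') globals[key] = value;
  }
  // System globals go in last so provider-returned values cannot shadow them.
  for (const name of ['_apikey', '_project', '_account']) {
    globals[name] = Object.freeze({ ...systemValues[name] });
  }
  return globals;
}

// Hypothetical helper: turn each @{global} or @{global.attribute} reference into
// a "?" bind parameter. Unknown or non-scalar references throw (fail closed).
function resolvePredicate(predicate, globals) {
  const params = [];
  const sql = predicate.replace(PLACEHOLDER, (ref, name, attr) => {
    if (!(name in globals)) throw new Error(`unknown global in ${ref}`);
    let value = globals[name];
    if (attr !== undefined) {
      if (value === null || typeof value !== 'object' || !has(value, attr)) {
        throw new Error(`unknown attribute in ${ref}`);
      }
      value = value[attr];
    }
    if (value !== null && typeof value === 'object') {
      throw new Error(`${ref} is not a scalar`);
    }
    params.push(value);
    return '?';
  });
  if (sql.includes('@{')) throw new Error('malformed global reference');
  return { sql, params };
}

// Constructed sample input.
const sampleGlobals = buildGlobals(
  { LoginId: 'jdoe', UserName: 'Jane Doe', password: 'constructed-secret' },
  { _apikey: { user_identifier: "7 OR 1=1", project_ident: 1000 },
    _project: { name: 'demo' }, _account: { name: 'acme' } });
const sampleFilter = resolvePredicate(
  'owner_id = @{_apikey.user_identifier} AND project = @{_project.name}', sampleGlobals);
console.log(sampleFilter); // values stay in params, never spliced into the SQL text
```

A reference that cannot be resolved raises an error instead of producing a filter with a missing condition, so a typo in a global name denies access rather than widening it.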