CMiC API Access Setup - Overview
CMiC APIs exposed to external consumers are protected by three layers. These are not a hierarchy in which one layer replaces another; they are complementary controls, and all three are recommended for every integration to maximize protection.
Application Security Layer
CMiC natively applies business-level security that governs access to applications, programs, and data within the system. Once an identity is authenticated, this layer determines which records and functions that user or service account may work with inside CMiC.
For example, under the User Maintenance screen, administrators can control which users have access to jobs by defining job security groups and assigning jobs to those groups.
API Security Layer
CMiC API Security enforces endpoint-level authorization using role-based access control (RBAC). After an identity is authenticated, this layer determines which API endpoints and methods (Create, Update, Retrieve, Delete) the user or application is allowed to execute.
This layer is especially important when multiple integrations require different levels of access to the same business object.
Authentication Layer
Authentication verifies the identity of the API user or application before any access is granted. CMiC supports Basic Authentication or OAuth 2.0 through an external Identity Provider (IdP), such as Azure AD, Okta, or Google. Basic Authentication sends the credential with every request, so it must only be used over TLS and with a dedicated service account; OAuth 2.0 keeps the credential with the IdP and issues short-lived tokens to the integration.
Authentication verifies identity only. It does not decide which resources or endpoints the identity may access; that decision belongs to the API Security and Application Security layers.
For more information on how to enable OAuth with CMiC, see OAuth.
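The following is an added example, not CMiC code, showing how the three layers described above combine at request time: the Authentication layer runs first (Basic or bearer credential), then the API Security layer's role-based endpoint/method check, then the Application Security layer's job security group check. The user names, roles, endpoint path, job codes and security groups are constructed for illustration; CMiC's real role names, endpoint paths and token format are not on this page and are not assumed here.

```python
import base64
import hmac
from typing import Optional, Tuple

# ---- Authentication layer -------------------------------------------------
# Constructed credential stores. BASIC_USERS stands in for CMiC service
# accounts; IDP_TOKENS stands in for tokens minted by an external IdP
# (real deployments validate the token's signature and expiry with the IdP).
BASIC_USERS = {"svc_erp": "s3cret-password"}
IDP_TOKENS = {"tok-from-idp-demo": "svc_payroll"}


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a Basic-auth client would send."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def authenticate(headers: dict) -> Optional[str]:
    """Return the caller's identity, or None if the credential is rejected.
    Accepts 'Basic base64(user:password)' or 'Bearer <token>'."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic":
        try:
            user, _, pwd = base64.b64decode(value).decode().partition(":")
        except ValueError:          # bad base64 or non-UTF-8 payload
            return None
        expected = BASIC_USERS.get(user)
        # Constant-time comparison avoids leaking password length/prefix.
        if expected is not None and hmac.compare_digest(pwd.encode(), expected.encode()):
            return user
        return None
    if scheme == "Bearer":
        return IDP_TOKENS.get(value)
    return None


# ---- API Security layer (RBAC on endpoint + method) ----------------------
# Hypothetical roles: each role lists the (method, endpoint) pairs it may call.
ROLE_OF = {"svc_erp": "job-reader", "svc_payroll": "job-editor"}
PERMISSIONS = {
    "job-reader": {("GET", "/jobs")},
    "job-editor": {("GET", "/jobs"), ("POST", "/jobs"), ("PUT", "/jobs")},
}


def authorize_endpoint(identity: str, method: str, endpoint: str) -> bool:
    """True if the identity's role may execute this method on this endpoint."""
    return (method, endpoint) in PERMISSIONS.get(ROLE_OF.get(identity), set())


# ---- Application Security layer (job security groups) --------------------
# Hypothetical job-to-group and user-to-groups assignments, mirroring the
# User Maintenance job security group concept from the page.
JOB_GROUPS = {"JOB-001": "east", "JOB-002": "west"}
USER_GROUPS = {"svc_erp": {"east"}, "svc_payroll": {"east", "west"}}


def authorize_record(identity: str, job_code: str) -> bool:
    """True if the job belongs to a security group the identity is in."""
    return JOB_GROUPS.get(job_code) in USER_GROUPS.get(identity, set())


def handle_request(method: str, endpoint: str, headers: dict,
                   job_code: Optional[str] = None) -> Tuple[int, str]:
    """Run the three layers in order. 401 = not authenticated,
    403 = authenticated but not authorized, 200 = allowed (returns identity)."""
    identity = authenticate(headers)
    if identity is None:
        return 401, "unauthenticated"
    if not authorize_endpoint(identity, method, endpoint):
        return 403, "endpoint not permitted for role"
    if job_code is not None and not authorize_record(identity, job_code):
        return 403, "job not in caller's security group"
    return 200, identity


if __name__ == "__main__":
    creds = basic_header("svc_erp", "s3cret-password")
    print(handle_request("GET", "/jobs", creds, "JOB-001"))   # allowed
    print(handle_request("POST", "/jobs", creds, "JOB-001"))  # role lacks POST
    print(handle_request("GET", "/jobs", creds, "JOB-002"))   # wrong job group
    print(handle_request("GET", "/jobs", {}, "JOB-001"))      # no credential
```

Note that a valid credential alone never produces a 200: the same svc_erp login is rejected at the API layer for POST and at the application layer for a job outside its group, which is the point of keeping the three layers separate.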