Search Tips
Overview
NOTE: This feature was released in Patch 19.
The API Security screen is used to manage API role security. It allows users to define and control CMiC endpoints used by a service account at the system level. A process train is conveniently located at the top of the screen to help guide you through the steps. Clicking on a node in the process train will launch the associated security screen. To learn more about the process involved in setting up your API security, refer to Setting Up API Security.
Note API role security follows the user role security paradigm. If roles are created and endpoints assigned, then any service account that does not belong to a role will not have access to any endpoints/methods. Just the same, if no roles are defined, then all users will have access to CMiC endpoints and no restrictions will be enforced.
API Security Layers Explained
Understanding the API authentication and authorization flow in CMiC can be thought of as comprising the following three layers:
1. Authentication Layer
Basic Auth or OAuth is where the user identifies themselves via an IDP (Identity Provider), such as Azure or Google. It verifies the user’s identity before granting access to any API.
2. API Security Layer
This new layer created by CMiC is an additional layer that offers admins greater control and enhanced security on top of the API/DB code implemented by the application team. This layer allows admins to restrict user access on specific endpoints or APIs.
Example: Restricting the GET method on the pyemployee endpoint while allowing POST methods.
3. Application Security Layer
The Business Logic Layer is security implemented by CMiC application developers within the application itself.
Example: Job Security Groups, which manage access based on the user’s job role within the system.
API Program Security Bypass
Pgm: SDAPISECBYPAS – API Program Security Bypass; standard Treeview path: System > Security > API Security - API Program Security Bypass
The API Program Security Bypass screen allows admins to select which API endpoint programs they want to bypass any additional API security layers offered by CMiC. Programs listed here will only be subjected to the authentication layer and application security layer. In other words, bypassed programs will not be subject to API-specific security features implemented by CMiC but will still be secured by authorization and application-level security.
Define API Roles
Pgm: SDAPIROLE – API Roles; standard Treeview path: System > Security > API Security - Define API Roles
This screen is used to create API security roles.
API Role Code, API Role Name
Enter a code and name for the API security role being defined.
System Defined
System Defined roles cannot be updated, inserted, or deleted by users. It is a view only record and can be added via scripts as metadata.
Assign API to Role
Pgm: SDAPITOROLE – Assign API to Role; standard Treeview path: System > Security > API Security - Assign API to Role
This screen is used to assign API security role(s) access to selected API endpoints (e.g. service accounts) within an application.
Selection Criteria
Role
Select the security role from the Role LOV to apply the API application(s) and the required API endpoint(s) registered to the selected application.
API End Points
The API End Points section will display all the API endpoints registered to the selected application. Scroll down the list to select the required endpoint. For a system defined role, users cannot update, insert, or delete the records. They will be view-only fields.
Application
Enter or select the API application from the LOV.
Endpoint
Enter or select the API endpoint from the LOV.
API Description
Enter a description for the API application and endpoint.
Insert
Indicates if the endpoint has insert access.
Update
Indicates if the endpoint has update access.
Delete
Indicates if the endpoint has delete access.
Query
Indicates if the endpoint has query access.
Assign Users to Roles
Pgm: SDAPIROLEUSER – Assign Users to Roles; standard Treeview path: System > Security > API Security - Assign Users to Roles
This screen is used to assign users to selected API security roles if your API/Mobile server has been set up to work with Basic Authentication.
Roles
This section lists the API security roles available. Scroll down the list to select the required security role. The fields in this section are display-only.
Users
This section displays the users assigned to the selected API security role. Use the [Insert] button to insert a new User record. The user indicated here will have the selected API security role assigned.
App Registration
Pgm: SDAPIAPPREG – App Registration; standard Treeview path: System > Security > API Security - App Registration
This screen allows users to register OAuth2 applications from Azure or from other providers if your API/Mobile server has been set up to work with OAuth2. These apps allow users to authenticate when calling our APIs using OAuth2, and CMiC confirms that the values sent in match what has been registered in this screen.
To learn more about using CMiC OAuth2, refer to OAuth2 – CMiC Configuration.
NOTE: Auth2 app registration data will be kept after a clone. Specifically, the data in the App Registration section will be kept, but the data in the Roles section (API security roles assigned to the app registration) will not be kept.
App Registration
This section is used enter applications to be authenticated when calling APIs using OAuth2.
Note Users will not be able to insert, update, or delete a system defined app (the System Defined box is checked) from the UI. It will be view only and will be added via scripts as metadata. The user will be able to assign system defined roles to a user-defined app, and the system will allow assigning roles to system defined apps.
Roles
This section displays the API security roles that have access to the selected app registration. Assigning roles limits the APIs anyone authenticating using the selected app registration has access to. Use the [Insert] button to insert a new Role record.