Why is a Custom role user without any permissions able to run Analytics API for the org ?
I have created a custom role called "Inactive account" for my org wherein all the permissions are disabled. I have added a user for this custom role (let's call it as "InactiveUser1"). However, when I run the following analytics API call with this "InactiveUser1", I am getting 200 OK and also get the response payload.
curl -v https://api.enterprise.apigee.com/v1/organizations/adevegowda/environments/test/stats/apiproxy?select=sum%28message_count%29&sort=DESC&sortby=sum%28message_count%29&timeRange=12%2F10%2F2015+11:01:00~12%2F10%2F2015+12:01:00
I was expecting that I should get 401 Unauthorized.
Can you please look into this and let me know if this is expected behaviour or not ?
Best Answer
The Edge UI surfaces a subset of all possible RBAC permissions and lets you set up simplified roles that are intended to be used in the UI. The UI currently does not surface Analytics permissions, so it gives custom roles GET permissions for Analytics calls.
The UI should probably let the user do a raw edit of RBAC permissions, and that feature is under consideration.
In the meantime, you should update the role's permissions with the Management API directly to remove the GET permissions on the Analytics' paths.
See this link.
Thanks for your suggestion, it helped.
As suggested by Charles above, I update the "Inactive account" role's to remove all permissions for Analytics API as shown below using the API at Add/Update Permissions
{
"path": "/environments/test/stats/*",
"permissions": []
}
Post this, if I use the "Inactive account" user then I get the below error as expected
HTTP/1.1 403 Forbidden
If we want to remove the permissions across all the environments for Analytics API, then we can do it as follows:
{
"path": "/environments/*/stats/*",
"permissions": []
}
