Is there an RBAC solution to Monetization


We have a business need to secure monetization within the OPDK. Since monetizing an API begins with creating a transaction recording policy within the Product definitions, is there any way to prevent access to this button via the traditional resource path entitlements? Are there other ways to restrict this capability within OPDK 15.07.07?

3 REPLIES

Former Community Member

Hi @deanxcobb I have explained one possible solution that you can try. The UI experience may not be optimal (i.e. the user will see an error when they click the edit transaction recording policy button, or they may see a greyed out "Save" button on the add transaction recording policy page), but I think it may get the work done:

1) Create a custom role with all the permissions you need to set (check boxes from the UI) or use an existing pre-defined role.

2) Execute the following command to get a list of all permissions in that role (note your management endpoint will be different):

curl -X GET --header "Authorization: Basic {base64-encoded-value-of-orgadmin-userid:password}" "https://api.enterprise.apigee.com/v1/organizations/{org-name}/userroles/{role-name}/permissions"

this will get you a response like this:

{
  "resourcePermission" : [ {
    "organization" : "some-org",
    "path" : "/environments/*/virtualhosts/*",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/environments/*/virtualhosts",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/environments",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/environments/*",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/developers",
    "permissions" : [ "get", "put" ]
  },
  .......
  .......
]}

3) Execute the following command to add only a GET permission on the transaction recording resource:

curl -X POST --header "Content-Type: application/json" --header "Authorization: Basic {base64-encoded-value-of-orgadmin-userid:password}" -d "{\"path\" : \"/products/*/txrecordingpolicy\",\"permissions\" : [ \"get\"]}" "https://api.enterprise.apigee.com/v1/organizations/{org-name}/userroles/{role-name}/permissions"

4) Verify that the permissions have been updated for this role:

curl -X GET --header "Authorization: Basic {base64-encoded-value-of-orgadmin-userid:password}" "https://api.enterprise.apigee.com/v1/organizations/{org-name}/userroles/{role-name}/permissions"

You should now see a response like this:

{
  "resourcePermission" : [ {
    "organization" : "some-org",
    "path" : "/environments/*/virtualhosts/*",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/environments/*/virtualhosts",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/environments",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/environments/*",
    "permissions" : [ "get" ]
  }, {
    "organization" : "some-org",
    "path" : "/developers",
    "permissions" : [ "get", "put" ]
  },
  .......
  .......
  , {
    "organization" : "some-org",
    "path" : "/products/*/txrecordingpolicy",
    "permissions" : [ "get" ]
  } ]
}

If the person in that role logs into the org & clicks on the "Edit Transaction Recording Policy" button it will throw an error - "Insufficient permissions...". If they try to "Add Transaction Recording Policy" they won't be able to click on the "Save" button & save the transaction recording policy.
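As an added example (not part of the thread or of Apigee's own tooling), the following Python audits a saved copy of the permissions response from step 4 and reports whether the role can still write transaction recording policies, including through a broader wildcard entry such as /products/**. The wildcard semantics (`*` matches one path segment, `**` matches any number) and the sample responses are assumptions constructed for the example.

```python
# Added example: audit an Apigee userrole permissions response for
# write access to transaction recording policies. Wildcard matching
# semantics below are an assumption, not taken from the thread.
import json
import re

TXRP_PATH = "/products/*/txrecordingpolicy"
WRITE_VERBS = {"put", "delete"}


def covers(pattern, path):
    """True if a resource pattern matches `path` ('*' = one segment, '**' = any depth)."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]+")
    return re.fullmatch(rx, path) is not None


def audit_txrecording(permissions_json):
    """Return (read_only, findings) for the role's permissions response.

    read_only is True only when TXRP_PATH is explicitly granted 'get' alone
    and no other (wildcard) entry grants a write verb that also covers it."""
    entries = json.loads(permissions_json).get("resourcePermission", [])
    explicit, findings = None, []
    for entry in entries:
        path = entry.get("path", "")
        verbs = {v.lower() for v in entry.get("permissions", [])}
        if path == TXRP_PATH:
            explicit = verbs
        elif covers(path, TXRP_PATH) and verbs & WRITE_VERBS:
            findings.append(f"{path} grants {sorted(verbs & WRITE_VERBS)}")
    if explicit is None:
        findings.append("no explicit entry for " + TXRP_PATH)
    elif explicit & WRITE_VERBS:
        findings.append(f"{TXRP_PATH} grants {sorted(explicit & WRITE_VERBS)}")
    return (not findings, findings)


# Constructed sample shaped like the step-4 verification response above.
SAMPLE_AFTER = json.dumps({"resourcePermission": [
    {"organization": "some-org", "path": "/environments/*", "permissions": ["get"]},
    {"organization": "some-org", "path": "/developers", "permissions": ["get", "put"]},
    {"organization": "some-org", "path": TXRP_PATH, "permissions": ["get"]},
]})
# Constructed sample where a broad wildcard quietly re-grants write access.
SAMPLE_BROAD = json.dumps({"resourcePermission": [
    {"organization": "some-org", "path": "/products/**", "permissions": ["get", "put", "delete"]},
    {"organization": "some-org", "path": TXRP_PATH, "permissions": ["get"]},
]})

if __name__ == "__main__":
    for name, body in (("after-fix", SAMPLE_AFTER), ("broad-wildcard", SAMPLE_BROAD)):
        ok, findings = audit_txrecording(body)
        print(name, "read-only" if ok else "WRITE ACCESS", findings)
```

Pipe the output of the step-4 curl into a file and pass its contents to audit_txrecording to check a real role.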

Former Community Member

@deanxcobb did that work for you?

Not applicable

Yes, it can work as you identify, however, I agree that having to view "error" messages is not an optimal experience for developers.

Based upon user experience being optimal, we are discussing internally.