Restrict access to hide Devapp keys
How do you configure an org role to be able to view the DevApp configuration but hide the consumer key and consumer secret?
Logically even an administrator "role" login of apigee system should not be allowed to view the keys.
I'm not sure how this can be achieved in simplest way.
This should be basic functionality, I don't know why Apigiee not making this high priority to fix it. we opened a case they simply said this is not available now.
I will say this is a big security hole!
I didn't find any option in the role to do such. You can create one api in Apigee which would be doing management call to get the developer app details and can customize the response what you want to share to the users.
Thanks, this doesn't help my usecase. I need to restrict it in the Edge UI, so that the logged in user is able to view the Devapp but not the app key/secret.
You cannot restrict like that in roles. You have to provide a role using which user cannot see the developer app at all, the user should be provided one API which will provide all the developer app properties other than the key and secret. This is how you can share the information like attribute values and products registered etc. If you don't want to show any information other than the app name, then you don't need to give access to the apps, only access to the product will be fine, in the product user can see it is registered with which apps.
@Priyadarshi Ajitav Jena - If user cannot see the devapps at all based on the role, the devapps wont be listed in the products as well in Edge UI.
Hi, I was recently looking in to this in our onprem solution.. basically with the same motivation as the original poster.
So far I have not found a way to restrict this using custom role.. I have done several attempts at custom roles and unfortunately there is lots of "trial and error".
The custom role documentation is lacking.. one can reference: https://docs.apigee.com/api-platform/system-administration/permissions .. to maybe get some help on it.
My scenario right now is for a role I want to create.
- Should be able to view and edit developer apps.
- Should not be able to view "ConsumerKey" and "ConsumerSecret" for any app.
- Should be able to assign products to developer apps.
App owners "Developers" will be directed to our developer portal where they will see their app credentials and can manage their app.
To me it makes perfect sense that credentials should not be exposed to others then the owner, surely Apigee must have thought of it?
Any feedback on this would be appriciated.
Thanks!
