Data Masking configuration for API specific level permission is not working

Our administrator gave developers permission for data masking on the organization level and on the API level. However, I still get 403 Forbidden on the API-level masking configuration. The organization-level configuration is working.

I checked the permission reference sheet

https://docs.apigee.com/api-platform/system-administration/permissions#data-masks

It has the path

/applications/*/maskconfigs

It seems different from the API provided in the documentation

https://docs.apigee.com/api-platform/security/data-masking

which has the path

https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs
Accepted solution

Hi @Ghassan Barghouti,

Firstly, the term `applications` in the resource permissions applies to `apis` in the Edge API URL; that's a historical artifact.

Secondly, there appears to be an issue with `maskconfigs` and custom roles at the API Proxy level.

I created a custom role `AllowMaskconfig` and set the following permissions which did not work.

{
    "resourcePermission": [
        { "path": "/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/maskconfigs/*", "permissions": [ "get", "put", "delete" ] },
        { "path": "/applications/features-v1/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/applications/features-v1/maskconfigs/*", "permissions": [ "get", "put", "delete" ] }
    ]
}

Then, I tried this, which did work.

{
    "resourcePermission": [
        { "path": "/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/maskconfigs/*", "permissions": [ "get", "put", "delete" ] },
        { "path": "/*/features-v1/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/*/features-v1/maskconfigs/*", "permissions": [ "get", "put", "delete" ] }
    ]
}

If you assign this role to a user in the built-in `User` role, that user will now be able to create maskconfigs at the proxy level just for the `features-v1` proxy. And if you change that path element to `*`, they can create maskconfigs for all proxies.

You can prevent access using a `DisallowMaskconfig` role with these permissions.

{
    "resourcePermission": [
        { "path": "/maskconfigs", "permissions": [] },
        { "path": "/maskconfigs/*", "permissions": [] },
        { "path": "/*/*/maskconfigs", "permissions": [] },
        { "path": "/*/*/maskconfigs/*", "permissions": [] }
    ]
}

Always fun playing with custom roles!


Replies

Show the exact permissions you have on the role, please?

I'm one of the developers. I'm not the admin. Is there a way to get my permissions? Anyway, what he has given me is data-masks permissions for both the organization level and the API level.

I contacted him and he just said that he has given me access to everything related to data masks. Could this be a bug, knowing that the permission reference has a different API than what is actually needed?


Thank you. I guess the Apigee team needs to change that documentation since it is misleading. When /apis/*/maskconfigs was given as a permission it worked; /applications didn't, although the documentation said that this is what needs to be given to get access to mask configs.
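To make the thread's findings checkable before a role is handed to developers, the following is an added example (not code from the thread, from Apigee, or from either poster) that models the `resourcePermission` JSON shape above as a small permission evaluator. It assumes a simplified matcher (a verb is granted when at least one entry whose path matches lists it, and `*` matches exactly one path segment), which is an assumption about Apigee's behaviour inferred from the paths that worked and failed in this thread, not Apigee's actual implementation. It also assumes, consistent with the original poster's confirmation that `/apis/*/maskconfigs` worked, that the proxy-level resource is addressed as `/apis/{proxy}/maskconfigs` relative to the organization. The role names and proxy names are the ones used in the accepted solution.

```python
"""Simplified model of Apigee Edge custom-role resource permissions.

Added example for the thread above; not code from the thread or from Apigee.
ASSUMPTIONS (not verified against Apigee's evaluator):
  * a verb is granted when at least one entry whose path matches the requested
    resource lists that verb; entries with an empty permissions list grant nothing;
  * '*' in a permission path matches exactly one path segment;
  * proxy-level mask configs live at /apis/{proxy}/maskconfigs relative to the org.
"""
import re

# The four roles discussed in the thread, verbatim from the posts.
ALLOW_V1 = {  # did NOT work in the accepted solution
    "resourcePermission": [
        {"path": "/maskconfigs", "permissions": ["get", "put"]},
        {"path": "/maskconfigs/*", "permissions": ["get", "put", "delete"]},
        {"path": "/applications/features-v1/maskconfigs", "permissions": ["get", "put"]},
        {"path": "/applications/features-v1/maskconfigs/*", "permissions": ["get", "put", "delete"]},
    ]
}
ALLOW_V2 = {  # did work in the accepted solution
    "resourcePermission": [
        {"path": "/maskconfigs", "permissions": ["get", "put"]},
        {"path": "/maskconfigs/*", "permissions": ["get", "put", "delete"]},
        {"path": "/*/features-v1/maskconfigs", "permissions": ["get", "put"]},
        {"path": "/*/features-v1/maskconfigs/*", "permissions": ["get", "put", "delete"]},
    ]
}
OP_ROLE = {  # what the original poster reported as working (any proxy)
    "resourcePermission": [
        {"path": "/apis/*/maskconfigs", "permissions": ["get", "put"]},
    ]
}
DENY = {  # DisallowMaskconfig from the accepted solution: grants nothing
    "resourcePermission": [
        {"path": "/maskconfigs", "permissions": []},
        {"path": "/maskconfigs/*", "permissions": []},
        {"path": "/*/*/maskconfigs", "permissions": []},
        {"path": "/*/*/maskconfigs/*", "permissions": []},
    ]
}

_ORG_URL = re.compile(r"^(?:https?://[^/]+)?/v1/(?:o|organizations)/[^/]+(/.*)?$")


def resource_path(edge_url: str) -> str:
    """Turn an Edge management URL into the org-relative resource path, e.g.
    https://api.enterprise.apigee.com/v1/o/{org}/apis/{api}/maskconfigs
    -> /apis/{api}/maskconfigs (the form permission paths are written in)."""
    m = _ORG_URL.match(edge_url)
    if not m:
        raise ValueError(f"not an Edge organization URL: {edge_url}")
    return m.group(1) or "/"


def path_matches(pattern: str, path: str) -> bool:
    """Segment-wise match; '*' stands for exactly one segment (assumption)."""
    pseg = pattern.strip("/").split("/")
    rseg = path.strip("/").split("/")
    return len(pseg) == len(rseg) and all(p in ("*", r) for p, r in zip(pseg, rseg))


def granted_verbs(role: dict, path: str) -> set:
    """Union of verbs from every entry whose path matches the resource."""
    verbs = set()
    for entry in role["resourcePermission"]:
        if path_matches(entry["path"], path):
            verbs.update(v.lower() for v in entry["permissions"])
    return verbs


def is_allowed(role: dict, verb: str, path: str) -> bool:
    return verb.lower() in granted_verbs(role, path)


def audit(role: dict, requests) -> dict:
    """Least-privilege review helper: map each (verb, path) to allow/deny."""
    return {(v, p): is_allowed(role, v, p) for v, p in requests}


if __name__ == "__main__":
    target = resource_path("https://api.enterprise.apigee.com/v1/o/myorg/apis/features-v1/maskconfigs")
    checks = [("put", target), ("delete", target + "/default"), ("get", "/apis/other-proxy/maskconfigs")]
    for name, role in [("AllowMaskconfig v1", ALLOW_V1), ("AllowMaskconfig v2", ALLOW_V2),
                       ("OP /apis/*/maskconfigs", OP_ROLE), ("DisallowMaskconfig", DENY)]:
        print(name)
        for (verb, path), ok in audit(role, checks).items():
            print(f"  {verb.upper():6} {path:40} {'allow' if ok else 'deny'}")
```

Run as a script, the table shows the thread's observations under the stated assumptions: the literal `/applications/...` role grants nothing on `/apis/features-v1/maskconfigs`, the `/*/features-v1/...` role grants `get`/`put` on that one proxy only (and `delete` only on individual mask configs beneath it), the `/apis/*/maskconfigs` role reaches every proxy, and the deny role grants nothing at all. The `audit` helper is the piece a reviewer would reuse: feed it the resources a role must not touch and confirm every answer is `deny` before assigning the role.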