5 Replies Latest reply on Sep 1, 2021 2:55 PM by Darren Wrigley

    API Write Permission Issue.

    Augustine Ken Active Member

      Hello all,

       

      Here is my use case.

      The Data Catalog resource access should be Read only for a particular user group. In the EDC UI, the operation allowed is only READ.

       

      But the same user group should be used to UPDATE/WRITE the data objects using REST API calls. Can this be achieved by giving write access to the resource "on the go" and rolling back the permission level to read after the write operation is over?

      Is there any other approach that we can try to achieve this?

       

      Error Message:

      Message: com.infa.products.ldm.beans.core.rest.common.exceptions.UnauthorizedCommonException: Cannot access object

       

      Thank you.

        • 1. Re: API Write Permission Issue.
          Darren Wrigley Guru

          Since the API will use the access rights granted to the user/group, there is no workaround for that.

          I am not sure I understand the use case. Can't you create a service account that uses the API to update content (like completing a bulk import)?

          • 2. Re: API Write Permission Issue.
            Augustine Ken Active Member

            Since the users with read-only access will be using the write API operations, we want to keep track of the user who updated the data objects for audit purposes. Using a generic Native user with elevated permission will work to do WRITE API operations, but the asset modified user will be the generic API user in this case.

            • 3. Re: API Write Permission Issue.
              Darren Wrigley Guru

              What is the issue with providing update access via the UI too?

              You can't do both at the moment, e.g. restrict edit from the UI but allow using the API, since the same privilege is applied to both.

              The only option might be to update the access controls (to allow updates), run the API script, then reset the access controls.

              • 4. Re: API Write Permission Issue.
                Augustine Ken Active Member

                Hi Darren,

                 

                We want the users to change only some of the custom attributes in the UI. Write Access will allow them to change all the editable attributes. In order to restrict that, we want to keep the user as read-only and edit the selected attributes using API.

                 

                Yes, the access control option is the only workaround I thought of. But can this be implemented via an API call?

                Is there an API that will allow for a particular user group to change the resource access permission to write and then roll back to read-only after the PUT/POST operation is over?

                 

                Thanks.

                • 5. Re: API Write Permission Issue.
                  Darren Wrigley Guru

                  You can use

                  GET|PUT /1/catalog/security/accessFilters

                  to get, or create/update access filters
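
The "update the access controls, run the API script, then reset" workaround from this thread, sketched as an added example (not Informatica's code and not from any poster) that always restores the saved filters, even when the write fails, and logs who requested the elevation. The `http` transport object, the `grant_write` callback, the `FakeCatalog` stand-in and the filter payload are assumptions, since the thread does not show the accessFilters schema; only the endpoint path comes from the thread. While the window is open the same privilege also applies in the UI, as noted in reply 3.

```python
import copy
import logging
from contextlib import contextmanager

ACCESS_FILTERS = "/1/catalog/security/accessFilters"  # path quoted in the thread
log = logging.getLogger("catalog.elevation")


class RollbackFailed(RuntimeError):
    """Filters could not be reset: write access may still be open."""


@contextmanager
def temporary_write_access(http, grant_write, requested_by):
    # http: any object with get(path) and put(path, body) (assumed transport).
    # grant_write: caller-supplied edit of the filter document (schema assumed).
    snapshot = http.get(ACCESS_FILTERS)
    http.put(ACCESS_FILTERS, grant_write(copy.deepcopy(snapshot)))
    log.info("write access opened for %s", requested_by)  # audit trail entry
    try:
        yield
    finally:
        try:
            http.put(ACCESS_FILTERS, snapshot)  # reset even if the write failed
        except Exception as exc:
            log.critical("filters NOT reset after request by %s", requested_by)
            raise RollbackFailed("access filters left elevated") from exc
        log.info("write access closed for %s", requested_by)


class FakeCatalog:
    """Constructed in-memory stand-in for the endpoint so this runs offline."""
    def __init__(self, filters):
        self.filters = filters
    def get(self, path):
        return copy.deepcopy(self.filters)
    def put(self, path, body):
        self.filters = copy.deepcopy(body)


def demo():
    # Constructed payload; the real accessFilters schema is not shown in the thread.
    catalog = FakeCatalog({"group": "analysts", "permission": "READ"})
    during = []
    try:
        with temporary_write_access(catalog, lambda f: {**f, "permission": "WRITE"}, "example.user"):
            during.append(catalog.filters["permission"])
            raise RuntimeError("simulated failure of the data-object update")
    except RuntimeError:
        pass
    return during, catalog.filters
```

A `RollbackFailed` exception means the group may still hold write access and should be treated as an alert, not retried silently.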