Dataloy VMS API Documentation
API Release 8.6
Endpoint access control

It is possible to restrict access to any endpoint.

In order for a user to get access to a given API Endpoint, the user must belong to a SecurityRole that has a SecurityPermission for the API Endpoint.

The endpoint access control is also applied to the objects requested through the fields JSON in the HTTP header. For instance, if the endpoint Vessel.GET is present and the user does not belong to a SecurityRole that has a SecurityPermission for the Vessel.GET endpoint, requesting the Voyage resource with the following JSON in the fields parameter returns unauthorized (HTTP 401):

{ 
   "vessel":{ 
      "vesselName":"*",
      "auxEngine":"*"
   }
}

If the same user sends the request with the following JSON, access is granted, because the vesselName attribute is part of the minimal view of the Vessel resource:

{ 
   "vessel":{ 
      "vesselName":"*"
   }
}
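
The rule above can be modelled as a pre-flight check for integration requests. This is an added example, not Dataloy's code: the lookup tables, the function names and the key-to-resource mapping are assumptions, and only the two fields JSON documents and the vesselName minimal-view fact come from this page.

```python
import json

# Assumed tables for illustration; a real system holds these server-side.
ENDPOINTS = {"Voyage.GET", "Vessel.GET"}   # Endpoint objects that exist
MINIMAL_VIEW = {"Vessel": {"vesselName"}}  # readable without the permission
ATTR_TO_RESOURCE = {"vessel": "Vessel"}    # fields-JSON key -> resource name

# The two fields JSON documents from the text above.
FIELDS_DENIED = '{"vessel": {"vesselName": "*", "auxEngine": "*"}}'
FIELDS_ALLOWED = '{"vessel": {"vesselName": "*"}}'


def missing_permissions(resource, fields, user_permissions, top_level=True):
    """Return the sorted endpoint permissions the request would fail on."""
    missing = set()
    # Non-dict values are plain attributes of the current resource.
    leaves = {k for k, v in fields.items() if not isinstance(v, dict)}
    permission = f"{resource}.GET"
    # Control applies only when an Endpoint exists and the user lacks it.
    controlled = permission in ENDPOINTS and permission not in user_permissions
    # A nested object stays readable while only minimal-view fields are asked for.
    within_minimal = not top_level and leaves <= MINIMAL_VIEW.get(resource, set())
    if controlled and not within_minimal:
        missing.add(permission)
    # Dict values are nested resources and are checked the same way.
    for attr, sub in fields.items():
        if isinstance(sub, dict):
            child = ATTR_TO_RESOURCE.get(attr, attr[:1].upper() + attr[1:])
            missing |= set(missing_permissions(child, sub, user_permissions, False))
    return sorted(missing)


def expected_status(resource, fields_json, user_permissions):
    """Model the documented outcome: 401 if a permission is missing, else 200."""
    fields = json.loads(fields_json)
    return 401 if missing_permissions(resource, fields, user_permissions) else 200


if __name__ == "__main__":
    user = {"Voyage.GET"}  # constructed user: may read Voyage, not Vessel
    for label, doc in (("denied", FIELDS_DENIED), ("allowed", FIELDS_ALLOWED)):
        print(label, expected_status("Voyage", doc, user),
              missing_permissions("Voyage", json.loads(doc), user))
```

Running a check like this over the fields JSON an integration sends shows which SecurityPermissions its role needs before the request reaches the API.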

The same access control is performed when a WebhookSubscription is requested. If the user tries to subscribe to an object that has an Endpoint in the system, the subscription is created only if the user can access the Endpoint; otherwise a Bad request (HTTP 400) exception is thrown.

To create a new Endpoint, post a JSON like this to the endpoint /ws/rest/Endpoint:

{
    "resourceName": "Vessel",
    "path": ".",
    "httpMethodType": "GET"
}

To create a new SecurityPermission, post a JSON like this to the endpoint /ws/rest/SecurityPermission:

{
    "endpoint": 335928937,
    "permissionName": "Bank.GET",
    "permissionType":  335343886
}

To create a new SecurityRole, post the following JSON to /ws/rest/SecurityRole:

{
    "roleName":"testRole"  
}

To add a SecurityPermission to a SecurityRole, post the following JSON to /ws/rest/SecurityRole:

{
    "securityPermissions": [
        {
            "key": 335928939
        }
    ]
}

To add a SecurityRole to a User, post the following JSON to /ws/rest/SecurityRole:

{
    "securityRoles": [
        {
            "key": 335927922
        }
    ]
}