Docs‎ > ‎CA Live API Creator‎ > ‎

Security

Security enables you to control data access down to the row and column instance level.  You configure Security using the API Creator security screens described here.

API Creator provides:
  • Authentication to control who is allowed to access the system, and
  • Authorization to control what rows and columns they can see and change.  
The Security Examples illustrate using these features.

This page describes several security concepts that you will need to understand to make effective use of the security services.


Admin vs. App Security

Admin Security is essentially authentication with "root privilege" (e.g. admin account) to the system, providing the ability to alter logic, define security, and so forth.  You can define Admin Users with Admin Accounts (control passwords here).

The discussion below is a completely different topic.  It pertains to App Security, namely, who can access the API (the data, such as by Live Browser), and what are they authorized to do.  Such users are not provided access to the definitions of security, resources, logic, and so forth.


Overview

Authentication is illustrated below:
  1. Owners/Administrators define Role Permissions and Custom Auth Providers, which are stored in the Admin DB
  2. Applications post credentials to a special end point (@authentication) to obtain an Auth Token ID
  3. The API Server invokes the Custom Auth Provider
    • The Default Authenticator looks up Users defined in the API Creator.  This is most appropriate for development
    • Your Custom Auth Provider is passed the credentials (e.g., name and password), and looks it up in the Corp Security System (e.g. LDAP, Active Directory, oAuth, etc) to obtain of set of authorized Roles (also often called Groups).
  4. The API Server creates an Auth Token, containing the Roles, Globals etc, and stores these in the Admin DB.  Thus makes is available to all API Server nodes in a cluster
  5. The Auth ID Key is returned to the client, who passes it in the header of subsequent requests; the API Server uses it to enforce Role Permissions.

Auth Tokens

An Auth Token typically represents an authorized user, and defines the set of Roles to which the user is authorized.  

Role

Each role defines Permissions for table access.  There are usually far fewer roles than users, so Roles make administration much simpler than assigning authorization directly to Users.

As shown here, Permissions include both Predicates for row access, Columns, and Access Type to determine the operations allowed.  A role is authorized to the union of its permissions, and an Auth Token is an authorized union of all is role-based permissions.

Globals

A particularly important concept is the set of Globals.  Defined for a role, these variables can be used in Predicates and Rules.  They can be named values, or database rows.

Communications Security

API Creator provides options for https-based communications.  Please contact us regarding this option.

Service Connectivity

Service connectivity is controlled by your Authentication Provider. 

For further control, API Creator provides options to deploy services within a Private Cloud.  Please contact us regarding this option.

Cross Origin Resource Sharing (CORS)

Unless specifically authorized, JavaScript code can only access the site it was loaded from.  This is designed to prevent a malicious site from accessing servers open on other tabs (e.g., your bank).  CORS is the mechanism to enforce this restriction.

API Creator security is equipped to protect itself against such attacks, so we provide an HTTP header which stipulates that calls from any JavaScript app (e.g., another tab in your Browser) are accepted.

Database Connection Security

API Creator requires access to your database.  Your information is protected by both encryption and salting, using industry standards.

There are two common database location scenarios:
  • Cloud Database - it is becoming the common practice to deploy databases in the cloud, for automated maintenance and administration.  To minimize latency, select an API Creator Service on the same cloud provider and region as your database

  • On-premise database - where services are required for a database already deployed behind your firewall, contact your network administrator to authorize access by the API Creator. The basic approach is to open a port in your firewall for your database
For On-premise databases, you will need the public cloud IP address of your API Server, which is available through support or the online chat.

Private Cloud

For advanced security, contact us to discuss providing API Server in your private cloud.

On-Premise

For organizations with rigid security requirements, contact CA Technologies to discuss an On-premise API Server configurations.  This will generally not include elastic support to dynamically add servers.

Security Examples

Security is very powerful, and also complicated.  The Business to Business sample illustrates a basic Custom Auth Provider.  Here are some additional examples to consider once you've reviewed the concepts.