Security enables you to control data access down to the row and column instance level. You configure Security using the API Creator security screens described here.
API Creator provides:
This page describes several security concepts that you will need to understand to make effective use of the security services.
Admin vs. App Security
Admin Security is essentially authentication with "root privilege" (e.g. admin account) to the system, providing the ability to alter logic, define security, and so forth. You can define Admin Users with Admin Accounts (control passwords here).
The discussion below is a completely different topic. It pertains to App Security, namely, who can access the API (the data, such as by Live Browser), and what are they authorized to do. Such users are not provided access to the definitions of security, resources, logic, and so forth.
Authentication is illustrated below:
- Owners/Administrators define Role Permissions and Custom Auth Providers, which are stored in the Admin DB
- Applications post credentials to a special end point (@authentication) to obtain an Auth Token ID
- The API Server invokes the Custom Auth Provider
- The API Server creates an Auth Token containing the Roles, Globals, etc., and stores it in the Admin DB. This makes it available to all API Server nodes in a cluster. The Auth ID Key is returned to the client, which passes it in the header of subsequent requests; the API Server uses it to enforce Role Permissions.
- The Default Authenticator looks up Users defined in the API Creator. This is most appropriate for development
- Your Custom Auth Provider is passed the credentials (e.g., name and password) and looks them up in the Corp Security System (e.g., LDAP, Active Directory, OAuth) to obtain a set of authorized Roles (also often called Groups).
Each role defines Permissions for table access.
An Auth Token typically represents an authorized user, and defines the set of Roles to which the user is authorized.
There are usually far fewer roles than users, so Roles make administration much simpler than assigning authorization directly to Users.
As shown here, Permissions include Predicates for row access, Columns, and an Access Type to determine the operations allowed. A role is authorized to the union of its permissions, and an Auth Token is authorized to the union of all its role-based permissions.
A particularly important concept is the set of Globals. Defined for a role, these variables can be used in Predicates and Rules. They can be named values, or database rows.
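The union rule above, worked through in code. This is an added example, not API Creator's own implementation: the permission shape (`table`, `access`, `predicate`, `columns`, with `null` meaning "all rows" or "all columns"), the `@{name}` syntax for Globals and the sample roles are all assumptions constructed for the illustration.

```javascript
// Added example (not API Creator code): the effective permission an Auth
// Token carries for one table is the union of the permissions of every
// role in the token. Only named-value Globals are modelled here.
const ALL_ACCESS = ['read', 'insert', 'update', 'delete'];

// Resolve @{name} references in a predicate from the token's Globals,
// quoting strings so a Global value cannot break out of the predicate.
function resolveGlobals(predicate, globals) {
  return predicate.replace(/@\{(\w+)\}/g, (_, name) => {
    if (!(name in globals)) throw new Error(`undefined global: ${name}`);
    const v = globals[name];
    return typeof v === 'number' ? String(v) : `'${String(v).replace(/'/g, "''")}'`;
  });
}

// Union the permissions of all roles in `token` that apply to `table`.
function effectivePermission(token, table) {
  const perms = token.roles.flatMap(r => r.permissions.filter(p => p.table === table));
  // No role grants anything on this table: deny everything.
  if (perms.length === 0) return { access: [], predicate: 'FALSE', columns: [] };
  const access = ALL_ACCESS.filter(op => perms.some(p => p.access.includes(op)));
  // Rows: OR of the role predicates; one unrestricted role widens to all rows.
  const predicate = perms.some(p => p.predicate === null)
    ? null
    : perms.map(p => `(${resolveGlobals(p.predicate, token.globals)})`).join(' OR ');
  // Columns: set union; one unrestricted role widens to all columns.
  const columns = perms.some(p => p.columns === null)
    ? null
    : [...new Set(perms.flatMap(p => p.columns))];
  return { access, predicate, columns };
}

// Constructed sample roles (assumed names and tables, not from the page).
const roles = {
  sales: { name: 'sales', permissions: [
    { table: 'customer', access: ['read'], predicate: 'region = @{region}', columns: ['id', 'name', 'region'] },
  ] },
  support: { name: 'support', permissions: [
    { table: 'customer', access: ['read', 'update'], predicate: 'assigned_to = @{user_id}', columns: ['id', 'name', 'notes'] },
  ] },
  auditor: { name: 'auditor', permissions: [
    { table: 'customer', access: ['read'], predicate: null, columns: null },
  ] },
};

// Build an Auth Token from role names plus the Globals issued at login.
function tokenFor(roleNames, globals) {
  return { roles: roleNames.map(n => roles[n]), globals };
}
```

Note that adding a role can only widen access; a single role with a `null` predicate or column list removes the row or column restriction for every other role in the token, which is the check to make when reviewing role assignments.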
API Creator provides options for https-based communications. Please contact us regarding this option.
Service connectivity is controlled by your Authentication Provider.
For further control, API Creator provides options to deploy services within a Private Cloud. Please contact us regarding this option.
Cross Origin Resource Sharing (CORS) is the mechanism to enforce this restriction.
Database Connection Security
API Creator requires access to your database. Your information is protected by both encryption and salting, using industry standards.
There are two common database location scenarios:
- Cloud Database - it is becoming the common practice to deploy databases in the cloud, for automated maintenance and administration. To minimize latency, select an API Creator Service on the same cloud provider and region as your database
- On-premise database - where services are required for a database already deployed behind your firewall, contact your network administrator to authorize access by the API Creator. The basic approach is to open a port in your firewall for your database
For On-premise databases, you will need the public cloud IP address of your API Server, which is available through support or the online chat.
For advanced security, contact us to discuss providing API Server in your private cloud.
For organizations with rigid security requirements, contact CA Technologies to discuss an On-premise API Server configuration. This will generally not include elastic support to dynamically add servers.
Security is very powerful, and also complicated. The Business to Business sample illustrates a basic Custom Auth Provider. Here are some additional examples to consider once you've reviewed the concepts.