4.3 Restricting Access to APIs with Access Manager Scopes and Roles in the Publisher

You can create the resource servers and scopes before or after you create the APIs in the Publisher. At some point in the process, you must associate the scopes in Access Manager with the APIs or specific API endpoints defined in the Publisher to control access to the APIs or the specific API endpoints.

You can associate a single scope with one or more APIs, all of the endpoints in an API, or with a specific API endpoint. Attempting to reuse a scope that is already in use causes the Publisher to display an error message. To limit access to an API, you must assign the scope to the API and also assign the scope to the single API endpoint in the API. You can assign the same scope to multiple endpoints in an API, or you can assign different scopes to the different endpoints in the API if you want different users accessing the different endpoints.

Every API has at least one API endpoint. You must first assign the scope to the API; this step by itself does not limit any access to the API. Next, you must assign the scope to the API endpoint or to multiple API endpoints to control access to the API.

To associate the scope with the API or specific API endpoints:

  1. Log in to the Publisher using an administrative account.

    https://lifecycle-manager-dns-name:9444/publisher

    The dns-name is the fully qualified host name of the appliance running the Lifecycle Manager component.

  2. On an API to which you want to restrict access, click Edit.

  3. Scroll to the end of the page, then click Next: Implement.

  4. Scroll to the end of the page, then click Next: Manage.

  5. Assign a scope to the API using the following steps:

    1. Under Resources, click Add Scopes.

    2. In the Scope Key field, select the associated Access Manager scope from the drop-down list.

    3. Specify a display name for the scope that appears in the Publisher.

    4. In the Roles field, select the Access Manager role or roles that control access to this API or the additional API endpoints.

    5. Specify a description for this list of roles. Assigning a description to the list of roles helps you to know what roles are in this list.

    6. Click Add Scope.

  6. Assign a scope to the API endpoint or assign the scope to multiple API endpoints using the following steps:

    1. Under Resource, on the single API endpoint, click +scope to limit the access to the API.

    2. Click the drop-down menu, then select the appropriate scope.

    3. Click the check mark to save the assignment and limit access to this API endpoint.

    4. (Conditional) If you have multiple API endpoints, and you are using the same scope, repeat Step 6.a through Step 6.c for each API endpoint.

    5. (Conditional) If you want to have different roles control access to different API endpoints in the same API, repeat Step 5.a through Step 5.e to add the new scope, then repeat Step 6.a through Step 6.c to assign the different scopes to the API endpoints.

  7. Click Save to continue making changes to the API at a later time, or click Save and Publish to make the API and the API endpoints available for users to access.