Layer7 API Management

  • 1.  Layer7API Developer Portal approvals

    Posted Jan 07, 2021 02:08 AM

    I would like some clarity in how the portal security implementation works.

    In our current portal up to 4.5 my understanding is there is only approval for applications. APIs will either auto deploy without approval or will require an external approval process.

    So if we assume that we want to use the portal exclusively (all autodeploy), an API Owner will deploy an API and this will go live without any issue. Now the OrgAdmin creates an Application and approval will go to the request queue for approval. This API is now "live" and can be consumed by that application.

    There is now nothing preventing the API Owner from modifying that API without any approval process, or anyone even knowing about this, if we assume auto deploy.
    I can point the API to a different back-end, change the authentication, basically anything that could negate any checks that were done during the initial deploy.

    In my view the focus is on the wrong part. The approval focus should be on the API and not the application. All security checks, change control, pentesting etc. are linked to the API and not the Application. By allowing the API to be published you have kind of approved the use of this by applications already.

    If I sign up to any cloud service and I create an application and select an API from that provider catalogue, I do not wait for someone to approve this first (as long as you can pay).
    But the cloud provider I trust will go through thorough testing before allowing that API to be added to the catalogue.

    The approval is also not very intuitive, besides being focused wrong. I would like to be able to have multiple approvers, e.g. business (org admin), technical (let's say portal admin) and security.
    There is no way inside of the portal to even integrate this via Webhooks into an external system. I can implement something to poll the portal request queue, but then nothing prevents people from approving via the portal.

    Are any of these getting looked at in Portal v5, or anything on the roadmap?



    ------------------------------
    API Tech Lead
    Sanlam
    ------------------------------



  • 2.  RE: Layer7API Developer Portal approvals

    Posted Jan 08, 2021 02:59 AM
    Good day Ewan,
    I hope you are well and had a good Christmas break, even with these crazy world health circumstances.
    A few weeks ago I was involved with this topic exactly (separation of duties) when it comes to API creation itself via the Portal 4.5.

    You are right: there is no approval process per se when it comes to API creation, but there are ways to separate the duties between API development and API deployment, and even have that separation when it comes to which environment you can deploy to. So you can have a change management process that will allow for one party to be the one developing APIs and deploying on test (for example), another that is responsible for deployment on QA, and yet another that can deploy to Prod.
    That way you can have pseudo approval methods; I mean pseudo in regards to what there is for Apps. But still I see them as just as effective.

    I would be more than happy to discuss that more together: you know my contact details right? :)

    I hope this helps,

    Best regards and happy belated new year!

    ------------------------------
    Maurizio Garzelli
    APIIDA
    APIIDA Chief Technology Advisor APIM
    maurizio.garzelli@apiida.com
    https://apiida.com
    ------------------------------



  • 3.  RE: Layer7API Developer Portal approvals

    Posted Jan 08, 2021 03:37 AM

    Hi Maurizio

    We had a short but welcome break, no use taking too long leave while we are stuck at home during lockdown.

    In our Portal scenario we have multiple organizations using our Portal, each one at a different maturity level: from the very low-use publishers that are happy to use the UI, up to the mature teams that do everything using automation with YAML files mapped to PAPI.

    If you go the full automation route, then basically we are re-implementing the portal and making use of Jira Service Desk as the front-end. In that case, what is the use of the Portal?

    Then for the teams that want to use the Portal UI, I find the Portal security (in the sense of the approvals and workflow) lacking. I want to see how much of the portal features I can leverage before breaking out into external tools, but this would seem not to be possible. So if I have to invest in additional/external software, then I would have expected some basic event/webhook integration to initiate those workflows.

    As I stated, it is more important for us to control the publishing of APIs than applications. And during these deployments we are still stuck in many cases with legacy thinking of change control and booking deployment time slots. For production deploys, multiple approvals are required, and in DEV we are happy with a single-person approval. The approvals are required for other functions and dependencies to be completed first, e.g. firewall rules, group/role provisioning, backend deployments etc.

    I have your contact details; they are also in your signature :-). I do have a question on deployment of a single portal with multiple environments, like the demo video on YouTube of Portal 5.



    ------------------------------
    API Tech Lead
    Sanlam
    ------------------------------