We should open our web service access to an account to create change orders in Service Desk. I have given access to the SOAP web services, but I want to restrict them to use only the method used for creating the ticket.
Could anyone suggest how to restrict the users, or how to open only a few methods in SOAP?
One way of restricting this is to impersonate a user with much lower access. Check the web services documentation; you should get info on the impersonate web service method.
I think you can use the SOAP method 'impersonate()' to impersonate, with the following two parameters:
SID - Integer - Identifies the session retrieved from logging in.
username - String - (Required) Identifies the user name of the user being impersonated.
Invoking this method is allowed only if the current web services session is started by using the PKI access authentication scheme and the access policy is defined to allow impersonation.
How will impersonate help to construct the restriction to a few web services, like createcontact only?
Could you please explain a little more?
First, the user you impersonate will have an Access Type.
On the Administration tab, under Security and Role Management, Access Types, view that Access Type.
On tab 3. Roles of the Access Type you will see "REST Web Service API Role".
On the Administration tab, under Security and Role Management, Role Management, Role List, view that Role.
On tab 1. Additional Information, sub-tab 2. Function Access, modify the Function Access you want for that Role.
You need some admin access in order to be able to use the impersonate method.
This method is to be used by an admin that would like to perform some actions in the context of that "impersonated" user vs. applying security.
To apply security for that contact using web services, you will create a specific functional access / data partition / roles and apply this role to the corresponding or newly created access type for the web service you want to use (SOAP and/or REST).
When the contact logs in to the web service with the credentials linked to this access type, your security will be applied exactly the same as in the web interface.
For SOAP, you may also want to increase security around the authentication itself: you may use a key and exchange a certificate vs. using basic authentication, and will then set this contact as the proxy contact of your corresponding policy.
All this is documented in the implementation guide and coding examples are available in the samples/sdk folder.
Hope this helps/clarifies.