Symantec Access Management

  • 1.  authToken parameter for Risk REST API

    Broadcom Employee
    Posted Nov 19, 2019 02:24 PM
    Hi
    I am trying to make the Risk REST API accessible without authentication and authorization, and I have configured that on "Services and Server configuration" -> "Administration Console" -> "Enable Authentication and Authorization For Web Services and RestAPI". All REST APIs, including the Risk ones, are on the left side, which means they do not require authentication and/or authorization. I have refreshed the cache too.
    But when I try to use the REST API "/org/{orgid}/user/{userid}/risk/evaluate", it always requires the authToken as a parameter. 
    I have made some tests on other Strong API such as "/admin/orgs/{orgid}/users" which also has this parameter and I do not pass anything to it and it works.
    Is there anything else that I should configure to have the Risk REST API available without the need for an authToken value? Or, specifically for the Risk REST API, is this working as designed and authentication is always required?
    I am running AA 9.1.

    Regards
    Hugo


  • 2.  RE: authToken parameter for Risk REST API
    Best Answer

    Broadcom Employee
    Posted Nov 20, 2019 12:43 PM
    Hi Hugo,

    AuthToken will be required in REST API calls and that cannot be disabled as far as I know. For SOAP web services we can enable/disable the authToken request, but that is not applicable for REST API, and it will need the authToken.


  • 3.  RE: authToken parameter for Risk REST API

    Broadcom Employee
    Posted Nov 21, 2019 06:53 AM
    Hi Namish, thanks for your reply and comments.
    So that means the "Enable Authentication and Authorization For Web Services and RestAPI" option is not applied for REST API?
    From what I have tested here, for some REST APIs such as "/admin/orgs/{orgid}/users" for "Search Users", when it is disabled (on the left side of the "Enable Authentication and Authorization For Web Services and RestAPI" option), I do not need to provide a value for authToken, so I can access it without authentication.
    And for "/org/{orgid}/user/{userid}/risk/evaluate", I have to provide authToken even though it is also on the left side (meaning authentication is disabled). To be more precise, that is the option "RiskFort" -> "Evaluate Risk (web service)". Some other Risk API web services also require authToken, not only this one.
    I thought that if I kept all web services on the left side of the "Enable Authentication and Authorization For Web Services and RestAPI" option, all web services including REST API would not require authentication, but that seems to not be true, or maybe there is an issue here.

    Regards
    Hugo