In our zero-trust world, we limit the level of access to our resources. This is the case for your domain users and should also be the case for all of the API clients as well.
From the earliest versions, the Secure Access Cloud team insisted on mirroring all of the capabilities available in the Application and Admin portal to the API.
This is especially relevant when automating processes, Secure Access Cloud allows Devops engineers to provide secure access to a newly created server, fast, easily and with no human interaction. Simply add the Secure Access Cloud Trust certificate into the golden image and write a small script to automatically publish any SSH application. The same is also true and as easy for web applications. Following the creation, all of the authorized users can leverage their existing identity in the Secure Access Cloud and seamlessly access the newly created applications. A great example can be found in knowledge base article TECH254768.
But should everyone be permitted the same level of access?
The above scenario requires full API access to the SECURE ACCESS CLOUD management portal but let’s consider the following:
A customer requires to provide a secure method of connection to their SOAP/ REST API application. This is a standard application and this is the equivalent to authorizing a user to access an application through the application portal, it should not allow the user to access the admin portal.
You can see a great example of the above flow with step by step guidance at TECH254811.
The last scenario I wish you to consider is for monitoring and data analysis purposes. A customer that requires information about the usage, health or anything else stored in the Secure Access Cloud database regarding the applications, users and assignments can easily create a query based on API “GET” requests. It’s a hybrid state where the API Client is authorized to access the Management API but can’t change any of the configuration.
Following the above, it’s my pleasure to Introduce the new Secure Access Cloud read-only API access.
Today, when creating an API client, you can choose the level of access this API client will receive, eliminating unwanted risks and unplanned mistakes, providing a way of maintaining the least privilege approach when required to query the Secure Access Cloud management API.
Under settings, API Clients, click the create button.
After providing a meaningful name and description you will need to select the API Level of permission
- Don’t allow access to Secure Access Cloud management API - Will allow the admin to assign an API Client to be provided with access to any application in the application portal.
- Allow read-only access to Secure Access Cloud management API – will allow the API Client to only execute “GET” requests only, reflecting what is happening in the Secure Access Cloud without the ability to change any of the configurations.
- Allow full access to Secure Access Cloud management API – Full admin privileges.
We are working towards a more granular Role Based Access Control API client and would like to hear your use cases and needs. Reply below with suggestions and we will review and consider each and every one.
Thank you for taking the time and helping us improve our product.