4.1 Understanding How Secure API Manager Uses the Access Manager Scopes and Roles to Determine API Access

Secure API Manager lets you make APIs accessible to the public or restrict access to them. Making an API available to the public means that anyone who knows the full path to the API can call it. Secure API Manager integrates with Access Manager to provide OAuth2 tokens for requests to the APIs. This is a separate point of integration with Access Manager from controlling which users are able to access the APIs. For more information about OAuth2 authorization, see How Secure API Manager Works in the NetIQ Secure API Manager 1.0 Installation Guide.

Secure API Manager uses the Access Manager roles and scopes to control access to the APIs and specific API endpoints. This way you do not have to create and manage additional accounts or roles for users to access and use the APIs.

To control access to an API you must create one Access Manager scope for that API. If the API has multiple endpoints, that one scope can control access to all of the endpoints. Create a separate scope for an individual API endpoint only if you want a different set of users to be able to access that endpoint. Otherwise, the relationship between an API and its Access Manager scope is one-to-one. You cannot use the same scope for multiple APIs, or for API endpoints that belong to different APIs; the Publisher displays an error message if you try to associate a scope that is already in use. You then associate Access Manager roles with each scope to control who can access the API and its endpoints.

The following graphic depicts how Secure API Manager integrates with Access Manager to control access to the APIs.

Figure 4-1 How Secure API Manager integrates with Access Manager to control access to the APIs

The workflow shows how Secure API Manager controls access to the APIs through the Access Manager scopes and roles:

  1. An application, service, or client makes a call to the API, and that request includes an access token.

  2. The API Gateway presents the access token to the token validator for Secure API Manager.

  3. The token validator obtains the scope and roles associated with the target API or target API endpoint.

  4. The token validator obtains the scopes that are defined in the access token.

    1. The token validator checks the access token to see if it contains the required scopes for access.

    2. If the required scopes are not present, Secure API Manager denies the application, service, or client access to the API.

    3. If the required scopes are present, the token validator proceeds with additional evaluations.

  5. The token validator obtains the roles that were associated with the scope in the API definition.

  6. The token validator obtains the user’s roles from Access Manager using the access token.

  7. The token validator checks to see if the user has all of the required roles.

    1. If the required roles are not present, Secure API Manager denies the client access to the API.

    2. If the required roles are present, both the scope check and the role check have passed, and Secure API Manager allows the client access to the API.
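The following Python is an added example written for this page; it is not Secure API Manager code and does not call its APIs. It models two things the text describes: the Publisher rule that one Access Manager scope cannot be associated with more than one API (though it may cover several endpoints of the same API), and the token validator's deny-by-default decision that first checks the scope in the access token and then checks that the user holds all of the roles associated with that scope. The class and function names, the endpoint-versus-whole-API lookup, the role lookup that stands in for Access Manager, and the sample API definitions and decoded access tokens are all constructed for the example.

```python
"""Added example (not Secure API Manager code): a small model of the
scope-and-role check described in the workflow above, plus the Publisher
rule that one Access Manager scope cannot be associated with more than
one API. All names, data structures and sample tokens are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiDefinition:
    api: str
    endpoint: str          # "*" covers every endpoint of the API
    scope: str             # the Access Manager scope that protects this target
    roles: frozenset       # Access Manager roles the user must ALL hold


class Publisher:
    """Registry of API definitions (stand-in for the Secure API Manager Publisher)."""

    def __init__(self):
        self._defs = {}          # (api, endpoint) -> ApiDefinition
        self._scope_owner = {}   # scope -> api that already uses it

    def associate(self, api, endpoint, scope, roles):
        owner = self._scope_owner.get(scope)
        if owner is not None and owner != api:
            # A scope may cover several endpoints of ONE API, never two APIs.
            raise ValueError(f"scope {scope!r} is already associated with API {owner!r}")
        self._scope_owner[scope] = api
        self._defs[(api, endpoint)] = ApiDefinition(api, endpoint, scope, frozenset(roles))

    def lookup(self, api, endpoint):
        # Prefer an endpoint-specific definition, fall back to the whole-API one.
        return self._defs.get((api, endpoint)) or self._defs.get((api, "*"))


class TokenValidator:
    """Steps 3-7 of the workflow. `role_lookup(token)` stands in for the
    call to Access Manager that resolves the user's roles from the token."""

    def __init__(self, publisher, role_lookup):
        self.publisher = publisher
        self.role_lookup = role_lookup

    def validate(self, token, api, endpoint):
        """Return (allowed, reason). Deny by default on anything unknown."""
        definition = self.publisher.lookup(api, endpoint)        # step 3
        if definition is None:
            return False, "no definition for target"
        token_scopes = set(token.get("scope", "").split())       # step 4: OAuth2 scope claim is space-delimited
        if definition.scope not in token_scopes:                 # step 4.2
            return False, f"missing scope {definition.scope}"
        user_roles = set(self.role_lookup(token))                # steps 5-6
        missing = definition.roles - user_roles                  # step 7: ALL roles are required
        if missing:
            return False, "missing roles " + ",".join(sorted(missing))
        return True, "ok"                                        # step 7.2


def build_demo():
    """Constructed sample data: one API whose /refunds endpoint has a stricter scope and role set."""
    publisher = Publisher()
    publisher.associate("orders", "*", "orders", {"Employee"})
    publisher.associate("orders", "/refunds", "orders-refunds", {"Employee", "Finance"})

    # Stand-in for Access Manager's role lookup, keyed by the token subject.
    roles_by_subject = {
        "alice": {"Employee", "Finance"},
        "bob": {"Employee"},
        "carol": {"Employee"},
    }
    validator = TokenValidator(publisher, lambda tok: roles_by_subject.get(tok["sub"], set()))
    return publisher, validator


def run_demo():
    """Run every constructed token against both endpoints and return the decisions."""
    publisher, validator = build_demo()
    tokens = {  # constructed, already-decoded access tokens
        "alice": {"sub": "alice", "scope": "orders orders-refunds"},
        "bob":   {"sub": "bob",   "scope": "orders"},
        "carol": {"sub": "carol", "scope": "orders orders-refunds"},
    }
    results = {}
    for name, tok in tokens.items():
        for endpoint in ("/items", "/refunds"):
            results[(name, endpoint)] = validator.validate(tok, "orders", endpoint)
    # The Publisher rejects reusing a scope for a second API.
    try:
        publisher.associate("billing", "*", "orders", {"Employee"})
        results["reuse_rejected"] = False
    except ValueError:
        results["reuse_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Bob is denied /refunds because his token was never issued the orders-refunds scope, and Carol is denied it even though her token carries the scope, because she lacks the Finance role: the two checks are independent, and a scope in the token is necessary but not sufficient.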