IBM API Connect (APIC) has long supported GraphQL for building and consuming modern APIs. Now, it takes a significant step forward with the introduction of user management capabilities powered by Role-Based Access Control (RBAC) within the GraphQL interface. This new feature allows administrators to efficiently manage users, roles, and permissions.
Why MCSP IAM?
MCSP IAM is our internal identity and access management solution, purpose-built to offer secure, scalable, and centralized control across services.
It is designed to handle a wide range of access control needs, including:
- Account, Subscription, and Service Instance Level Control: Granular access enforcement across different organizational layers ensuring users only access what they are entitled to, based on their account, active subscriptions, and specific service instances.
- Fine Grained Role and Action-Based Permissions: Ability to define atomic-level actions and map them to custom roles for precise access management.
- User and Group Management: Centralized management of individual users and user groups, enabling scalable permission assignments across teams and environments.
- RBAC Support: Full-featured Role-Based Access Control system to assign roles to users and user groups.
- User Authentication and Authorization: Secure login and access workflows using IDP and API key-based methods.
- JWT-Based Access Control: Stateless authentication that allows services to validate users and roles without needing session stores.
This comprehensive feature set made MCSP IAM the natural choice for APIC for GraphQL's requirements, especially for controlling product-specific actions and ensuring secure, role-aware access across both the CLI and Dashboard interfaces.
Integration Challenges
As we began integrating MCSP IAM into APIC for GraphQL, several key requirements and challenges surfaced:
- Product-Specific Actions: APIC for GraphQL has unique actions at the product level. These actions needed to be embedded within the JWT to enable fine-grained access control.
- One-to-One Mapping: A direct mapping between MCSP IAM service instances and APIC for GraphQL environments was essential for clear and secure role enforcement.
- API Key Management: Each user has a unique API key to prevent key sharing and ensure secure access.
- Multiple Login Flows: Our product supports both CLI and Dashboard interfaces. We needed to support two different login flows: IDP-based login for the Dashboard and API key-based login for the CLI.
- Environment Switching: Users must be able to switch between environments seamlessly.
All these requirements are now effectively supported by MCSP IAM.
How We Integrated MCSP IAM with APIC for GraphQL
The integration involved several technical steps and design choices:
- Action Mapping: We identified various product-level actions to enforce control at the most granular level. This enabled atomic-level permissions.
- Custom Roles & Actions: Using MCSP IAM, we defined custom roles and actions tailored to APIC for GraphQL's operational model:
  - APICGQL Administrator: This role has full privileges, including access to endpoint creation, deletion, listing, and viewing analytics.
  - APICGQL Developer: This role has limited privileges. It does not have access to analytics and cannot delete endpoints.
  - Service Owner: This role includes all the privileges of the APICGQL Administrator role, with additional access to view the Admin Key and API Key for APIC for GraphQL.
- Service Instance Mapping: Established a one-to-one mapping between the MCSP IAM service instance and each APIC for GraphQL environment.
- JWT Token Usage: JWTs are now used for both admin and API requests, enabling dynamic user role resolution and access control.
- Centralized User Management: All user and environment management responsibilities have been transitioned to MCSP IAM, eliminating manual setup and access provisioning.
- Key Management Simplified: API key creation and lifecycle are now handled via MCSP IAM's service instance APIs, removing product-side key generation logic.
- Login Mechanisms:
  - Dashboard: Uses IDP-based authentication integrated with MCSP IAM. Product-level actions are scoped via the IAM token.
  - CLI: Updated to use MCSP IAM's service instance with API key-based authentication.
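The stateless, role-aware check described above, written out as an added illustration (this is not APIC for GraphQL or MCSP IAM code). The claim names, the action identifiers, the HS256 shared secret and the role-to-action table are assumptions; the table follows the three roles as defined in this post.

```python
import base64, hmac, hashlib, json, time

# Constructed role -> action table. Action names and claim layout are assumptions
# for illustration, not MCSP IAM's real action identifiers or claim schema.
ROLE_ACTIONS = {"APICGQL Developer": {"endpoint.create", "endpoint.list", "endpoint.view"}}
ROLE_ACTIONS["APICGQL Administrator"] = ROLE_ACTIONS["APICGQL Developer"] | {
    "endpoint.delete", "analytics.view"}
ROLE_ACTIONS["Service Owner"] = ROLE_ACTIONS["APICGQL Administrator"] | {
    "adminkey.view", "apikey.view"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: bytes, sub: str, instance: str, roles: list, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT carrying the roles held and the service instance they apply to."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "instance": instance, "roles": roles,
                                  "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Validate signature and expiry with no session store; return claims or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def is_allowed(claims: dict, instance: str, action: str) -> bool:
    """Enforce the one-to-one instance mapping, then union the actions of every role held."""
    if claims.get("instance") != instance:
        return False  # token was issued for a different environment
    allowed = set().union(*(ROLE_ACTIONS.get(r, set()) for r in claims.get("roles", [])))
    return action in allowed
```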
How Can a Customer Share an Instance and Assign Roles?
To share an instance and assign roles to a user in IBM API Connect on AWS SaaS, follow these steps:
- Log in to the AWS SaaS Console.
- Navigate to User Management.
- Select the user you want to share the instance with.
- Choose the appropriate:
  - Service
  - Subscription
  - Instance
- Assign the desired role to the user — APICGQL Administrator or APICGQL Developer — and ensure the user also has a service-level role assigned.
Important: The user must have access to the account. At a minimum, the Account Viewer role is required.
Please refer to the screenshot below for a visual guide.
Looking Ahead: Future-Ready Integration
With this integration in place, APIC for GraphQL is now well-positioned to support iPaaS use cases with zero additional development effort.
Moreover, as soon as MCSP IAM's on-prem solution becomes available, our product will be ready to adopt it for on-premises deployments—ensuring a seamless transition and consistent user experience across cloud and on-prem environments.
Final Thoughts
This was a challenging yet rewarding integration that significantly improves how access control is handled in APIC for GraphQL.
The move to MCSP IAM not only simplifies operations but also prepares our product for future scalability and enterprise-grade integrations.
We're excited about the road ahead, and I look forward to sharing more updates as we continue building on this foundation.