Thanks for your comments, Jens. Obviously, you are right about the need for authorization checks at different layers of the application.
Original Message:
Sent: Thu December 14, 2023 06:42 AM
From: Jens Engelke
Subject: Restrict access to exposed REST services in BAW
Please do not misuse authentication customization to implement authorization.
Authentication is the process of finding out if the user is who she claims to be.
If you want to restrict if your service is executed at all or maybe follows different code paths depending on who the authenticated user is, then @Sebastian Tylko's response is the way to go.
While "failing early" is a good practice, you may also want to consider adding authorization logic to "deeper layers" of your application. That is, if you expose something as a REST service, it may invoke another service, which in turn invokes another service, and so on.
Authorization should be checked at each layer. Why would you have a service in your process app that should only respond to some users, but is executed without conditions? You noticed that lack of due diligence now at the "very outside" while exposing the service as REST, however, the same considerations apply even within your own application logic.
HTH
Jens
------------------------------
Jens Engelke
Original Message:
Sent: Fri November 10, 2023 04:02 AM
From: Gregor Schikorski
Subject: Restrict access to exposed REST services in BAW
Hello! As far as I understand, REST services created in BAW and exposed externally (as exposed automation services) can be called by anyone who is authenticated on the hosting BAW environment when using basic authentication (see Creating a REST service). There is no way to restrict access to the services to members of certain user groups or teams, correct?
What would be the easiest approach to achieve such a simple team filter to ensure that only certain people can access/use the exposed REST services?
I understand that customizing authentication using TAI would be an option as outlined by @Jens Engelke in another post but this is probably rather complex to implement. Are there any alternative solutions?
Is there a way to just fetch and use the username provided by the REST call's basic authentication information in the implementing BAW service?
Thanks for your input!
------------------------------
Gregor Schikorski
------------------------------