Author: Vivek Kumar (vivk@softwareag.com), Srikanth Prathipati (srpr@softwareag.com)
1.Introduction
webMethods Integration Cloud and API Cloud (Gateway and Portal) are part of iPaaS (integration Platform-as-a-Service) offering from Software AG. This document covers the User Management, Access Profiles, Project Permissions, ACLs (Access Control List) to secure the platform (both Integration Cloud and API Cloud).
This article is intended for Cloud Integration Architects, Platform Administrators who would like to secure the platform with the proper Access Permissions.
Integration Cloud supports three dimensional permissions matrix.
- Access Profile: Access Profile specifies a collection of permissions that can be applied to multiple users.
- Project Permission: Project Permissions are used to define custom project specific administrative permissions.
- Access Control Lists: Access Control Lists are used to control the execution permission of an Integration. ACL, through the assigned Access Profiles, specifies the users who are granted the Execute Integration permission.
Users, Access Profile and Access Control Lists are linked with each other whereas Project permissions are linked with Projects and Users. Section 3 provides more details on this.
2. User Management
User Management for all the iPaaS offerings (Integration Cloud, API Gateway, Portal) are managed from Integration Cloud. In future the same would be offered from Software AG Cloud. Integration Cloud also supports Single Sign-On (SSO) to allow users to access the platform from Corportate Identity Provider (IDP). Users identities can be imported into the platform with the SSO configurations.
- IDP Users:
- Users Identities are imported from IDP when the above configuration is enabled
- When users logs in SSO they are authenticated with SAML tokens against IDP
- It is recommended to use IDP users for Platform User Interface (UI) login only but not for API/Integration execution access
- Native Users:
- Native user (Tenant Administrator) is provisioned during tenant creation.
- Native user can be used for both UI and API/Integration access.
- Follow the recommended password policies for the Native users.
For creating the New User follow the below steps from Settings. If you want to create user for a Developer, make sure the user is assigned to right Project Permissions. Access Profile can be assigned with minimum functional permissions. This would explained in Section.5 – Sample Use cases.
-
Audit Log : A security Audit Log entry will be audited when a user (IDP/Native) logs into the platform/ access the API/Integration from an invocation channel. In addition to that all platform operation would also be audited. For example, logs related to additions, deletions, updations, export, schedule, skip, login, logout, password changes, record access attempts, access violations, deployments, restart Integration executions, resume Integration executions, etc.
3. Securing Integration Cloud
- Access Profiles: Access Profile specifies a collection of functional permissions that can be applied to multiple users.
- Associated with Permission Matrix
- Administrative permissions to be associated with Access Profile is classified into three categories;
- Global Permissions
- Functional Controls
- Project Permissions
For example; Please refer to appropriate configurations from the below screenshot
- Many to many mappings with ACL. Access Profiles can be mapped to multiple ACLs.
It is recommended to have different Access Profiles for Platform Administrator, Developer and DevOps Engineers. DevOps engineer can have different Access Profile for Monitoring purpose (read only).
Types
|
Description
|
Recommended?
|
Comments
|
Global Permissions
|
|
|
|
User Management
|
Allow users to Add, Update, Delete Users, or assign users to Access Profiles
|
Case by case
|
For Platform Administrators
|
Access Control
|
Allow a user to modify Access Profiles, edit ACLs,
specify user application access rights
|
Case by case
|
For Platform Administrators
|
Manage Personal Setup
|
Allow a user to modify the personal information,
and generate or edit the user's own certificate.
|
Yes
|
|
Manage Company Capabilities
|
Allow users to modify the company information.
|
Case by case
|
For Platform Administrators
|
Allow User Interface Access
|
Allow users to log in to Integration Cloud and access the user interface
|
Yes
|
Except for API users
|
Manage Audit Log
|
Allow users to view the Audit Log
|
Case by case
|
For Platform Administraror
|
Functional Controls
|
|
|
|
Deploy
|
Allow users to Deploy assets
|
Case by case
|
DevOps users
|
Export
|
Allow users to Export assets
|
Yes
|
Except Monitor users
|
Stages Administer
|
Allow users to Manage Stages (create/delete)
|
Case by case
|
For Platform Administrators
|
Advanced Security Administer
|
Allow users to configure advanced security
|
Case by case
|
For Platform Administrators
|
Upgrade
|
Allow users to upgrade Applications
|
Case by case
|
For Platform Administrators
|
Solution Create/Update/Delete
|
Allow users to Create/Update/Delete
|
Case by case
|
For Platform Administrators
|
Project Permissions
|
|
|
|
Accounts Create/Update/Delete
|
Allow users to Create/Update/Delete Account
|
Yes
|
Except for API access and Monitor Users
|
Operations Create/Update/Delete
|
Allow users to Create/Update/Delete Operations
|
Yes
|
Except for API access and Monitor Users
|
Reference Data Create/Update/Delete
|
Allow users to Create/Update/Delete Reference Data
|
Yes
|
Except for API access and Monitor Users
|
Document Type Create/Update/Delete
|
Allow users to Create/Update/Delete Document Type
|
Yes
|
Except for API access and Monitor Users
|
Integrations Create/Update/Delete/Execute
|
Allow users to Create/Update/Delete Integrations
|
Yes
|
Except for API access and Monitor Users
|
REST APIs Create/Update/Delete/Execute
|
Allow users to Create/Update/Delete REST APIs
|
Yes
|
Except for API access and Monitor Users
|
SOAP APIs Create/Update/Delete/Execute
|
Allow users to Create/Update/Delete SOAP APIs
|
Yes
|
Except for API access and Monitor Users
|
Listeners Create/Update/Delete
|
Allow users to Create/Update/Delete Listeners
|
Yes
|
Except for API access and Monitor Users
|
Project permissions are used to associate permissions with projects. Any new project created is automatically associated with the "Developer" project permission profile. If a project permission profile is associated with a user on the user profile page, the user can perform only the permitted tasks in the mapped project.
- Associated with Project Permission Matrix. For example; Please refer to appropriate configurations from the below screenshot.
- Project permission can be mapped to multiple users.
- It is recommended to use Project Permissions only for development activities and hence it is not required to associate this for stages.
Use Access Control Lists (ACLs) to control the execution permission of an Integration. ACL can be mapped with multiple Access Profiles. It is recommended use custom ACLs (not Default) for API/Integration access.
Access Profile/Project permission/Environment
Matrix
|
Development
|
Test
|
Prelive
|
Live
|
Administrator
|
Yes
|
Yes
|
Yes
|
Yes
|
Developer/Project Permissions
|
Yes
|
|
|
|
DevOps
|
Yes
|
Yes
|
Yes
|
Yes
|
4. Securing API Cloud
- Access Profiles: API Management requires the below permissions for the Access Profile.
- The created Access Profile should be associated with at-least one stage as mentioned in the earlier sections. It is recommended to have different Access Profiles for API Gateway Administrator, API Gateway Providers, API Portal Administrators and API Portal Providers. These are offered by the platform out of the box. Administrative permissions that can be associated with different Access Profiles are below.
Types
|
Description
|
Recommended?
|
Comments
|
API GATEWAY
|
|
|
|
Functional Controls
|
|
|
|
APIs Manage
|
To create and manage APIs.
|
Yes
|
Except for Monitor role
|
APIs Publish to API Portal
|
To publish assets to API Portal.
|
Yes
|
Except for Monitor role
|
APIs Activate/Deactive
|
To activate, deactivate and manage APIs.
|
Yes
|
Except for Monitor role
|
Applications Manage
|
To create and manage applications and register applications with the APIs.
|
Yes
|
Except for Monitor role
|
Manage aliases
|
To create and manage aliases.
|
Yes
|
Except for Monitor role
|
Manage Global Policies
|
To apply a global policy to all APIs or the selected set of APIs.
|
Case by case
|
API Administrators only
|
Activate/Deactivate Global Policies
|
To activate and deactivate global policies.
|
Case by case
|
API Administrators only
|
Manage Policy Templates
|
To apply one or more policy templates to an API.
|
Yes
|
Except for Monitor role
|
Manage Threat Protection Policies
|
To prevent malicious attacks on applications that typically involve large, recursive payloads, and SQL injections.
|
Case by case
|
API Administrators only
|
Package & Plans Manage
|
To create packages and plans, associate a plan with a package, and associate APIs with a package.
|
Case by case
|
API Administrators only
|
Package & Plans Activate/Deactivate
|
To activate and deactivate packages.
|
Case by case
|
API Administrators only
|
Import Assets
|
To import already exported APIs, application, policies, and aliases by selecting Username > Import in API Gateway.
|
Yes
|
API Developer
|
Export Assets
|
To export assets to your local system.
|
Yes
|
API Developer
|
View Configurations
|
To create and manage administration configurations.
|
Yes
|
This is the only configuration to be enabled for Monitor role
|
Manage General Configurations
|
To manage general configurations.
|
Case by case
|
API Administrators only
|
Manage Security Configurations
|
To create and manage security configurations.
|
Case by case
|
API Administrators only
|
Manage Destination Configurations
|
To publish events and performance metrics data to the configured destinations.
|
Case by case
|
API Administrators only
|
Manage System Settings
|
To create and manage system settings.
|
Case by case
|
API Administrators only
|
Purge/Restore Runtime Events
|
To purge and restore events from the API Gateway store by setting the required date or duration in API Gateway.
|
Case by case
|
API Administrators only
|
Manage Service Result Cache
|
To manage caching of the results of API invocations depending on the caching criteria defined.
|
Case by case
|
API Administrators only
|
Manage Promotions
|
To add, modify, and delete API Gateway stages, or move API Gateway assets from the source stage to one or more target stages
|
Case by case
|
DevOps
|
API PORTAL
|
|
|
|
Administrator
|
To manage all API Portal administrative tasks.
|
Case by case
|
API Administrators only
|
Provider
|
To manage all API Portal provider tasks.
|
Yes
|
Except for Monitor role
|
Based on the public/private communities managed on API Portal, more fine-grained roles can be provisioned.
- Access Control Lists: Use Access Control Lists (ACLs) to control the execution permission of an Integration. ACL, through the assigned Access Profiles, specifies the users who are granted the Execute Integration permission.
Access Profile/Environment
Matrix
|
Development
|
Test
|
Prelive
|
Live
|
API Gateway
Administrators
|
Yes
|
Yes
|
Yes
|
Yes
|
Developer
|
Yes
|
|
|
|
API Portal
Administrators
|
Yes
|
Yes
|
Yes
|
Yes
|
API Portal
Provider
|
Yes
|
Yes
|
Yes
|
Yes
|
DevOps
|
Yes
|
Yes
|
Yes
|
Yes
|
5. Sample Use case - Creating Access Profile for Developer:
- Access Profile for Developer requires – project permissions for developing integrations, APIs, Applications (if the restriction needs to be applied on certain projects). Default Project is in general is intended for shared access between multiple development teams. Hence this is offered as part of Access Profile. An Access Profile can be created with such permission as shown below and can be associated with the developers.
- Go to Settings > Access Profiles > Add New Access Profile > Administrative Permissions and select the default permissions to be assigned for developer in webMethods Integration Cloud.
Please find below sample for the same.
From API Management prespective, Developer would also need permision to Manage the APIs (create, update, delete). This is required especially on Developement API Gateway Tenant. This requires the below permissions.
- In addition to this, new Project permissions can be created for each Project. To create the Project Permission,
Go to Settings > Project Permissions > Add New Project Permissions. Select the Project to give permissions and Click on ‘+‘ icon. Select all the permissions.
- Associate Access Profile and Project Permission to Users: The Access Profile created above has to be mapped with the User. To create the user with associated Access Profile; Go to Settings > Users > Add New User, select the Access Profile and required Project Permission
#integrationcloud#webMethods#wiki#webMethods-io-Integration