Question
· Aug 4, 2020

Allow unauthorised access to a single REST service

Hi,

I've added a REST service which worked fine on our test system but failed on the production environment because UnknownUser does not have %All set and I really don't want it set on production (in fact I've also switched it off on test).

Is there a way to allow a single REST service to have unauthorised access?

I was thinking of adding a resource/role to UnknownUser specifically for that service but I've never touched on Users/Roles/Resources so I'm struggling to work out what needs adding where.

Thanks


A good approach is adding application and/or matching roles for the web application (in the web application's security configuration).

An application role is granted to users of the web application while in that context only. A matching role provides additional privileges to users holding a particular specified role.

A lazy approach would be adding %All as an application role, but that likely exposes too much. This is better than giving UnknownUser %All, for sure, but it's best to provide more granular roles than %All (in this case and more generally) - say, a role that provides Read access on the namespace's default routine DB and R/W on the namespace's default global/data DB.
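
The granular-role approach from the answer above, as an added example that is not part of the original thread: it creates a role with Read on the code database and Read/Write on the data database, then attaches it to one web application as an application role. The class name, role name, web application path and the two `%DB_...` resource names are hypothetical placeholders, and the comma-separated `MatchRoles` append is an assumption about how existing entries are stored.

```objectscript
/// Added example: hypothetical class, role, web application and resource names.
Class Demo.RestRoleSetup
{

/// Create a narrowly scoped role and grant it only inside one web application.
ClassMethod Setup(pApp As %String = "/api/myservice", pRole As %String = "MyRestSvc") As %Status
{
    // The Security.* classes are only available in %SYS;
    // New restores the caller's namespace when the method exits.
    New $NAMESPACE
    Set $NAMESPACE = "%SYS"

    // Read on the default routine DB, Read/Write on the default global DB.
    // Replace these placeholders with the resources protecting your databases.
    Set tResources = "%DB_MYAPP_CODE:R,%DB_MYAPP_DATA:RW"

    If '##class(Security.Roles).Exists(pRole) {
        Set tSC = ##class(Security.Roles).Create(pRole, "Role for one REST service", tResources)
        If $$$ISERR(tSC) Quit tSC
    }

    // Read the current web application settings.
    Set tSC = ##class(Security.Applications).Get(pApp, .tProps)
    If $$$ISERR(tSC) Quit tSC

    // An application role is a MatchRoles entry with an empty match role,
    // written ":TargetRole". A matching role would be "MatchRole:TargetRole".
    Set tEntry = ":"_pRole
    Set tCurrent = $Get(tProps("MatchRoles"))

    // Leave the application untouched if the role is already attached.
    If (","_tCurrent_",") [ (","_tEntry_",") Quit $$$OK

    // Append rather than overwrite, so existing role mappings are kept.
    Set tNew("MatchRoles") = tCurrent_$Select(tCurrent="":"", 1:",")_tEntry
    Quit ##class(Security.Applications).Modify(pApp, .tNew)
}

}
```

UnknownUser holds the role only while a request is running in that web application, so other applications and the Terminal see no change in its privileges.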