SAP API Management: Managing Application Developers and their access to API Products
The Developer Portal is where your Application Developers land when looking for the API Products you have published. There they can test the APIs and then consume them by creating an Application, which grants them the required credentials.
Now, would you want all your Application Developers to see all the API Products that you have published? The answer is not always yes. You may have a few technical API Products that should be visible only to the technical developers in your organization. You may have some marketing API Products that should be visible only to your Marketing department. In such cases, where you want to control the visibility of API Products based on the persona an Application Developer plays or the department she belongs to, you can use the new feature of associating Permissions with API Products to control access.
Let’s see how we could get this done in conjunction with the standard SAP Cloud Platform feature of Custom Roles.
Creation of Custom roles
After you identify a department or a persona that needs exclusive access to one or more API Products, create a corresponding Custom Role under the Developer Portal application in the SCP cockpit. Let’s say the Marketing department has such a requirement, so you create Role.Marketing. This activity is performed by the account admin.
Association of Permissions to API Products
As a user of API Portal managing API Products you can now go to the PERMISSION tab on any such product that you wish to expose only to the Marketing department and assign the new Custom Role to the Discovery and Subscription actions.
A few points to take note of:
- All the custom roles defined in the Developer Portal application context are available to you to choose from.
- If no permissions are associated with an API Product, there are no usage restrictions and it is visible to all Application Developers onboarded to the Developer Portal.
- You have the flexibility to define fine-grained access control, so you can achieve use cases such as an API Product that is visible to all but whose subscription is restricted to a specific role.
Assigning Custom Roles to Application Developers
This is again done in the SCP account cockpit under the Developer Portal application. You can leverage the full capabilities of the Cloud Platform to manage the role assignments.
Access control on Developer Portal
With the permissions associated with API Products and the roles assigned as per your organization's requirements, the access controller comes into action whenever an Application Developer visits the Developer Portal, either granting or restricting access.
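The rules above can be modelled offline to review a permission setup before publishing. This is an added example, not SAP code or part of the original post; the data layout, the roles other than Role.Marketing, and the assumption that an action with no role assigned is unrestricted are all illustrative.

```python
# Added illustration: a model of the visibility rules described in this post.
# The data layout and names are assumptions, not SAP API Management's schema.
ACTIONS = ("discovery", "subscription")

# Constructed sample catalogue: product -> {action: roles allowed}.
PRODUCTS = {
    "PublicWeather": {},                                   # no permissions
    "CampaignStats": {"discovery": {"Role.Marketing"},
                      "subscription": {"Role.Marketing"}},
    "PartnerOrders": {"subscription": {"Role.Partner"}},   # visible to all
    "InternalOps": {"discovery": {"Role.Technical"}},      # subscription unset
}


def allowed(product, action, user_roles):
    """Grant when the action carries no roles (assumed to mean unrestricted)
    or when the developer holds at least one of the roles assigned to it."""
    required = PRODUCTS[product].get(action, set())
    return not required or bool(required & set(user_roles))


def access_matrix(user_roles):
    """What one Application Developer can discover and subscribe to."""
    return {name: {a: allowed(name, a, user_roles) for a in ACTIONS}
            for name in PRODUCTS}


def audit():
    """Flag configurations an API Portal admin should double-check."""
    findings = []
    for name, perms in PRODUCTS.items():
        disc, sub = perms.get("discovery"), perms.get("subscription")
        if not disc and not sub:
            findings.append((name, "no permissions: open to every developer"))
        elif disc and not sub:
            findings.append((name, "discovery restricted, subscription open"))
        elif disc and sub and not (disc & sub):
            findings.append((name, "no role can both discover and subscribe"))
    return findings


if __name__ == "__main__":
    for name, row in access_matrix({"Role.Marketing"}).items():
        print(f"{name:14} {row}")
    for name, issue in audit():
        print(f"REVIEW {name}: {issue}")
```

The audit deliberately does not flag PartnerOrders, since "visible to all, subscription restricted" is the fine-grained case the post describes as intended.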
Hope this blog gave you an overview of how you can now manage who sees what on the Developer Portal.
If you have any questions or feedback do leave a comment and I will get back. Thanks for reading 🙂
Security is a tricky thing. I can see this not working if the developer has a role that would allow it somewhere else in their profile.
Interesting read. I'm a design/functional/technical type person so of course, I want to see it all. 🙂
Thanks for stopping by to provide feedback. Since both the Developer Portal UI and the APIs check for access restrictions, the probability that the developer will bypass the security seems unlikely. There is no other means to get access to the API products in API Management apart from these two means.
How are non SAP related developers able to join the developer portal? I gave them our API developer portal URL but it's always asking for an SCP account which they don't have. Should they have an account in SCP??
Thanks in advance.
They need to have an account in SAP (you can register at http://scn.sap.com). This is a prerequisite to get access to Developer Portal. Once this is done, accessing the Developer Portal URL will redirect to the registration page.
Hope this clarifies!
Thanks for the article. I'm able to publish the Product, and I created the custom role, but when I try to assign the role to the Product (via the Discovery and Subscription action), I'm getting an error "Unable to update Permissions for the Product" with no details. Any idea why I'm getting this? I have the APIPortal.Administrator role.
Thanks In Advance,
This is strange; just make sure that your session hasn't expired and that your connectivity in general is intact. If the issue persists and you are seeing this on a production account, please reach out via a ticket to OPU-API-OD-OPS to check the logs.
First, thanks a lot for preparing this article, really helpful.
I had one query: I could see API Portal (Roles & Destination) and tried creating a custom role there, but I'm not sure how to add the permission or what the benefit of doing so is.
Would be really helpful.
Thanks in Advance,
Creation of custom roles in API Portal doesn't have a compelling use case as of now. However, this is a capability that is available to all applications on SAP Cloud Platform and hence you are able to see it as well. You can ignore this for the time being.
Thanks a lot. Much appreciated.
Thank you for the blog. We followed the steps in the blog and created a custom role in BTP-Instances and Subscription->Subscription->Roles but it is not showing up on API Portal Product configuration->Discovery. Please advise us.