Shruthi M Arjun

SAP API Management: Managing Application Developers and their access to API Products

Introduction

The Developer Portal is the place where your Application Developers land when looking for the API Products you have published. They can test the APIs there and then consume them by creating an Application, which grants them the required credentials.

Now, would you want all your Application Developers to see all the API Products that you have published? The answer is not always a Yes. You may have a few Technical API Products that are to be visible to the technical Developers from your organization only. You may have some Marketing API Products that are to be visible only to your Marketing department. In such cases where you want to control the visibility of the API Products based on a persona that an Application Developer plays or the department she belongs to, you can use the new feature of associating Permissions in API Products to control the access.

Let’s see how we could get this done in conjunction with the standard SAP Cloud Platform feature of Custom Roles.

Creation of Custom roles

After you identify a department or a persona that needs exclusive access to one or more API Products, create a corresponding Custom Role under the Developer Portal application in the SCP cockpit. Let's say the Marketing department has such a requirement and hence you create Role.Marketing. This activity is performed by the account admin.

Association of Permissions to API Products

As a user of API Portal managing API Products you can now go to the PERMISSION tab on any such product that you wish to expose only to the Marketing department and assign the new Custom Role to the Discovery and Subscription actions.

A few points to take note of:

  • All the custom roles defined in the Developer Portal application context are available to you to choose from.
  • If no permissions are associated with an API Product, there are no usage restrictions and it is visible to all Application Developers on-boarded on to the Developer Portal.
  • You have the flexibility to define fine-grained access control; for example, an API Product can be visible to all but restricted to a specific role for subscription.

Assigning Custom Roles to Application Developers

This is again done in the SCP account cockpit under the Developer Portal application. You can leverage the full capabilities of the Cloud Platform to manage the role assignments.

Access control on Developer Portal

With the permissions associated with API Products and the roles assigned as per your organization's requirements, the access controller comes into action when an Application Developer visits the Developer Portal, either granting or restricting access.
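The permission semantics described above can be modelled in a few lines, which is useful for reviewing a product list for entries left open by default. This is an added example, not SAP code or an SAP export format; the product names, the roles other than Role.Marketing, and the assumption that each action is evaluated independently are illustrative.

```python
from dataclasses import dataclass, field

ACTIONS = ("Discovery", "Subscription")


@dataclass
class Product:
    name: str
    # action -> set of custom roles allowed; a missing or empty entry
    # means no restriction for that action (as the article states)
    permissions: dict = field(default_factory=dict)


def is_allowed(product, action, developer_roles):
    """True if a developer holding developer_roles may perform action."""
    required = product.permissions.get(action) or set()
    if not required:
        return True  # no permission associated: unrestricted
    return bool(required & set(developer_roles))


def effective_access(products, developer_roles):
    """Per-product, per-action decision for one developer."""
    return {p.name: {a: is_allowed(p, a, developer_roles) for a in ACTIONS}
            for p in products}


def audit(products):
    """Flag products whose permission setup deserves a second look."""
    findings = []
    for p in products:
        open_actions = [a for a in ACTIONS if not p.permissions.get(a)]
        if len(open_actions) == len(ACTIONS):
            findings.append((p.name, "no permissions: open to every onboarded developer"))
        elif open_actions == ["Subscription"]:
            findings.append((p.name, "Discovery restricted but Subscription unrestricted"))
    return findings


# Constructed sample data (hypothetical products and roles).
PRODUCTS = [
    Product("MarketingCampaigns", {"Discovery": {"Role.Marketing"},
                                   "Subscription": {"Role.Marketing"}}),
    Product("PublicCatalog"),
    Product("PartnerPricing", {"Subscription": {"Role.Partner"}}),
    Product("InternalOps", {"Discovery": {"Role.Technical"}}),
]

if __name__ == "__main__":
    print(effective_access(PRODUCTS, {"Role.Marketing"}))
    print(audit(PRODUCTS))
```

Running the audit over a real product list before onboarding new developers shows which products rely on the default of no restriction.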

Summary

Hope this blog gave you an overview of how you can now manage who sees what on the Developer Portal.

If you have any questions or feedback do leave a comment and I will get back. Thanks for reading 🙂


      10 Comments
      Michelle Crapo

      Security is a tricky thing. I can see this not working if the developer has a role that would allow it somewhere else in their profile.

      Interesting read. I'm a design/functional/technical type person so of course, I want to see it all. 🙂

      Michelle

      Shruthi M Arjun
      Blog Post Author

       

      Hello Michelle

      Thanks for stopping by to provide feedback. Since both the Developer Portal UI and the APIs check for access restrictions, the probability that the developer will bypass the security seems unlikely. There is no other means to get access to the API products in API Management apart from these two means.

      Thanks

      Shruthi

      Iñigo Sacramento Garcia

      How are non SAP related developers able to join the developer portal? I gave them our API developer portal URL but it's always asking for an SCP account which they don't have. Should they have an account in SCP??

      Thanks in advance.

      Iñigo.

      Shruthi M Arjun
      Blog Post Author

      Hello

      They need to have an account in SAP (you can register at http://scn.sap.com). This is a prerequisite to get access to Developer Portal. Once this is done, accessing the Developer Portal URL will redirect to the registration page.

      Hope this clarifies!

      Thanks

      Shruthi

      Richard H. Chan

      Hi Shruthi,

      Thanks for the article.  I'm able to publish the Product, and I created the custom role, but when I try to assign the role to the Product (via the Discovery and Subscription action), I'm getting an error "Unable to update Permissions for the Product" with no details.  Any idea why I'm getting this?  I have the APIPortal.Administrator role.

       

      Thanks In Advance,

      Rich

      Shruthi M Arjun
      Blog Post Author

      Hi

      This is strange, just make sure that your session hasn't expired or your connectivity in general is intact. If the issue persists and you are seeing this on a production account, please reach out via a ticket to OPU-API-OD-OPS to check the logs.

      Thanks

      Shruthi

      A. Podder

      Hello Shruthi,

      First, thanks a lot for preparing this article, really helpful.

      I had one query: I could see API Portal (Roles & Destination) and tried creating a custom role there, but I am not sure how to add the permission and also the benefit of doing so.

      Would be really helpful.

      Thanks in Advance,

      Regards

      Abhijit

       

      Shruthi M Arjun
      Blog Post Author

      Hi Abhijit,

      Creation of custom roles in API Portal doesn't have a compelling use case as of now. However, this is a capability that is available to all applications on SAP Cloud Platform and hence you are able to see it as well. You can ignore this for the time being.

      Thanks

      Shruthi

       

      A. Podder

      Hello Shruthi,

       

      Thanks a lot. Much appreciated.

       

      Regards

      Abhijit

      Senthil Subramanian

      Hello Shruthi,

      Thank you for the blog. We followed the steps in the blog and created a custom role in BTP-Instances and Subscription->Subscription->Roles but it is not showing up on API Portal Product configuration->Discovery. Please advise us.

       

      Regards,

      Senthil