how to control rest API post/patch access?

Go to solution
Community Alums
Not applicable

‎08-19-2023 05:42 AM

Hi Experts,
I have a requirement to not allow user to insert/modify a particular field with rest API (not script Rest API, just table API) directly( means, via put, patch, post), but still allow read access, also allow the user's other action via rest API to trigger business rule to update/insert this particular field.(some kind of rea only access via rest API)

I could not figure out how to implement this, Does any one implement somethin similar or has any suggestions?

Is it possible?

 

Thanks lot!

Jerry

0 Helpfuls
  • 1,295 Views
1 ACCEPTED SOLUTION

Go to solution
Maik Skoddow
Tera Patron
Tera Patron
In response to Community Alums

‎08-19-2023 09:03 PM

Hi @Community Alums 

Again: The table API is following the existing ACLs. If you don't want a certain user to update a field, implement a field level ACL to restrict this.

Maik

View solution in original post

8 REPLIES 8

Go to solution
Maik Skoddow
Tera Patron
Tera Patron

‎08-19-2023 08:35 AM

Hi @Community Alums 

sorry, it is not clear what your requirement is. Which users are you referring to? A normal user? If so, why should that user use the table API and cannot work in the UI. Also the table API is following the existing ACLs. So, if a user cannot create/modify records in the UI then that user is also not allowed to do the same via table API.

Maik

Go to solution
Community Alums
Not applicable
In response to Maik Skoddow

‎08-19-2023 01:34 PM

Hi Maik,

That is right, the user could not use the UI (form, list view or portal)

1)since it is used by third party via the table API (not via scripted REST API) to integrate with our system

2)they need some time process many records via their Python program in which they use  REST API.

However, we don't want them to directly insert/update this field, yet still want to allow them other action, say, they modified other field value via their API that fire our business rule to update this particular field.

 

Thanks!

Jerry

 

0 Helpfuls

Go to solution
Maik Skoddow
Tera Patron
Tera Patron
In response to Community Alums

‎08-19-2023 09:03 PM

Hi @Community Alums 

Again: The table API is following the existing ACLs. If you don't want a certain user to update a field, implement a field level ACL to restrict this.

Maik

Go to solution
Community Alums
Not applicable
In response to Maik Skoddow

‎08-20-2023 04:07 PM

Hi Maik,

Field ACL may not work. If the user is not allowed to write on , say, this field A by ACL, do you think the user would be able to modify other field B which fires a business rule to update this field A? If so, that is a solution for us, if no, it does not work for us.

 

Thanks!

Jerry

0 Helpfuls