‎07-28-2021 03:12 PM
I've recently learned about the new "REST API Access policy" feature.
This, in conjunction with its prerequisite, Adaptive Authentication, is supposed to allow a greater degree of control over which users can access the platform from which IP addresses.
I've been experimenting with this in my personal developer instance.
I have been able to successfully design a rule like: "By default, users can only log in interactively from a specific IP range, unless they have a special role that allows them to log in from a different IP range."
I want to design a rule like: "By default, users can only make API calls from a specific IP range, unless they have a special role that allows them to make specific API calls from a different IP range."
This seems like a reasonable thing to do, but...as far as I can tell, the only way to do this would be to craft a REST API Access Policy [sys_api_access_policy] for every possible permutation of API, Resource, HTTP Method, and version.
This strikes me as extremely impractical (especially since new APIs may be created over time), so I am assuming that I'm wrong and that there is another way to do this.
Has anyone had any experience using these policies to restrict API access by default and then craft specific exceptions? Or have any other tips to share regarding this functionality?

‎08-16-2021 01:33 AM
Hi
You are correct that as of this date/release you will need to craft one policy per API permutation. Not practical, but that is the way this feature currently works. I had a customer on the phone some time back asking exactly the same question.
I believe this idea here could be what you are looking for; feel encouraged to upvote it 😄
Creating one REST API Access Policy to control all REST APIs

‎02-17-2023 07:05 AM
Hi @James Fricker
I am glad that you asked.
Access policy support for SOAP, JSONv2, RSS, and export processors is also coming as part of the Utah release.
Thanks,
Randheer

‎03-21-2023 03:57 AM
Hi @James Fricker ,
The ability to specify API access policy for SOAP, JSONv2, RSS and export processors is coming as part of the Utah release.
Thanks,
Randheer
‎03-24-2023 04:46 AM
We have implemented IP address restrictions for users accessing the instance using "IP Address Access Control". This is working well and restricting users who do not fall under the IP range.
However, this is enforcing restrictions on REST and SOAP inbound integrations as well. How can we enforce IP address restrictions only for access to the instance, without impacting any API integrations such as REST and SOAP?

‎03-27-2023 02:14 AM
The IP Address Access Control / Adaptive Authentication pre-authentication context policy gets applied to each incoming transaction (i.e., APIs, user interactive sessions, processors, etc.). If you need different controls for UI sessions and APIs, you can consider using the post-authentication context policy for UI sessions and API access policy for APIs.
You can learn more about Adaptive Authentication from this learning course.