Our administrator gave developers permission for data masking on organization level and on api level. However I still get 403 forbidden on the api level masking configuration. The organization level configuration is working.
I checked the permission reference sheet
https://docs.apigee.com/api-platform/system-administration/permissions#data-masks
It has the path
/applications/*/maskconfigs
It seems different from the API provided in the documentation
https://docs.apigee.com/api-platform/security/data-masking
which has the path
https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs
Firstly, the term `applications` in the resource permissions applies to `apis` in the Edge API URL; that's a historical artifact.
Secondly, there appears to be an issue with `maskconfigs` and custom roles at the API Proxy level.
I created a custom role `AllowMaskconfig` and set the following permissions which did not work.

```json
{
  "resourcePermission": [
    { "path": "/maskconfigs", "permissions": [ "get", "put" ] },
    { "path": "/maskconfigs/*", "permissions": [ "get", "put", "delete" ] },
    { "path": "/applications/features-v1/maskconfigs", "permissions": [ "get", "put" ] },
    { "path": "/applications/features-v1/maskconfigs/*", "permissions": [ "get", "put", "delete" ] }
  ]
}
```
Then, I tried this, which did work.

```json
{
  "resourcePermission": [
    { "path": "/maskconfigs", "permissions": [ "get", "put" ] },
    { "path": "/maskconfigs/*", "permissions": [ "get", "put", "delete" ] },
    { "path": "/*/features-v1/maskconfigs", "permissions": [ "get", "put" ] },
    { "path": "/*/features-v1/maskconfigs/*", "permissions": [ "get", "put", "delete" ] }
  ]
}
```
If you assign this role to a user in the built-in `User` role, that user will now be able to create maskconfigs at the proxy level just for the `features-v1` proxy. And if you change that path element to `*`, they can create maskconfigs for all proxies.
You can prevent access using a `DisallowMaskconfig` role with these permissions.

```json
{
  "resourcePermission": [
    { "path": "/maskconfigs", "permissions": [] },
    { "path": "/maskconfigs/*", "permissions": [] },
    { "path": "/*/*/maskconfigs", "permissions": [] },
    { "path": "/*/*/maskconfigs/*", "permissions": [] }
  ]
}
```
Always fun playing with custom roles!
Show the exact permissions you have on the role, please?
I'm one of the Developers. I'm not the admin. Is there a way to get my permissions? Anyway what he has given me is data-masks permissions for both organizational level and api level.
I contacted him and he just said that he has given me access to everything related to data masks. Could this be a bug, knowing that the permission reference has a different API than what is actually needed?
Thank you. I guess the Apigee team needs to change that documentation since it is misleading. When /apis/*/maskconfigs was given as a permission it worked. /applications didn't, although the documentation said that this is what needs to be given to get access for mask configs.
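An added example (not from the thread's participants or from Apigee): a Python check that reads a custom role's `resourcePermission` JSON, reports which proxies receive proxy-level maskconfig verbs, and flags `/applications/...` entries. It assumes, based only on the behaviour reported in this thread, that requests are checked as `/apis/<proxy>/maskconfigs` with `*` matching one path segment; `segments_match`, `audit_role`, the `orders-v1` proxy and the `default` child name are hypothetical.

```python
import json

# Constructed sample roles: the proxy-level entries from the two role bodies above.
NOT_WORKING = json.loads("""{"resourcePermission": [
  {"path": "/applications/features-v1/maskconfigs", "permissions": ["get", "put"]},
  {"path": "/applications/features-v1/maskconfigs/*", "permissions": ["get", "put", "delete"]}]}""")
WORKING = json.loads("""{"resourcePermission": [
  {"path": "/*/features-v1/maskconfigs", "permissions": ["get", "put"]},
  {"path": "/*/features-v1/maskconfigs/*", "permissions": ["get", "put", "delete"]}]}""")

def segments_match(pattern, resource):
    """Assumed matching model: equal segment count, '*' matches one segment."""
    p, r = pattern.strip("/").split("/"), resource.strip("/").split("/")
    return len(p) == len(r) and all(a == "*" or a == b for a, b in zip(p, r))

def audit_role(role, proxies):
    """Return (grants, ineffective) for a single role.

    grants: verbs per proxy on its maskconfigs, assuming the request is
    checked as /apis/<proxy>/maskconfigs[/<name>].
    ineffective: /applications/... maskconfig paths, which this thread
    reports as not taking effect at the proxy level.
    """
    grants = {name: set() for name in proxies}
    ineffective = []
    for entry in role.get("resourcePermission", []):
        path, verbs = entry["path"], entry.get("permissions", [])
        parts = path.strip("/").split("/")
        if parts[0] == "applications" and "maskconfigs" in parts:
            ineffective.append(path)
        for name in proxies:
            base = f"/apis/{name}/maskconfigs"
            # "default" is a constructed child name used to probe the /* entry.
            if segments_match(path, base) or segments_match(path, base + "/default"):
                grants[name].update(verbs)
    return grants, ineffective

if __name__ == "__main__":
    proxies = ["features-v1", "orders-v1"]  # orders-v1 is a constructed name
    for label, role in (("not working", NOT_WORKING), ("working", WORKING)):
        grants, ineffective = audit_role(role, proxies)
        print(label, {k: sorted(v) for k, v in grants.items()}, ineffective)
```

The check covers one role at a time and does not model how an empty-permission role such as `DisallowMaskconfig` combines with other roles assigned to the same user.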