Access Control
The Adminapp REST API is accessible only to authenticated admin users with the appropriate rights.
The configuration separates authentication of the REST client from functional authorization:
- Authentication: see Adminapp >> REST API Configuration >> config group API Access Control
- Functional authorization: see Adminapp >> Access Control
Authentication
Authentication of the REST client requires two plugins:
- Request Credential Policy: Determines how to extract credentials (e.g. username and password or a ticket) from the REST request. Examples are:
  - HTTP Basic Auth header
  - Cookie with a JWT ticket
  - OAuth2 Bearer Token
  - Client certificate
- Authenticator: Defines how the credentials are verified (e.g. password check, certificate validation, or JWT verification).
Functional Access Control
The property "Access Control" (a top-level property in the "Adminapp") defines the authorization of an authenticated REST client in the Adminapp REST API.
The default access control plugin "Role-based Access Control" controls access to a large set of actions. Refer to the plugin documentation in the Config Editor for further details.
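The separation described above (a credential policy that only extracts, an authenticator that only verifies, and a role-based access control step that decides per action) can be shown end to end in a small request handler. The following is an added example written for this page, not code from the product: the cookie name IAM_TICKET, the HS256 ticket format, the accounts, passwords, role names and action names are all constructed placeholders, and the PBKDF2 password store stands in for whatever the real authenticator checks against.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholders for the example; none of these are product values.
JWT_SECRET = b"demo-hmac-secret-placeholder"
TICKET_COOKIE = "IAM_TICKET"  # assumed cookie name carrying the JWT ticket


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {  # constructed user store: salted password hash plus assigned roles
    "helpdesk1": {"salt": b"salt-1", "hash": _pw_hash("S3cret!", b"salt-1"), "roles": ["helpdesk"]},
    "admin1": {"salt": b"salt-2", "hash": _pw_hash("Adm1nPw!", b"salt-2"), "roles": ["admin"]},
}

ROLE_ACTIONS = {  # role-based access control: actions permitted per role (constructed)
    "helpdesk": {"user.read", "user.unlock"},
    "admin": {"user.read", "user.unlock", "user.create", "user.delete", "token.assign"},
}


@dataclass
class Credentials:
    kind: str                 # selects the authenticator
    principal: Optional[str]  # known up front only for HTTP Basic
    secret: str               # password or ticket, not yet verified


# --- Request credential policies: extract credentials, never verify them ---

def basic_header_policy(headers: Dict[str, str]) -> Optional[Credentials]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except ValueError:  # bad base64 or not UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return Credentials("basic", user, password) if sep else None


def jwt_cookie_policy(headers: Dict[str, str]) -> Optional[Credentials]:
    for part in headers.get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == TICKET_COOKIE:
            return Credentials("jwt", None, value)
    return None


# --- Authenticators: verify the credentials and return the principal ---

def password_authenticator(cred: Credentials, now: Optional[float] = None) -> Optional[str]:
    user = USERS.get(cred.principal or "")
    if user is None:
        _pw_hash(cred.secret, b"dummy-salt")  # same cost for unknown accounts
        return None
    ok = hmac.compare_digest(_pw_hash(cred.secret, user["salt"]), user["hash"])
    return cred.principal if ok else None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject: str, exp: float) -> str:
    """Issue an HS256 ticket; only used here to construct sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": exp}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_authenticator(cred: Credentials, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    try:
        header, payload, sig = cred.secret.split(".")
        # The configured algorithm is always used; the token's own alg field is not trusted.
        expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims.get("sub")


# --- Functional authorization and the request pipeline ---

def authorize(principal: str, action: str) -> bool:
    roles = USERS.get(principal, {}).get("roles", [])
    return any(action in ROLE_ACTIONS.get(role, set()) for role in roles)


POLICIES = [basic_header_policy, jwt_cookie_policy]
AUTHENTICATORS = {"basic": password_authenticator, "jwt": jwt_authenticator}


def handle_request(headers: Dict[str, str], action: str, now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """401: no valid credential; 403: authenticated but action not permitted; 200: allowed."""
    for policy in POLICIES:
        cred = policy(headers)
        if cred is None:
            continue
        principal = AUTHENTICATORS[cred.kind](cred, now)
        if principal is None:
            return 401, None  # a presented but invalid credential fails closed, no fallback
        return (200 if authorize(principal, action) else 403), principal
    return 401, None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Two design points worth noting: a credential that is present but fails verification yields 401 immediately instead of trying the next policy, so a rejected ticket cannot be retried as an anonymous request, and the authorization decision is keyed on the authenticated principal's roles, never on anything the client sent.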
Service list
Supported services (see ADMIN-REST-API-REFERENCE for technical details) are:
| Service | Description | Configuration Path in Config Editor |
|---|---|---|
| User Management | Comprehensive user management services (add, delete, modify, list, search, etc.). Get login statistics, lock/unlock user accounts, set validity range, etc. | Adminapp >> Users |
| Password and Authentication Token Management | Management of users' authentication tokens: assign tokens to user, order new tokens, see token details, edit token details, order letters, etc. Define active authentication token for user, edit token migration details, etc. | Mainly in Adminapp >> Users >> Authentication Tokens (Credentials); also various properties in Adminapp >> Users |
| Generic Token API | Custom REST services for custom authentication tokens or other user-related custom information can be added by configuring a "Generic Token Controller" plugin. | Adminapp >> Users >> Authentication Tokens (Credentials): add a Generic Token Controller |
| Token Management | Management of tokens independently of users (e.g. manage hardware OTP tokens, view Cronto token licenses). | Adminapp >> Tokens |
| Technical Client Management | Manage technical clients (API clients). | Adminapp >> Technical Clients |
| Maintenance Messages | Manage maintenance messages (list, add, delete, modify). | Adminapp >> Maintenance Messages |
| SMS Service | Send an SMS message and get the delivery status. | Adminapp >> REST API Configuration >> SMS Service Settings |
| Tech Client Management | List, lock/unlock, delete technical clients (API clients). Related to PSD2 features (see 12.6.3. STET PSD2 with Airlock components, 12.6.2. NextGenPSD2 (Berlin Group) with Airlock Secure Access Hub). | Adminapp >> Technical Clients |
Attribute-level Access Control (input validation)
To access user attributes through the Adminapp REST API interface, every attribute must be configured as a "User Profile Item". This ensures that both GUI and REST API enforce the same access restrictions. To configure "User Profile Items" see 18.13. Admin roles and user groups in Adminapp.
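The point of routing every attribute through a "User Profile Item" is that one configured definition answers both questions, which attributes a caller may see and which values a caller may write, and the GUI and the REST API consult the same definition. The following is an added illustration written for this page, not product code: the attribute names, role names, permissions and validation rules are constructed, and the read/write role sets on each item are an assumed shape for the configuration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class UserProfileItem:
    """One configured attribute: who may read it, who may write it, what a valid value is."""
    read_roles: Set[str]
    write_roles: Set[str]
    is_valid: Callable[[str], bool]


# Constructed configuration; attribute and role names are placeholders, not the product's.
PROFILE_ITEMS: Dict[str, UserProfileItem] = {
    "email": UserProfileItem({"helpdesk", "admin"}, {"admin"},
                             lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None),
    "phone": UserProfileItem({"helpdesk", "admin"}, {"helpdesk", "admin"},
                             lambda v: re.fullmatch(r"\+?[0-9]{6,15}", v) is not None),
    "department": UserProfileItem({"admin"}, {"admin"}, lambda v: 0 < len(v) <= 64),
}


def readable_view(record: Dict[str, str], roles: Set[str]) -> Dict[str, str]:
    """Attributes returned to a caller: only configured items that the caller's roles may read.
    Attributes stored on the user but not configured as profile items never leave the backend."""
    return {name: value for name, value in record.items()
            if name in PROFILE_ITEMS and PROFILE_ITEMS[name].read_roles & roles}


def validate_update(payload: Dict[str, object], roles: Set[str]) -> Tuple[Dict[str, str], List[str]]:
    """Input validation for a modify request: returns (accepted attributes, rejection reasons).
    A caller should fail the whole request on any rejection rather than apply the accepted subset."""
    accepted: Dict[str, str] = {}
    errors: List[str] = []
    for name, value in payload.items():
        item = PROFILE_ITEMS.get(name)
        if item is None:
            errors.append(f"{name}: not a configured User Profile Item")
        elif not item.write_roles & roles:
            errors.append(f"{name}: not writable for roles {sorted(roles)}")
        elif not isinstance(value, str) or not item.is_valid(value):
            errors.append(f"{name}: value failed input validation")
        else:
            accepted[name] = value
    return accepted, errors
```

Because an unconfigured attribute is rejected on write and dropped on read, an attribute that exists in the user store but was never made a profile item is unreachable through the API in either direction, which is the property the paragraph above describes.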