2.1.7 Grant permission to organizations
It is possible to control as part of the API-Configuration which organizations will have access to the API. This is very handy, when creating a new API and automatically makes it available to a desired set or even ALL organizations without the need to step into the API-Manager. In combination with the Application-Subscription (Learn more) management capability, an API-Developer can configure and immediately test his API, without ever touching the API-Manager UI or REST-API.
To configure organizations, extend the API-Configuration as following:
{
"name": "Minimal API",
"path": "/minimal/api/v1",
"state": "unpublished",
"version": "1.0.0",
"organization": "API Development",
"clientOrganizations":[
"Another org",
"My Partner",
"......",
]
}If you want to grant access to your API to all organizations, configure it like this:
{
"name": "Minimal API",
"path": "/minimal/api/v1",
"state": "unpublished",
"version": "1.0.0",
"organization": "API Development",
"clientOrganizations":[
"ALL"
]
}The handling of configured organizations can be controlled with the parameter: clientOrgsMode which can have one of the following values:
-
ignore:
All of the configured client-organizations are ignored -
replace:
This mode will replace, which means remove, eventually existing additional grants to organizations and replace it completely with the organizations configured in the config-file. -
add:
Existing grants to organizations will stay untouched and only additional organizations configured in the file will be added.
Please note the following:
- if you change it back from ALL to maybe 2 Orgs only, the tool will revoke access to all other organizations
- if new organizations has been added to the API-Manager, since the last API deployment, the tool will realize this delta and grant access to the newly added organizations
Some cases API Administrator wants to grant access to single organization without manipulating api-config.json
Commands to grant permission to an organization based on organization name and API id
apim api grant-access -u apiadmin -p xxxxx -h 10.129.61.129 -orgName "API Development 4172" -id 653aebcf-b4a2-4972-8050-a4e49a95c8c1 -forceCommands to grant permission to an organization based on organization name and API Name
apim api grant-access -u apiadmin -p xxxxx -h 10.129.61.129 -orgName "API Development 4172" -n petstore -forceCommands to grant permission to an organization based on organization id and API id
apim api grant-access -u apiadmin -p xxxxx -h 10.129.61.129 -orgId ed3a381e-0c00-47d1-a296-ff56abcfa07a -id 653aebcf-b4a2-4972-8050-a4e49a95c8c1 -forcePlease note the following:
- User can't grant access to organization which is used to create API
Revoke an API Access for single organization
Commands to revoke permission to an organization based on organization name and API id
apim api revoke-access -u apiadmin -p xxxxx -h 10.129.61.129 -orgName "API Development 4172" -id 653aebcf-b4a2-4972-8050-a4e49a95c8c1 -forceCommands to revoke permission to an organization based on organization name and API Name
apim api revoke-access -u apiadmin -p xxxxx -h 10.129.61.129 -orgName "API Development 4172" -n petstore -forceCommands to revoke permission to an organization based on organization id and API id
apim api revoke-access -u apiadmin -p xxxxx -h 10.129.61.129 -orgId ed3a381e-0c00-47d1-a296-ff56abcfa07a -id 653aebcf-b4a2-4972-8050-a4e49a95c8c1 -forcePlease note the following:
- User can't revoke access to organization which is used to create API