IFS roles vs ION API Access

janne-kindgren

We've not been able to get a response from Infor from the proper support channels nor documentation, so I'm asking here if anyone knows anything about this.

In on-prem and single tenant (possibly MT as well?) - where is the link between the roles needed on an IFS user and the ability to run APIs via ION API Gateway?

Scenario is for a Backend service, where a service user is connected to the authorized application.

In one environment (Infor ST) we've tested, there is one specific role ("MingleEnterprise"), that needs to be added to the service user. Without that role, we get "Illegal impersonation attempt" error calling the endpoint /IONSERVICES/oneviewapi/data/ping.

For the same customer, in their production environment, this role is NOT needed to run ION APIs.

In a third environment, on-prem, no IFS role is needed to run ION APIs.

So... where can I configure this?

And is it possible to control what ION APIs can be accessed? Because it seems in some environments a service user can access all APIs without IFS roles, which is a security risk.

Legacy Contributor

BackEnd Service security is the determined first by the MingleID you connect to the service when you create it, then the Actor connected to the Mingle Identity.  FSM or GHR are presumed here.  If your Backend Service is reading say FSM BusinessClasses, the roles assigned to the Landmark Actor ultimately determine the interface's access to the BusinessClass.  The role you cite, MingleEnterprise should not restrict your back send service request, but that role would not work if you are expecting to be issued an oauth2 token.  Anyone can construct an ION API call if they understand the REST structure, but they will receive an HTTP 403 if they try to access a BusinessClass they are not authorized to use