Introduction to Endpoint Permissions
The API employs a permissions model designed to regulate access to its endpoints based on user roles and their associated permissions. This model ensures that users can only access and modify data that is appropriate for their role within the organization.
Permission Levels
The permissions model categorizes access into three distinct levels:
| Permission | Description |
|---|---|
| Full Access | Users with full access can perform all actions associated with an endpoint, including creating, reading, updating, and deleting data. |
| Read Only | Users with read-only access can view data but are restricted from making any changes or performing any actions that would modify the data. |
| No Access | Users with no access are completely restricted from interacting with the endpoint and cannot view or modify data. |
How Permissions Are Applied
Permissions are applied based on the following criteria:
| Criteria | Description |
|---|---|
| User Access Groups | Each user is assigned to one user access group. The group defines the permissions for the various API endpoints, and those permissions dictate what actions a user can perform on the data. |
| Transaction Types | Certain API endpoints are tied to specific transaction types. The transaction type helps determine whether a user needs full access or can be restricted to read-only access. |
| Access Level Specification | For each endpoint, the required access level (Full Access, Read Only, or No Access) is clearly specified, ensuring that users can interact with the endpoint according to their role. Detailed information about each endpoint can be found on its respective page. |
403 Forbidden Error
If a user attempts to access an endpoint without the necessary permissions, the API will return a 403 Forbidden error.
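One way a server could enforce this model, as an added example that is not the API's own code: the user, group, endpoint and transaction-type names are constructed sample data, and treating safe HTTP methods as satisfied by Read Only while any modifying method requires Full Access is an assumption about how the API maps actions to levels.

```python
from enum import IntEnum

class Access(IntEnum):
    """The three permission levels, ordered so a higher level implies the lower ones."""
    NO_ACCESS = 0
    READ_ONLY = 1
    FULL_ACCESS = 2

# Constructed sample data (hypothetical names, not taken from the API documentation).
# Each user belongs to exactly one access group.
USER_GROUP = {"alice": "finance_clerk", "bob": "auditor", "carol": "support"}

# Access group -> transaction type -> granted level.
ACCESS_GROUPS = {
    "finance_clerk": {"invoice": Access.READ_ONLY, "payment": Access.FULL_ACCESS},
    "auditor":       {"invoice": Access.READ_ONLY, "payment": Access.READ_ONLY},
    "support":       {"invoice": Access.NO_ACCESS, "payment": Access.NO_ACCESS},
}

# Endpoint -> the transaction type whose permission governs it.
ENDPOINT_TRANSACTION = {"/invoices": "invoice", "/payments": "payment"}

# Assumption: non-modifying methods need Read Only; anything that changes data needs Full Access.
READ_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def required_level(method: str) -> Access:
    return Access.READ_ONLY if method.upper() in READ_METHODS else Access.FULL_ACCESS


def granted_level(user: str, transaction_type: str) -> Access:
    # Default-deny: an unknown user, group or transaction type yields No Access.
    group = USER_GROUP.get(user)
    return ACCESS_GROUPS.get(group, {}).get(transaction_type, Access.NO_ACCESS)


def authorize(user: str, method: str, path: str) -> int:
    """Return the HTTP status the permission check produces: 200 (allowed) or 403 Forbidden."""
    transaction_type = ENDPOINT_TRANSACTION.get(path)
    if transaction_type is None:      # endpoint not mapped to any transaction type: deny
        return 403
    if granted_level(user, transaction_type) >= required_level(method):
        return 200
    return 403


if __name__ == "__main__":
    for user, method, path in [("alice", "GET", "/invoices"), ("alice", "POST", "/invoices"),
                               ("alice", "DELETE", "/payments"), ("carol", "GET", "/invoices")]:
        print(user, method, path, "->", authorize(user, method, path))
```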
User Access Group
User access groups are central to the permissions model. These groups are defined by the organization’s administrators and are used to control which endpoints users can access and what actions they can perform. The access groups typically align with job roles, ensuring that users have the necessary permissions to perform their duties while preventing unauthorized access to sensitive data.
Endpoint Permissions Documentation
The documentation for each API endpoint includes a detailed "Permissions" section. This section specifies:
- Required Transaction Type: The specific permission required to access the endpoint.
- Access Levels: The actions that users can perform based on their access level (Full Access, Read Only, or No Access).
This documentation helps developers and administrators understand the access control mechanisms in place and ensures that the API is used securely and effectively.