Maximo Open Forum

 View Only

  • 1.  MAXIMO OSLC JSON Rest API - Security

    Posted 10-07-2022 19:51
    Hello,

    Can someone please explain or share some documentation on how the "security model" works with OSLC JSON Rest API? 

    We presently have a user that is placed in the "maxadmin" group (that have almost all the privileges). We created the APIKeys of that user and we are using those API keys for HTTP Get/Post requests for exchanging the data with other external applications. We were wondering to use another user  (from a different security group) that may have only "limited privileges". However, today I was surprised to see the following:

    1) We created a group that has "least privileges" (it does not have even read privilege for wotrack, asset etc.)
    2) We created a user that belongs to 1)
    3) We created the APIKeys for 2)
    4) Now we wanted to test the HTTP Get/Post using that the APIKeys generated in 3) to see whether the security model will restrict us or not.

    We were surprised to see that we were able to retrieve the data from almost all the object structures; we were infact able to perform HTTP Post to insert/update the rows in the underlying MBOs using those APIKeys. 

    How do we  control the access privs for this above? 

    We are also executing the automation scripts via HTTP Post using OSLC JSON Rest API. How do we control that as well?
    #Integrations

    ------------------------------
    Pankaj Bhide
    Berkeley National Laboratory
    ------------------------------


  • 2.  RE: MAXIMO OSLC JSON Rest API - Security

    Posted 10-10-2022 08:43
    The security model for the JSON API works through Object Structures. To fully control what can be accessed through the API, you should enable the "mxe.int.enableosauth" System Property. This will force all Object Structures to have application security configured prior to use. If an Object Structure does not have an Authorization Name, it will not be able to be accessed when that property is enabled.

    From there, you would go to the Security Groups application and grant Read, Insert, Save, and/or Delete access to given Object Structures for various groups. Data restriction conditions can be applied to individual Object Structures to limit the data that can be seen or interacted with.

    Hope this helps,
    Alex

    ------------------------------
    Alex Walter
    A3J Group, LLC
    ------------------------------

    Original Message


  • 3.  RE: MAXIMO OSLC JSON Rest API - Security

    Posted 10-10-2022 10:02
    I had responded on the IBM community (https://community.ibm.com/community/user/asset-facilities/discussion/oslc-json-rest-api-security) but wanted to document it here as well in case the IBM community becomes unavailable or someone doesn't have access to it. Especially since the script security piece isn't documented yet, though I plan to update the documentation we have on it in the automation script wiki (https://ibm-maximo-dev.github.io/maximo-autoscript-documentation/rest/scripthandler).

    For object structures, long term you should look at enabling the system property mxe.int.enableosauth. This was disabled by default in upgraded environments and enabled by default in new instances, but I believe we're looking to enable it by default in all environments. Before you can enable this though, you need to go through and identify all object structures that you utilize and ensure that they have security configured in the Object Structures application. For example, MXASSET out of the box has no security configured (Authorization name is empty) which means that any authenticated user can utilize the object structure. 

    Utilizing the "Configure Object Structure Security" action, you can either tie the authorization name to an application (such as ASSET) or you can configure unique permissions for that object structure (which is what I would recommend). To configure unique security permissions for the object structure, check the "Use Object Structure for Authorization Name" checkbox in the dialog.


    If you enable the system property before configuring this on each of the object structures, those object structures will not be usable. This includes all integration methods (file, table, SOAP, REST, etc.) for all users (including MAXADMIN/MXINTADM). That's why it's very important you identify each object structure currently being used and ensure this is configured. This could impact third party mobility products as well. 

    If the automation scripts are actions on the object structure, you can secure them by tying an option name to the action. 

    If you're calling scripts using the script handler (/maximo/oslc/script or /maximo/api/script) then it's not well documented but there are ways to secure it. The first is you can tie an application & option to the script route handler (using the Add/Modify API Routes dialog in the Object Structures application). This blocks any user from calling a script that doesn't have the permission defined. Most users don't need to call automation scripts via the REST API so this alone may be sufficient.

    If you need more granular permission control (IE you can run script A but not script B), on the scripts you can add two variables (authapp & authsigoption). This will check these permissions for this specific automation script. If you don't have these variables, any user can use them. 



    ------------------------------
    Steven Shull
    IBM
    ------------------------------

    Original Message


  • 4.  RE: MAXIMO OSLC JSON Rest API - Security

    Posted 10-11-2022 12:49
    Just a FYI, I updated our documentation on https://ibm-maximo-dev.github.io/maximo-autoscript-documentation/rest/scripthandler to incorporate how to secure the script handler via the REST API.

    ------------------------------
    Steven Shull
    IBM
    ------------------------------

    Original Message


Related Content