REST API authorization for user, group, and team actions

Edit online

Two authorization modes are provided for the REST APIs granting access to user, group, and team information. A default mode provides limited authorization control while an enhanced mode is available to extend authorization control to all concerned APIs.

To enable the enhanced mode, add the following configuration property to the 100Custom.xml file in your topology:

<server>
      <portal merge="mergeChildren">
            <authorization-enabled-for-org-info>true</authorization-enabled-for-org-info>
      </portal>
</server>

For more information about roles, see Authorization roles. For more information about action policies, see Configuration properties for action policies.

Table 1. Authorization behavior when enhanced authorization control is enabled
User/group/team action	Enabled for authorization roles and action policies	Other preconditions
View user information `/user/<userIdOrName>`	IBM® Business Automation Workflow (BPM) administrator (member of the bpmAdminGroup) for all users A user invoking the API for viewing the user's own data A user who is authorized by the `ACTION_REFRESH_USER` policy and the `ACTION_MANAGE_ANY_USERATTRIBUTE` policy
Refresh user information `/user/<userIdOrName>?refreshUser=true`	Business Automation Workflow administrator (member of the bpmAdminGroup) for all users A user who is authorized by the `ACTION_REFRESH_USER` policy
Update user attributes `/user/{userNameOrID}?action=setPreference`	Business Automation Workflow administrator (member of the bpmAdminGroup) for all users A user who is authorized by the `ACTION_MANAGE_ANY_USERATTRIBUTE` policy	Users calling the API can update self-manageable attributes Business Automation Workflow administrators can update any attribute Policy-enabled users can update any attribute
View user information `/users`	Business Automation Workflow administrator (member of the bpmAdminGroup) for all users
View potential collaborators for a claimed task `/users?collabTaskidFilter=`	Business Automation Workflow administrator (member of the bpmAdminGroup) A user who is authorized to invite others to collaborate on a task: Task owner	Task must be claimed. Collaboration is enabled. Task involves at least one potential collaborator: Task expert Another potential owner
View potential reassignees for a received or claimed task `/users?assignTaskidFilter=`	Business Automation Workflow administrator (member of the bpmAdminGroup) A user who is authorized to reassign the task to another user, such as Task owner, if authorized by `ACTION_REASSIGN_TASK_USER_ROLE` policy Task team manager Instance owner	Task must be received or claimed.
View group information `/group/<groupIdOrName>`	Business Automation Workflow administrator (member of the bpmAdminGroup) Team managers (if the specified group corresponds to a team)
Change group membership `/group/<groupIdOrName>?action=addMember` `/group/<groupIdOrName>?action=removeMember`	Business Automation Workflow administrator (member of the bpmAdminGroup)
View groups information `/groups`	Business Automation Workflow administrator (member of the bpmAdminGroup)
View team information `/team/<teamIdOrName>`	Business Automation Workflow administrator (member of the bpmAdminGroup) Team manager
View participant group information `/participantGroup/<pgIdOrName>`	Business Automation Workflow administrator (member of the bpmAdminGroup)

Table 2. Authorization restrictions when enhanced control is not enabled by configuration
User/group/team action	Enabled for roles and action policies	Other preconditions
View user information `/user/<userIdOrName>` `/users`	Any authenticated user	Users can view their own information including all attributes Users can view the public attributes of other users Users who are enabled by `ACTION_MANAGE_ANY_USERATTRIBUTE` can view all the attributes of another user
Refresh user information `/user/<userIdOrName>?refreshUser=true`	A user who is authorized by the `ACTION_REFRESH_USER` policy
Update user attributes `/user/{userNameOrID}?action=setPreference`	A user who is authorized by the `ACTION_MANAGE_ANY_USERATTRIBUTE` policy	Users calling the API can update self-manageable attributes Policy-enabled users can update any attribute
View potential collaborators for a task `/users?collabTaskidFilter=`	Business Automation Workflow administrator (member of the bpmAdminGroup) Process application administrator A user who is authorized to view the task (assigned to another user): Task owner Task team manager Task collaborator Instance owner
View potential reassignees for a task `/users?assignTaskidFilter=`	Business Automation Workflow administrator (member of the bpmAdminGroup) Process application administrator A user who is authorized to view the task (assigned to another user): Task owner Task team manager Task collaborator Instance owner
View group information `/group/<groupIdOrName>`	Business Automation Workflow administrator (member of the bpmAdminGroup) Team managers (if the specified group corresponds to a team)
Change group membership `/group/<groupIdOrName>?action=addMember` `/group/<groupIdOrName>?action=removeMember`	Business Automation Workflow administrator (member of the bpmAdminGroup)

There are no default restrictions for the group and team-related APIs.