Changing the user visibility of selected REST APIs

Configure the rest.api.visibility parameter to change the User Visibility property of four Verify Governance REST APIs.

Before you begin

The parameter is in the config.properties custom file of the virtual appliance. This file can be accessed only by a virtual appliance administrator in the Custom File Management pane.

About this task

The rest.api.visibility parameter acts on the visibility of the following APIs:
| Category | Resource | API | Endpoint |
|---|---|---|---|
| Access Governance Core (AGC) API methods | Users - Accounts | Change Password | /igi/v2/agc/users/accounts/{account_id}/password |
| Access Governance Core (AGC) API methods | Users - Accounts | Find User Account | /igi/v2/agc/users/{user-id}/accounts/.search |
| Access Governance Core (AGC) API methods | Account Configurations | Get Password Policy | /igi/v2/agc/accountcfg/password/policy |
| Access Request Management (ARM) API methods | Requests | Find Request Detail | /igi/v2/arm/requests/{request_id} |
The values for rest.api.visibility can be one of the following:
True
The visibility (action) of the APIs is limited to the targeted objects that are owned by the specified end user.

Only an administrator (admin user) has the complete visibility of the targeted objects of all users.

This is the default value.

False
The complete visibility of the targeted objects of all users is available to the administrator as well as to the end user who uses the API.

Fresh product installations and upgrades come with rest.api.visibility set to True.

If, for legacy or other reasons, you want the value changed to False, your virtual appliance administrator must follow the steps that are described next to change the value from True to False.
Important: To be able to use the IBM Security Verify Request mobile app, or to integrate with the ServiceNow platform, the rest.api.visibility parameter must be set to false.

If you upgrade from an older version, the parameter is not listed in the config.properties file, although the product behaves as if it were set to True. If you want it changed, the virtual appliance administrator must manually add the parameter in the config.properties custom file and set it to False.

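Note that setting the parameter to False might cause undesired security problems when the APIs are used: an end user can then find information about all the accounts, request details, and password policies of the system, and can change the password for any account with no check that the caller owns it.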

Note also that if rest.api.visibility is set to no value, or to a value that is not True or False, it nonetheless defaults to True.

Procedure

  1. In the virtual appliance, go to Configure > Manage Server Setting > Custom File Management.
    The Custom File Management pane is displayed.
  2. In the All Files tab, select the properties folder, but do not unfold it.
    A list of files is displayed on the right.
  3. Scroll down the list until you find the config.properties file. Select the file and select Download.
  4. Download the file to your computer and open it with an editor.
  5. Scroll down to the end of the file.
    If the product was freshly installed, you see the following lines:
    # REST APIs visibilities configuration
    #
    # This parameter sets the visibility of the resources of the system for an end user.
    # The visibility for an admin user remains unchanged.
    # Set to true to have the visibility on the following REST APIs:
    #
    # 1) POST [.../igi/v2/agc/users/{user_id}/accounts/.search] :
    #	 - If this parameter is set to true an end user can find only information about owned accounts.
    #	 - If this parameter is set to false an end user can find information about all the accounts of the system.
    # 2) GET [.../igi/v2/arm/requests/{request_id}] :
    #	 - If this parameter is set to true an end user can find detail only for the requests of which is applicant.
    #	 - If this parameter is set to false an end user can find detail about all the requests of the system.
    # 3) POST [.../igi/v2/agc/users/accounts/{account_id}/password] :
    #	 - If this parameter is set to true an end user can change password only for owned accounts.
    #	 Further, to avoid password enumeration the account is blocked based on password management
    #	 "Maximum number of password retries" field.
    #	 - If this parameter is set to false an end user can change password for any accounts, there is not control if the caller is the owner of the account.
    # 4) GET [.../igi/v2/agc/accountcfg/password/policy] :
    #	 - If this parameter is set to true an end user can find information only for the password policies related to account configuration of owned accounts.
    #	 - If this parameter is set to false an end user can find information about all the password policies of the system.
    #
    rest.api.visibility=true

    If you upgraded the product, none of these lines are shown, but the product behaves as if rest.api.visibility=true were defined.

  6. To change the visibility value to False:
    • If the parameter is listed, change the value from True to False.
    • If the parameter is not listed, type rest.api.visibility=false in the last line of config.properties.
  7. After you are done editing config.properties, select Upload in the Custom File Management right pane to upload it to the virtual appliance.
  8. After the file is uploaded, restart the IBM® Security Verify Governance server in the virtual appliance dashboard to apply your change.
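
The following audit script is an added example, not part of the product or of the original page. It reads a downloaded config.properties and reports the effective setting under the rules stated above (missing, empty, or unrecognised values mean True). The function names and the sample inputs are constructed, and the case-insensitive comparison is an assumption.

```python
import re

PARAM = "rest.api.visibility"
# The four endpoints the page lists as governed by the parameter.
ENDPOINTS = [
    "POST /igi/v2/agc/users/{user_id}/accounts/.search",
    "GET /igi/v2/arm/requests/{request_id}",
    "POST /igi/v2/agc/users/accounts/{account_id}/password",
    "GET /igi/v2/agc/accountcfg/password/policy",
]

def read_param(text, key=PARAM):
    """Return the raw value of key from Java-style properties text, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            # Last assignment wins, as with java.util.Properties.
            # Trailing whitespace is stripped, which errs toward flagging.
            value = m.group(2).strip()
    return value

def audit(text):
    """Only an explicit 'false' lifts the ownership restriction; a missing,
    empty or unrecognised value is treated as True, as the page documents."""
    raw = read_param(text)
    # Assumption: comparison is case-insensitive (the page writes False and false).
    restricted = not (raw is not None and raw.lower() == "false")
    return {"raw": raw, "restricted": restricted,
            "exposed": [] if restricted else list(ENDPOINTS)}

# Constructed sample inputs, one per situation described on the page.
FRESH = "# REST APIs visibilities configuration\nrest.api.visibility=true\n"
UPGRADED = "some.other.key=1\n"                 # parameter not listed
LEGACY = "rest.api.visibility=true\nrest.api.visibility = False\n"
TYPO = "rest.api.visibility=flase\n"            # unrecognised value

if __name__ == "__main__":
    samples = [("fresh", FRESH), ("upgraded", UPGRADED),
               ("legacy", LEGACY), ("typo", TYPO)]
    for name, sample in samples:
        result = audit(sample)
        state = "owner-only" if result["restricted"] else "ALL USERS' OBJECTS"
        print(f"{name}: raw={result['raw']!r} -> {state}")
        for endpoint in result["exposed"]:
            print(f"    not restricted to owner: {endpoint}")
```

To check a real file, pass its contents to audit(), for example audit(open("config.properties").read()).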