How are permissions determined for the API calls
OVERVIEW
The permissions are associated with the user who generated the OAuth token. This happens in the second step of the OAuth token generation process, when the user generates a code. The user is required to log in to Collaborate in order to generate the OAuth code, which associates that code with the user. Each API call using the OAuth token generated by the user automatically responds based on the user's permissions in Collaborate.
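As an added illustration (not HighQ code, and it makes no calls to the Collaborate API), the following hypothetical model shows the behaviour the overview and the thread below describe: the token is bound to a user, authorization is evaluated against that user's current rights on every request, so no new token is needed when the user is added to another site, and a non-admin calling a system-wide endpoint is refused. All users, sites and token values are constructed sample data.

```python
"""Model of per-request permission checks for a user-bound OAuth token.

Hypothetical simulation written for this page, not HighQ code. Authorization
is looked up on each call rather than frozen into the token at issuance.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    # constructed sample data: system admins, site memberships, issued tokens
    admins: set = field(default_factory=set)
    site_members: dict = field(default_factory=dict)  # site_id -> set of users
    tokens: dict = field(default_factory=dict)        # bearer token -> user

    def issue_token(self, user: str, token: str) -> None:
        # Step 2 of the OAuth flow: the code/token is bound to the logged-in user.
        self.tokens[token] = user

    def _user_for(self, bearer: str) -> str:
        if bearer not in self.tokens:
            raise PermissionError(401)
        return self.tokens[bearer]

    def get_all_sites(self, bearer: str) -> list:
        """GET All Sites: only the sites the token's user can see in the UI."""
        user = self._user_for(bearer)
        return sorted(s for s, members in self.site_members.items() if user in members)

    def get_all_users(self, bearer: str) -> list:
        """GET All Users: system admins only; anyone else is refused with 401."""
        user = self._user_for(bearer)
        if user not in self.admins:
            raise PermissionError(401)
        return sorted({u for m in self.site_members.values() for u in m} | self.admins)


def demo() -> tuple:
    d = Directory(admins={"admin"}, site_members={"site-A": {"alice"}, "site-B": {"bob"}})
    d.issue_token("alice", "tok-alice")
    before = d.get_all_sites("tok-alice")    # alice sees one site
    d.site_members["site-B"].add("alice")    # access granted after the token was issued
    after = d.get_all_sites("tok-alice")     # same bearer token, now two sites
    try:
        d.get_all_users("tok-alice")
        status = 200
    except PermissionError as e:
        status = e.args[0]                   # non-admin: 401
    return before, after, status
```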
Following up on the comment above (from a few years ago), has HighQ considered adding scopes when setting up an API application?
Currently, when a token is generated and made available to another application it gives that application full access to the user's HighQ account. But that is rarely what is needed. Often, an application only needs limited access to a user's account. For example, that access might be limited to a specific site or list of sites (for ex, imagine that an API application is created for a Neota Logic app that will be embedded into a single site, so Neota only should have the ability to update that one site), the application only needs read access, or the application should not be given system admin rights if the user for whom the token is created is a system administrator.
In addition, in this type of situation -- https://knowledge.highq.com/help/best-practices-and-more/automatically-login-to-another-application -- the API application may NOT be used to give the third-party application access to the user's HighQ account but is used simply to verify the user's identity, which the third-party application will use to log the user in. For example, if we want to use HighQ as a hub for logging in users to other applications. In that case no access token should be generated for the third-party application, or the token should have a lifetime of 0 seconds.
I'd expect a 401 response.
Peter Simpson Thank you for confirming the site list. What would they get if they called GET All Users?
Shawn Rupert That's spot on... you can only 'see' the information via the API that your user account can in the UI (for want of a better phrase). So if you had a user who had access to 4 sites, their 'GET All Sites' call would return an array of 4 site objects.
If a user is not a system admin and has rights to a specific site in Collaborate then they can only use the API calls to that site including all privileges for that site that they have been given. Is this correct? Would they be able to request a full site list or full user list for example?
Peter Simpson Thank you very much
Alexandru Simandi No, you do not; the permission is checked dynamically upon each request. If you add that user into extra sites, you can call with the same token and the access will be there!
In between these 2 calls, I added the user into the site (they both use the same Bearer Token)
Do I need to update the token if the associated user is granted access to another extra site?
Imran Aziz, thanks for the quick reply!
Leo Furze-Waddock HighQ API does not support API scopes at the moment, the access notification dialogue is used to indicate to the user that the client will have access to all the resources they can access via the UI. The elements listed in the Access dialogue are not up to date and we will update them soon.
Does the HighQ API define/support OAuth 2.0 scopes?
Without specifying scopes in the token request the user is asked to authorise the following:
- Access and post activity
- View and upload files
- View and edit your profile