My Products
Help

API User Role Security

by Gert-Jan van der Kamp (Updated ‎14-04-2023 19:51 by Gert-Jan van der Kamp )

We connect to Visma through the API using a Native app with PKCE, after giving users the API User role. 

 

Users seem to have full rights then however, when a test account has limited rights, it is able to make any call without any security applied..

 

Is it possible to enforce the security for api calls, so users are only allowed to see and change things through the API they have access to through the web app too? 

 

 

5 REPLIES 5
Yıldırım
VISMA

by Yıldırım (Updated ‎17-04-2023 11:09 by Yıldırım VISMA )

Hello, regardless of the application type there are scopes applied per company/application that user can select while adding the integration via AppStore. 

e.g.

_48_25-Visma App Store.jpg

 

These allowed scopes can be used while generating the token so that Application / transactions will be limited on that company accordingly. 

 

Is this what you've been looking for ? Otherwise, please elaborate. 

Thanks. 

by Gert-Jan van der Kamp (Updated ‎19-04-2023 06:58 by Gert-Jan van der Kamp )

Hi Yildirim, 

 

What I'm looking for is that when users login with a Native app, they're only allowed to perform action they have the roles for in Admin. The API User role seems to side-step the security layer completely, allowing a user to perform any action. 

 

GJ

Yıldırım
VISMA

Hi Gert, 

 

In my test, Just having an API User Role didn't allow that user to have full access to the Financials UI, however adding financials administrator & financials user roles allow the user to do additional processes. 

 

Hi Yildirim, 

 

What I mean is that a user with some simple role plus API User is able to call any API. So granting API User allows a user to see everything in the system. Ideally we'd allow users to only perform actions within their roles (but then through the API).

 

GJ

Yıldırım
VISMA

Hi Gert, I'll investigate this in detail and get back to you.