We connect to Visma through the API using a Native app with PKCE, after giving users the API User role.
Users seem to have full rights then. However, when a test account has limited rights, it is able to make any call without any security applied.
Is it possible to enforce the security for API calls, so users are only allowed to see and change things through the API that they also have access to through the web app?
Hello, regardless of the application type, there are scopes applied per company/application that the user can select while adding the integration via the AppStore.
e.g.
These allowed scopes can be used while generating the token, so that the application's transactions will be limited on that company accordingly.
Is this what you've been looking for? Otherwise, please elaborate.
Thanks.
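What the reply above describes, as an added example that is not part of the original thread and not Visma's own code: a native app doing the PKCE flow, requesting only the scopes it needs, reading back the scopes the server actually granted, and refusing to issue a request whose scope was not granted. The authorization URL, client id, redirect URI, scope names and the token response are placeholders I assumed for illustration; the real values come from the AppStore integration and the API documentation.

```python
"""Least-privilege PKCE token request for a native app (added example).

All endpoint, client and scope names are assumed placeholders, not Visma's.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders (assumed): replace with the values from your own integration.
AUTHORIZE_URL = "https://auth.example.invalid/connect/authorize"
CLIENT_ID = "my-native-app"
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved characters.

    32 random bytes base64url-encoded without padding gives 43 characters.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) per RFC 7636."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(requested_scopes, verifier: str, state: str) -> str:
    """Authorization request asking only for the scopes this app really needs."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(set(requested_scopes))),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def granted_scopes(token_response: dict) -> set:
    """Scopes the server actually granted; may be narrower than what was requested."""
    return set(token_response.get("scope", "").split())


class ScopedClient:
    """Wraps API calls and refuses any call whose scope was not granted.

    This is a client-side guard against accidental over-reach only; the server
    still has to enforce the scope (and the user's role) on every request.
    """

    def __init__(self, granted):
        self.granted = set(granted)

    def call(self, required_scope: str, request_fn):
        if required_scope not in self.granted:
            raise PermissionError(f"scope {required_scope!r} was not granted; have {sorted(self.granted)}")
        return request_fn()


# Constructed token response (assumed shape, not a real Visma reply).
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "eyJ...constructed...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "sales:read",  # narrower than a request for sales:read + sales:write
}


def demo():
    verifier = make_code_verifier()
    url = build_authorize_url(["sales:read", "sales:write"], verifier, secrets.token_urlsafe(16))
    client = ScopedClient(granted_scopes(SAMPLE_TOKEN_RESPONSE))
    allowed = client.call("sales:read", lambda: "GET /sales ok")
    try:
        client.call("sales:write", lambda: "POST /sales")
        denied = False
    except PermissionError:
        denied = True
    return url, allowed, denied


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner will want: the verifier must stay on the device and be sent only in the token exchange (never in the authorization URL), and the scope mechanism limits what the application may do for the company it was added to, which is a different question from restricting each user to their own roles, the point the original poster raises below.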
Hi Yildirim,
What I'm looking for is that when users log in with a Native app, they're only allowed to perform actions they have the roles for in Admin. The API User role seems to sidestep the security layer completely, allowing a user to perform any action.
GJ
Hi Gert,
In my test, just having an API User role didn't allow that user to have full access to the Financials UI; however, adding the Financials Administrator & Financials User roles allowed the user to do additional processes.
Hi Yildirim,
What I mean is that a user with some simple role plus API User is able to call any API. So granting API User allows a user to see everything in the system. Ideally we'd allow users to only perform actions within their roles (but then through the API).
GJ
Copyright © 2022 Visma.com. All rights reserved.