Introduction to WSO2 API Manager
APIs are a central part of any digital transformation effort, so being able to manage them efficiently is key to a sound API management strategy.
WSO2 API Manager is an all-in-one API management platform that manages the full API lifecycle and provides the features needed for API governance. API developers, API managers/publishers and API consumers therefore interact with it regularly to perform their day-to-day tasks.
To make these tasks convenient, WSO2 API Manager provides a set of portals. Of the available portals, this blog post covers the two that matter for API visibility: the publisher portal and the developer portal.
The publisher portal is where API developers, publishers and managers work. It is used to design and develop APIs: API developers define the API resources, payloads, response codes and so on, while API administrators/publishers enforce the API management policies (security, properties, throttling policies, mediation policies, lifecycle management, etc.). The API publisher then publishes the API to the intended environments (gateways and developer portals).
The developer portal is where published APIs are made available to consumers. API consumers explore the APIs there to get an overview of how each API works, together with its documentation, security information, token management and policy information.
Understanding API Visibility
By default, anyone who has access to these portals can view every API in them. This is a problem when the portals are shared by different teams and everyone has access to all of the APIs.
In the publisher portal, any developer or manager can view and modify any API. One team could accidentally alter another team's API, and the same unrestricted access is a security issue in its own right.
Similarly, in the developer portal, APIs can be viewed by unauthorized consumers. By default, APIs are public: they can be viewed without even logging in to the portal. That is rarely acceptable for confidential APIs, so it is crucial to restrict API visibility so that only the intended consumers can see and access them.
Publisher Portal Access/Visibility Control
Publisher portal visibility restricts which user groups can reach an API, so that it is viewed, modified and managed only by the intended users. The publisher portal provides two visibility options.
- All
  o This is the default option. With this option, anyone who has access to the publisher portal has control over the API(s).
- Restricted by role(s)
  o If you select this option, you are asked to specify the valid roles. The API can then only be viewed, modified and managed by users who hold one of the specified roles.
  o At least one of the roles you enter must belong to the API creator, so that the creator keeps access to the API.
  o Users with admin permissions or the admin role can still view and access the API irrespective of this access and visibility control.
Developer Portal API Visibility
Developer portal API visibility restricts which users can view and consume an API. With these options, API information is not exposed to unintended consumers; only the allowed users can see the API. The developer portal visibility configuration provides the following options.
- Public
  o This is the default option. With the visibility set to "Public", the API is available to anyone who accesses the developer portal, and can be viewed without logging in.
- Restricted by role(s)
  o If you select this option, you are asked to specify the valid roles. The API can then only be viewed and consumed by users who hold one of the specified roles.
  o API creators and publishers can still see the APIs in their tenant irrespective of this visibility control in the developer portal.
- Visible to my domain
  o This option is only available in a multi-tenant deployment. The API is visible only to users registered in the API's tenant.
Example
The following screenshot shows an example API visibility setting for the "ClientInfoAPI".
In this configuration, the publisher portal access control is set to "Restricted by role(s)" with the roles "sales-team" and "developer". Users with the "sales-team" or "developer" role can access the API in the publisher portal. Note that these users still need the necessary permissions to perform publisher portal tasks (such as API create/publish).
Even though the API is restricted by roles, it remains visible to users with admin permissions or the admin role in the publisher portal.
The developer portal API visibility is set to "Restricted by role(s)" with the role "sales-team". Therefore, only users with the "sales-team" role can access the API in the developer portal. The API creator can access the API in the developer portal regardless of the "Restricted by role(s)" configuration.
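The rules above are easy to get wrong in a large catalogue: a role name with a typo, a creator who is not in the publisher roles, or an API left on the defaults. The script below is an added example (not code from the original post or from WSO2) that encodes both portals' visibility rules and audits a set of API definitions offline. It assumes the API records use the field names of the Publisher REST API's API resource (accessControl, accessControlRoles, visibility, visibleRoles, with PRIVATE standing for "Visible to my domain"), that the bypassing role is named "admin", and a single-tenant deployment; the API records and user directory are constructed sample data, so check the field names against what your own instance returns before using it.

```python
"""Offline audit of WSO2 API Manager API visibility settings (added example).

Assumptions (verify against your deployment): API records use the Publisher
REST API field names accessControl/accessControlRoles/visibility/visibleRoles,
'PRIVATE' means "Visible to my domain", and the admin role is named "admin".
"""
from typing import Dict, List, Optional, Tuple

ADMIN_ROLE = "admin"  # assumption: role that bypasses publisher access control

# Constructed sample API records in the shape of the Publisher REST API output.
SAMPLE_APIS = [
    {"name": "ClientInfoAPI", "provider": "alice",
     "accessControl": "RESTRICTED", "accessControlRoles": ["sales-team", "developer"],
     "visibility": "RESTRICTED", "visibleRoles": ["sales-team"]},
    {"name": "PublicWeatherAPI", "provider": "bob",
     "accessControl": "NONE", "accessControlRoles": [],
     "visibility": "PUBLIC", "visibleRoles": []},
    {"name": "PayrollAPI", "provider": "carol",
     "accessControl": "RESTRICTED", "accessControlRoles": ["hr-team"],  # "hr-team" exists nowhere
     "visibility": "PUBLIC", "visibleRoles": []},
]

# Constructed user directory: username -> roles held.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["developer", "Internal/creator", "Internal/publisher"],
    "bob": ["developer", "Internal/creator", "Internal/publisher"],
    "carol": ["finance", "Internal/creator", "Internal/publisher"],
    "dave": ["sales-team", "Internal/subscriber"],
    "eve": ["Internal/subscriber"],
    "admin": [ADMIN_ROLE],
}


def _roles(user: Optional[str], user_roles: Dict[str, List[str]]) -> set:
    return set(user_roles.get(user, [])) if user else set()


def can_manage_in_publisher(api: dict, user: Optional[str],
                            user_roles: Dict[str, List[str]] = USER_ROLES) -> bool:
    """Publisher portal rule: 'All' (accessControl NONE) opens the API to
    everyone with portal access; 'Restricted by role(s)' needs one of the
    accessControlRoles; the admin role bypasses the restriction."""
    roles = _roles(user, user_roles)
    if ADMIN_ROLE in roles:
        return True
    if api.get("accessControl", "NONE") == "NONE":
        return True
    return bool(roles & set(api.get("accessControlRoles", [])))


def can_view_in_devportal(api: dict, user: Optional[str],
                          user_roles: Dict[str, List[str]] = USER_ROLES) -> bool:
    """Developer portal rule: PUBLIC is visible even anonymously (user=None),
    RESTRICTED needs one of visibleRoles, PRIVATE ('Visible to my domain')
    needs a login in the API's tenant; the creator always sees their own API."""
    visibility = api.get("visibility", "PUBLIC")
    if visibility == "PUBLIC":
        return True
    if user is None:
        return False  # anonymous users only ever see PUBLIC APIs
    if user == api.get("provider"):
        return True  # creator sees the API regardless of visibility
    if visibility == "RESTRICTED":
        return bool(_roles(user, user_roles) & set(api.get("visibleRoles", [])))
    if visibility == "PRIVATE":
        return True  # single-tenant assumption: any logged-in user is in the tenant
    return False


def audit(apis: List[dict],
          user_roles: Dict[str, List[str]] = USER_ROLES) -> List[Tuple[str, str]]:
    """Flag the settings a reviewer would question before an API is published."""
    known_roles = {r for rs in user_roles.values() for r in rs}
    findings: List[Tuple[str, str]] = []
    for api in apis:
        name = api["name"]
        creator_roles = set(user_roles.get(api.get("provider", ""), []))
        if api.get("accessControl", "NONE") == "NONE":
            findings.append((name, "publisher access is 'All': anyone with portal access can edit it"))
        else:
            acl = set(api.get("accessControlRoles", []))
            if not acl:
                findings.append((name, "restricted in publisher portal but no roles listed"))
            elif not (acl & creator_roles):
                findings.append((name, "none of the publisher roles belongs to the API creator"))
        if api.get("visibility", "PUBLIC") == "PUBLIC":
            findings.append((name, "developer portal visibility is PUBLIC (visible without login)"))
        elif api.get("visibility") == "RESTRICTED" and not api.get("visibleRoles"):
            findings.append((name, "restricted in developer portal but no roles listed"))
        # A role nobody holds usually means a typo in the portal (e.g. sale-team vs sales-team).
        for role in set(api.get("accessControlRoles", [])) | set(api.get("visibleRoles", [])):
            if role not in known_roles:
                findings.append((name, f"role '{role}' is held by no user"))
    return findings


if __name__ == "__main__":
    for api_name, finding in audit(SAMPLE_APIS):
        print(f"{api_name}: {finding}")
```

Run as-is it reports nothing for ClientInfoAPI, two findings for the all-default PublicWeatherAPI, and three for PayrollAPI (creator not in the publisher roles, public in the developer portal, and a role nobody holds). To audit a real catalogue, replace SAMPLE_APIS with the list returned by your publisher's API listing and USER_ROLES with an export from your user store.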
Conclusion
Security and governance are important aspects of API management, and API visibility in WSO2 API Manager helps achieve both with little effort. It provides access/visibility control in the publisher portal and the developer portal through the options described above. Because the defaults ("All" in the publisher portal and "Public" in the developer portal) expose every API to everyone with portal access, it is important to use this feature to manage confidential APIs securely.
If you would like to know more about API management strategies and how it can benefit your organization, please get in touch with our experts at Yenlo.