Enable Publisher Access Control
By default, the APIs created in the API Publisher are visible to any user who signs in to the API Publisher. However, WSO2 API Manager allows API creators to restrict the visibility of their APIs within the API Publisher if required. API creators can set the Publisher Access Control option to restrict the view and modify actions on an API to a set of users, based on their roles. You can enable Publisher Access Control using one of the following methods:
Using the API Publisher
- Sign in to API Publisher as an API Creator.
  For more information on User Roles, see Managing Users and Roles.
- Go to Portal Configurations from the left menu and click Basic Info.
- Select Restricted by roles as the value for Publisher Access Control.
- Add the roles that have permission to view or modify this API.
  Note
  Please note that the roles that are added under 'Publisher Access Control' will be case-insensitive. Hence the roles you add here will be saved in lower-case by default. To add the case-insensitive role validation for publisher access control, add the following system property in the <APIM_HOME>/bin/api-manager.sh file:
  -DcaseSensitiveRoleValidation=true \
- Save the API.
Info
Ensure that the roles you add are valid. If the current creator is not an APIM admin, the list should include at least one role of the current creator.
Note
Users with API-M Admin permission or admin role are treated differently. Even if an API is restricted to a certain set of publishers, it will be visible to all the API creators and publishers with API-M Admin permission or admin role.
Using the REST API
Use the existing REST API to add an API. Make sure to add the following two elements in your request body to create an API with publisher access control restriction.
Note that the roles must be valid. If the API creator is not an API-M admin, they should have at least one of their roles in the accessControlRoles field.
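A pre-flight check for the request body described above, as an added example that is not part of the WSO2 documentation: it applies this page's rules (roles saved in lower case, valid roles only, a non-admin creator must hold at least one listed role) before the body is sent. The `accessControl` field and its `RESTRICTED` value are taken from the Publisher REST API's API object; the function name, the `known_roles` parameter and the sample API are assumptions constructed here.

```python
import json


def build_restricted_api_payload(api, roles, creator_roles,
                                 creator_is_admin=False, known_roles=None):
    """Return a copy of `api` restricted to `roles` in the API Publisher.

    Raises ValueError when one of the rules stated on this page is violated.
    """
    # Roles are saved in lower case by default, so normalise and de-duplicate.
    wanted = []
    for role in roles:
        norm = role.strip().lower()
        if norm and norm not in wanted:
            wanted.append(norm)
    if not wanted:
        raise ValueError("restricted access control needs at least one role")

    # "The roles must be valid": known_roles is a hypothetical list of the
    # roles that exist in the user store, supplied by the caller.
    if known_roles is not None:
        valid = {r.strip().lower() for r in known_roles}
        unknown = [r for r in wanted if r not in valid]
        if unknown:
            raise ValueError("unknown roles: " + ", ".join(unknown))

    # A non-admin creator must hold at least one of the listed roles.
    held = {r.strip().lower() for r in creator_roles}
    if not creator_is_admin and held.isdisjoint(wanted):
        raise ValueError("creator holds none of the accessControlRoles")

    payload = dict(api)  # leave the caller's dictionary untouched
    payload["accessControl"] = "RESTRICTED"
    payload["accessControlRoles"] = wanted
    return payload


# Constructed sample API definition and role names, for illustration only.
SAMPLE_API = {"name": "PizzaShackAPI", "context": "/pizzashack", "version": "1.0.0"}

if __name__ == "__main__":
    body = build_restricted_api_payload(
        SAMPLE_API,
        roles=["Internal/Creator", "Finance_Publisher"],
        creator_roles=["Internal/creator", "Internal/everyone"],
    )
    print(json.dumps(body, indent=2))
```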
Tip
The publisher role cache is enabled by default in API Manager. This is to avoid sending repeated requests to the Key Manager node in a distributed deployment, to authenticate user roles.
To disable this cache, add the following to the <API-M_HOME>/repository/conf/deployment.toml file.
Note that disabling the cache lowers performance, because the Key Manager is then accessed repeatedly. Therefore, WSO2 recommends that you keep it enabled.