API identities
The API roles are linked to API identities. An API identity represents the invoker, which is the consumer of the API. An API identity must be linked to a single LN user. This LN user can be an IFS or a non-IFS user.
Example
Your organization uses 20 machines that send requests to LN.
You use an authorized app and you have downloaded the credentials for one service account user. In the Download Credentials dialog box, you have left the Full name field blank. Therefore, the service account user is svc_ln. This is a standard service account user that is delivered with LN. The 20 machines are programmed to use the credentials of this user.
In LN, you have created:
- An API identity, api_ln_svc_ln, that is linked to the LN user of the service account (svc_ln).
- An API role, API_SVC_ROLE, that is linked to the API identity of the service account user. In this API role, you have specified the authorizations for the lnapi resources.
When the machines send their requests to LN, the credentials of the service account user are used. The authorizations of the API role that is linked to the API identity of the service account user are applied:
- If a request invokes a method that is granted in the API role, the request is processed.
- If a request invokes a method that is not granted in the API role, the request is rejected. A “403” error is returned.
All requests sent by the machines are logged as being sent by the LN user of the service account user (svc_ln).
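The authorization chain in this example, as a small Python model added here for illustration (it is not Infor's code or LN's data model). The resource name lnapi/example-resource, the GET and DELETE method names, and the machine names are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class ApiRole:
    name: str
    identities: set = field(default_factory=set)  # API identities linked to this role
    grants: set = field(default_factory=set)      # granted (resource, method) pairs

class LnAuthModel:
    """Toy model of LN user -> API identity -> API role; not LN's real schema."""
    def __init__(self):
        self.identity_user = {}  # API identity -> its single LN user
        self.roles = []
        self.audit = []          # (ln_user, resource, method, status)

    def link_identity(self, identity, ln_user):
        # An API identity must be linked to a single LN user.
        if self.identity_user.get(identity, ln_user) != ln_user:
            raise ValueError(f"{identity} is already linked to another LN user")
        self.identity_user[identity] = ln_user

    def handle(self, ln_user, resource, method):
        """Return 200 if a role linked to the caller's identity grants the
        method, otherwise 403. Anything not granted is rejected."""
        ids = {i for i, u in self.identity_user.items() if u == ln_user}
        granted = any(r.identities & ids and (resource, method) in r.grants
                      for r in self.roles)
        status = 200 if granted else 403
        # The log entry names the LN user, not the machine that sent the request.
        self.audit.append((ln_user, resource, method, status))
        return status

def run_example():
    model = LnAuthModel()
    model.link_identity("api_ln_svc_ln", "svc_ln")
    model.roles.append(ApiRole("API_SVC_ROLE", {"api_ln_svc_ln"},
                               {("lnapi/example-resource", "GET")}))  # constructed grant
    results = {}
    # 20 machines (constructed names), all using the svc_ln credentials.
    for n in range(1, 21):
        method = "GET" if n % 2 else "DELETE"  # DELETE is not granted in the role
        results[f"machine-{n:02d}"] = model.handle(
            "svc_ln", "lnapi/example-resource", method)
    return model, results
```

Every audit record in the model carries svc_ln, so that log alone does not tell the 20 machines apart.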