Advanced features

Optionally, you can enable API Authorization for the REST API. This is done through an AMS parameter and requires the definition of a so-called LN API Identity. Each LN identity uniquely identifies a consumer (invoker) of the API, rather than the authenticated user (such as the service account that is shared among different invokers). Each LN identity (API identity) is linked to a single LN user.

Example

If multiple machines send requests through the same service account, it can be useful to define a different LN identity for each machine. Each machine can then add its own LN identity to the requests it sends through the service account. This provides traceability and accountability for the individual machines. To support this scenario, the service account must be authorized to switch its identity to the identities of the different machines.

REST API authorizations for the API resources and the corresponding methods can be defined in API Roles. The authorizations can be configured for each path segment of the service path (URL) of a resource, and can be specified per company or for all companies.

The API roles are linked to API identities.
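The following sketch is an added example, not Infor LN code or its data model. It models the decision described above: the service account must be allowed to switch to the requested identity, and one of that identity's API roles must grant the method on a path-segment prefix for the company. All names, paths, the whole-segment prefix matching rule and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ALL_COMPANIES = None  # assumption: marker for a grant valid in every company

@dataclass(frozen=True)
class Grant:
    prefix: tuple                    # leading segments of the service path
    methods: frozenset               # HTTP methods allowed under that prefix
    company: object = ALL_COMPANIES  # one company number, or all companies

# Constructed sample configuration (all names and paths are hypothetical).
API_ROLES = {
    "orders-read": [Grant(("orders",), frozenset({"GET"}))],
    "lines-write-100": [Grant(("orders", "lines"), frozenset({"POST", "PUT"}), 100)],
}
IDENTITY_ROLES = {"machine-a": ["orders-read"],
                  "machine-b": ["orders-read", "lines-write-100"]}
IDENTITY_USER = {"machine-a": "lnuser1", "machine-b": "lnuser2"}  # one LN user each
MAY_SWITCH_TO = {"svc-integration": {"machine-a", "machine-b"}}

def authorize(service_account, identity, method, path, company):
    """Default-deny decision that also records who the invoker was."""
    decision = {"allowed": False, "service_account": service_account,
                "identity": identity, "ln_user": IDENTITY_USER.get(identity)}
    # 1. The service account must be authorized to switch to this identity.
    if identity not in MAY_SWITCH_TO.get(service_account, set()):
        return {**decision, "reason": "identity switch not authorized"}
    # 2. Compare whole path segments, so "/ordersx" never matches "orders".
    segs = tuple(s for s in path.split("/") if s)
    for role in IDENTITY_ROLES.get(identity, []):
        for g in API_ROLES.get(role, []):
            if (segs[:len(g.prefix)] == g.prefix
                    and method.upper() in g.methods
                    and g.company in (ALL_COMPANIES, company)):
                return {**decision, "allowed": True, "reason": f"role {role}"}
    return {**decision, "reason": "no API role grants this request"}
```

Because every decision carries both the service account and the LN identity, a log of these records attributes each request to a machine even though all machines authenticate with the same account.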

This REST API authorization model is completely isolated from the (human user-oriented) Authorization Management System (AMS).

For details, see these chapters: