Relation between AMS authorization and API authorization
In LN, incoming API requests are handled by so-called worker bshells. These worker bshells always use the LN user svc_ln. This is regardless of the specified LNIdentity and associated LN user.
Therefore, all REST-based API requests sent to LN are handled by LN user svc_ln.
Example 1
Multiple warehousing employees use handheld scanning devices. Each device contains the IFS credentials of its owner.
In the 3GL logging and LN apps history, all requests sent to LN through a handheld device are logged as sent by the LN user account of the device's owner. Consequently, requests can be traced back to, and the responsibility assigned to, the individual devices and their owners.
However, the worker bshells that process the requests are executed by LN user svc_ln. Therefore:
- The bshell logging generated by the API requests only shows information for user svc_ln, not for the IFS user.
- When executing the requests, the AMS authorizations of LN user svc_ln apply. The AMS authorizations of the IFS user are ignored.
Example 2
Your organization uses 20 machines that send requests to LN.
Each machine contains the credentials of the svc_ln service account. The X-Infor-LnIdentity headers of all requests sent by a particular machine contain the unique LN identity of that machine.
In the 3GL logging and LN apps history, all requests sent by a particular machine are logged as being sent by the corresponding LN user of that machine. Consequently, requests can be traced back to, and the responsibility assigned to, the individual machines.
However, the worker bshells that process the requests are executed by LN user svc_ln. Therefore:
- The bshell logging generated via the API requests only shows information for user svc_ln, not for the LN users of the machines.
- When executing the requests, the AMS authorizations of LN user svc_ln apply. The AMS authorizations of the LN users of the machines are ignored.
Important recommendations
- Do not define an AMS role for svc_ln
  All API requests sent to LN are processed by LN user svc_ln. Therefore, we strongly advise against assigning any AMS roles to user svc_ln, because doing so could unintentionally restrict access to libraries or enforce data authorization.
  If you define an AMS role for svc_ln, any library or data restrictions defined in that AMS role apply to all API requests sent by all invokers, regardless of the provided LnIdentity and associated LN user.
- Use the API authorization mechanism
  To use data authorization for REST API requests, you must use the LN REST API Authorization mechanism. This means that you must perform these tasks:
  - Define API identities for the different invokers.
  - Create multiple API roles. In an API role, you can define route authorizations and data authorizations.
  - Assign the relevant API roles to the relevant API identities.
  For details, see API authorizations.
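The following Python model is an added illustration, not Infor LN code, of the two-layer evaluation described on this page: AMS authorization is checked for the LN user that actually runs the worker bshell (svc_ln), while API authorization is checked for the identity taken from the X-Infor-LnIdentity header. It also records which user each log would show, as in Examples 1 and 2. The identities, API role contents, routes, company numbers and library name "whinv" are constructed sample data, and representing an AMS role as a set of blocked libraries is a simplification assumed for the model; the real AMS and API role definitions live inside LN.

```python
"""Toy model of LN REST request authorization (added example, not Infor LN code).

Layer 1: AMS authorization, evaluated for the executing LN user, always svc_ln.
Layer 2: API authorization, evaluated for the LN identity from X-Infor-LnIdentity.
"""
from dataclasses import dataclass, field

WORKER_USER = "svc_ln"  # every worker bshell runs as this LN user, whatever the header says


@dataclass
class ApiRole:
    """API role: route authorizations plus data authorizations (companies here)."""
    routes: frozenset
    companies: frozenset


@dataclass
class AuthConfig:
    # AMS layer (simplified model): LN user -> libraries that user's AMS role forbids
    ams_blocked_libraries: dict = field(default_factory=dict)
    # API layer: API role name -> ApiRole, and LN identity -> API role name
    api_roles: dict = field(default_factory=dict)
    identity_to_role: dict = field(default_factory=dict)


@dataclass
class Request:
    ln_identity: str  # value of the X-Infor-LnIdentity header
    route: str        # REST route being called
    library: str      # LN library executed by the worker bshell for this route
    company: str      # company the request touches


def evaluate(cfg: AuthConfig, req: Request) -> dict:
    """Run one request through both layers and report which user each log shows."""
    result = {
        "history_user": req.ln_identity,  # LN apps history / 3GL logging: the caller's identity
        "bshell_user": WORKER_USER,       # bshell logging: always the worker's own user
    }
    # Layer 1: AMS is checked for svc_ln, so any restriction on it hits every invoker.
    if req.library in cfg.ams_blocked_libraries.get(WORKER_USER, set()):
        result.update(decision="deny", reason=f"AMS role of {WORKER_USER} blocks library {req.library}")
        return result
    # Layer 2: API authorization is checked per identity, which is what gives per-invoker control.
    role_name = cfg.identity_to_role.get(req.ln_identity)
    role = cfg.api_roles.get(role_name)
    if role is None:
        result.update(decision="deny", reason=f"no API role for identity {req.ln_identity}")
        return result
    if req.route not in role.routes:
        result.update(decision="deny", reason=f"route {req.route} not in API role {role_name}")
        return result
    if req.company not in role.companies:
        result.update(decision="deny", reason=f"company {req.company} not in API role {role_name}")
        return result
    result.update(decision="allow", reason=f"API role {role_name}")
    return result


# Constructed sample identities, roles, routes, companies and library name.
API_ROLES = {
    "scanner": ApiRole(routes=frozenset({"/warehouse/inventory"}), companies=frozenset({"100"})),
    "planner": ApiRole(routes=frozenset({"/planning/orders"}), companies=frozenset({"100", "200"})),
}
IDENTITIES = {"scanner_01": "scanner", "planner_01": "planner"}
INVENTORY_REQ = Request("scanner_01", "/warehouse/inventory", "whinv", "100")


def misconfigured() -> AuthConfig:
    """AMS role assigned to svc_ln: its library restriction applies to all invokers."""
    return AuthConfig(
        ams_blocked_libraries={WORKER_USER: {"whinv"}},
        api_roles=API_ROLES,
        identity_to_role=IDENTITIES,
    )


def recommended() -> AuthConfig:
    """No AMS role on svc_ln: restrictions live only in the per-identity API roles."""
    return AuthConfig(api_roles=API_ROLES, identity_to_role=IDENTITIES)


if __name__ == "__main__":
    for label, cfg in (("AMS role on svc_ln", misconfigured()), ("API roles only", recommended())):
        print(label, "->", evaluate(cfg, INVENTORY_REQ))
```

Running the module shows the same scanner request denied under the first configuration, with the AMS reason, and allowed under the second, while in both cases the history log shows scanner_01 and the bshell log shows svc_ln.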