API identities using multiple API roles
You can link multiple API roles to an API identity. If these roles contain route authorizations that contradict each other, the LEAST restrictive route authorization applies. If these roles contain data authorizations that contradict each other, the MOST restrictive data authorization applies.
Example
An API identity is linked to two API roles:
- API role ONE:
  - This role grants access to all methods of the /lnapi/odata/tdapi.purPurchaseOrder/Orders route.
  - This role contains no data authorization. Therefore, the role allows retrieval of all purchase order records.
- API role TWO:
  - This role grants access to all methods of the /lnapi/odata/tdapi.purPurchaseOrder/Orders route, except the DELETE method.
  - This role contains the following data authorization for the /lnapi/odata/tdapi.purPurchaseOrder/Orders route: (PurchaseOffice="USA"). Therefore, the role only allows retrieval of purchase orders of purchase office “USA”.
The LEAST restrictive route authorization applies. Therefore, the API identity has access to all methods, including DELETE, of the /lnapi/odata/tdapi.purPurchaseOrder/Orders route.
The MOST restrictive data authorization applies. Therefore, the API identity can only retrieve purchase orders of purchase office “USA”.
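The following sketch is an added example, not code from the product. It models the two rules above so that a role review can compute an identity's effective access and list the methods that one role withheld but another role restored. The ApiRole class, the function names, the five-verb method set, and the representation of a data authorization as allowed field values combined by intersection are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: "all methods" is modelled as these five HTTP verbs.
ALL_METHODS = frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"})
ROUTE = "/lnapi/odata/tdapi.purPurchaseOrder/Orders"

@dataclass
class ApiRole:  # hypothetical model, not the product's schema
    name: str
    routes: dict                               # route -> allowed methods
    data: dict = field(default_factory=dict)   # route -> {field: allowed values}

def effective(roles, route):
    """Union of methods (least restrictive), intersection of data filters (most restrictive)."""
    methods, filters = frozenset(), {}
    for role in roles:
        if route not in role.routes:
            continue
        methods |= role.routes[route]
        for fld, allowed in role.data.get(route, {}).items():
            allowed = frozenset(allowed)
            filters[fld] = filters[fld] & allowed if fld in filters else allowed
    return methods, filters

def widened(roles, route):
    """Per role, the methods it withheld that the identity still ends up with."""
    methods, _ = effective(roles, route)
    return {r.name: sorted(methods - r.routes[route])
            for r in roles if route in r.routes and methods - r.routes[route]}

def visible(filters, record):
    """True if the record satisfies every effective data filter."""
    return all(record.get(f) in allowed for f, allowed in filters.items())

# Constructed roles mirroring the example on this page.
ONE = ApiRole("ONE", {ROUTE: ALL_METHODS})
TWO = ApiRole("TWO", {ROUTE: ALL_METHODS - {"DELETE"}},
              {ROUTE: {"PurchaseOffice": {"USA"}}})

if __name__ == "__main__":
    methods, filters = effective([ONE, TWO], ROUTE)
    print(sorted(methods))
    print(filters)
    print(widened([ONE, TWO], ROUTE))
```

The widened() report is the part worth checking during a role review: it shows where a restriction written into one role is cancelled by another role linked to the same identity.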