Route data authorizations

Route data authorizations can be used to restrict access to sensitive data. If no route data authorizations are defined, API consumers can retrieve all data of the routes for which they are authorized. In some situations, this is not desirable: data access must be limited to specific consumers, for example to enforce segregation of duties.

Sensitive data should only be accessible to certain designated consumers, and not to all consumers. For example, in Aerospace & Defense, LN projects can contain civil and military data. Some consumers should only be able to retrieve civil project data, not military project data.

Data authorization rules can only be defined on the main collections in an API. These rules cannot be defined for the route of the API itself, nor for routes under the main collections in an API.

Example

Data authorization rules can be defined for:

  • /lnapi/odata/tdapi.purPurchaseOrder/Orders
  • /lnapi/odata/tdapi.purPurchaseOrder/Lines

Data authorization rules cannot be defined for:

  • /lnapi/odata/tdapi.purPurchaseOrder
  • /lnapi/odata/tdapi.purPurchaseOrder/Orders(PurchaseOrder='{PurchaseOrder}')
  • /lnapi/odata/tdapi.purPurchaseOrder/Orders(PurchaseOrder='{PurchaseOrder}')/AcknowledgmentRef

For each main collection in an API, you can define route data authorizations that apply to all companies and methods. You can also define different authorizations per company and per method.

You can specify the condition text for a data authorization rule in the Text Editor.

For syntax examples of the conditions, see the online help of the Route Data Authorizations by Role tab in the Route Tree Authorizations by Role (ttmtm6675m000) session.

Example

You specify this route data authorization:

For the endpoint /lnapi/odata/tdapi.purPurchaseOrder/Orders, you specify the condition (OrderAmount<10000.00) for all methods and companies.

As a result, when you send a “Get entities from Orders” request, the response data of the API only shows purchase orders with an order amount less than 10000.00.

When you send a “Get entity from Orders by key” request, the result depends on the order number you specify in the API request. For example:

  • Order 101000008 has an order amount of 9800.00. If you send a “Get entity from Orders by key” request for this order, status code 200 (Success) and the order data of order 101000008 are returned.
  • Order 101000009 has an order amount of 11000.00. If you send a “Get entity from Orders by key” request for this order, error code 404 and this error message are returned: "Record ['101000009'] cannot be read from table Purchase Orders in company 3001."
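The example above shows the two properties a route data authorization must have: the condition filters the collection request, and the same condition is applied to the by-key request, so a record the consumer may not see is reported as not found rather than leaked through key access. The following Python model is an added illustration and is not Infor LN code; the order records are constructed (company 3001 and the two order numbers and amounts mirror the page's example), and the condition parser accepts only the simple "field operator number" form shown on the page, which is an assumption about the syntax rather than a description of the real condition language.

```python
import operator
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data (not taken from any real system): company 3001 and
# the two order numbers and amounts mirror the page's worked example.
ORDERS = {
    (3001, "101000008"): {"PurchaseOrder": "101000008", "OrderAmount": 9800.00},
    (3001, "101000009"): {"PurchaseOrder": "101000009", "OrderAmount": 11000.00},
}

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}
# Assumed condition form: optional parentheses around "field op number".
_COND = re.compile(r"^\(?\s*(\w+)\s*(<=|>=|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*\)?$")


def parse_condition(text: str) -> Callable[[dict], bool]:
    """Turn a condition such as '(OrderAmount<10000.00)' into a predicate.

    Only the simple 'field op number' form is supported here; the real
    syntax is documented in the ttmtm6675m000 session help.
    """
    m = _COND.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    field, op, value = m.group(1), _OPS[m.group(2)], float(m.group(3))
    # A record lacking the field fails the condition (fail closed).
    return lambda rec: field in rec and op(rec[field], value)


@dataclass(frozen=True)
class DataAuthRule:
    route: str                      # main collection the rule is defined on
    condition: str
    company: Optional[int] = None   # None: applies to all companies
    method: Optional[str] = None    # None: applies to all methods

    def applies_to(self, route: str, company: int, method: str) -> bool:
        return (self.route == route
                and self.company in (None, company)
                and self.method in (None, method))


def allowed(rules, route, company, method, record) -> bool:
    """A record is visible only if every applicable rule's condition holds.

    With no applicable rule the consumer sees all data of the route, which
    is the page's default behaviour.
    """
    preds = [parse_condition(r.condition)
             for r in rules if r.applies_to(route, company, method)]
    return all(p(record) for p in preds)


def get_entities(rules, route, company, method="GET"):
    """'Get entities from Orders': return only the records the rules allow."""
    return [rec for (comp, _key), rec in ORDERS.items()
            if comp == company and allowed(rules, route, company, method, rec)]


def get_entity_by_key(rules, route, company, key, method="GET"):
    """'Get entity from Orders by key': apply the same predicate as the
    collection request, so a filtered-out record cannot be read by key.
    A record the consumer may not see is reported as 404, as on the page,
    which also avoids confirming that the record exists."""
    rec = ORDERS.get((company, key))
    if rec is None or not allowed(rules, route, company, method, rec):
        msg = (f"Record ['{key}'] cannot be read from table Purchase Orders "
               f"in company {company}.")
        return 404, {"error": msg}
    return 200, rec


ROUTE = "/lnapi/odata/tdapi.purPurchaseOrder/Orders"
# The page's rule: all methods, all companies.
RULES = [DataAuthRule(ROUTE, "(OrderAmount<10000.00)")]

if __name__ == "__main__":
    print(get_entities(RULES, ROUTE, 3001))
    print(get_entity_by_key(RULES, ROUTE, 3001, "101000008"))
    print(get_entity_by_key(RULES, ROUTE, 3001, "101000009"))
```

The point of routing both request shapes through `allowed` is that the by-key lookup and the collection query share one decision; an implementation that filtered only the list response would leave every filtered record readable to anyone who knows or guesses its key.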