Explore the next level of secure, role-based access control with Sage Active's Public API.
A new era of intuitive application development awaits.
User management
Role Management and Access to Business in Public API
User Management Unleashed: Sage Active Public API's Role-Based Innovation
The public API applies the same policies that Sage Active user roles define, so that its behavior matches that of the Sage Active application.
Examples
- Example 1: If a user has only the Accountant role, they cannot access features in Sage Active other than those related to accounting. Similarly, the public API will restrict access for this user to accounting data only.
- Example 2: If a user has only a read-only role, then the public API should not authorize mutations that allow creating, modifying, or deleting data.
- Example 3: If a user has the right to view businesses A and B but not C, then the public API will only allow access to organizations A and B, but not C.
Error Management
If a query or mutation request is denied because the user lacks the required rights, the API returns an error message in the form shown below. For example, if the user has only the Accountant role and the createProduct object of the public API is called, this error is returned:
    {
      "errors": [
        {
          "message": "global.businessErrors.authorizationPolicy",
          "locations": [
            {
              "line": 1,
              "column": 51
            }
          ],
          "path": [
            "createProduct"
          ],
          "extensions": {
            "details": "add-product"
          }
        }
      ],
      "data": {
        "createProduct": null
      }
    }
- The message will always contain global.businessErrors.AuthorizationPolicy.
- Detailed information about the unauthorized policy can be found in "extensions": { "details": "add-product" }.
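The following client-side handler is an added example; it is not part of the Sage Active documentation or of any Sage SDK. It takes a GraphQL response of the shape shown above, separates authorization-policy denials from other errors, and pulls out the refused operation (from "path") and the policy that refused it (from "extensions.details") so the front end can show a role-specific message and log the policy name. The sample response is constructed from the page's example; because the page writes the marker both as "authorizationPolicy" and "AuthorizationPolicy", the comparison ignores case.

```javascript
// Added example, not Sage Active's code. Parses a GraphQL error response and
// extracts authorization-policy denials.

// Constructed sample response, following the createProduct example above.
const SAMPLE_DENIED_RESPONSE = {
  errors: [
    {
      message: "global.businessErrors.authorizationPolicy",
      locations: [{ line: 1, column: 51 }],
      path: ["createProduct"],
      extensions: { details: "add-product" },
    },
  ],
  data: { createProduct: null },
};

// Lower-cased marker: the documentation shows both casings of the message.
const AUTHZ_MARKER = "global.businesserrors.authorizationpolicy";

function isAuthorizationDenial(error) {
  return (
    Boolean(error) &&
    typeof error.message === "string" &&
    error.message.toLowerCase() === AUTHZ_MARKER
  );
}

// Returns { denials: [{ operation, policy }], otherErrors: [...] }.
function classifyGraphqlErrors(response) {
  const errors = Array.isArray(response?.errors) ? response.errors : [];
  const denials = [];
  const otherErrors = [];
  for (const err of errors) {
    if (isAuthorizationDenial(err)) {
      denials.push({
        // "path" names the operation that was refused, e.g. createProduct.
        operation:
          Array.isArray(err.path) && err.path.length > 0 ? String(err.path[0]) : null,
        // "extensions.details" names the policy that refused it, e.g. add-product.
        policy:
          typeof err.extensions?.details === "string" ? err.extensions.details : null,
      });
    } else {
      otherErrors.push(err);
    }
  }
  return { denials, otherErrors };
}

// User-facing text; the wording is this example's, not Sage's.
function describeDenial(denial) {
  const op = denial.operation ?? "this action";
  const policy = denial.policy ? ` (policy: ${denial.policy})` : "";
  return `Your role does not allow ${op}${policy}.`;
}

// Stand-alone run over the constructed sample.
const classified = classifyGraphqlErrors(SAMPLE_DENIED_RESPONSE);
for (const denial of classified.denials) {
  console.log(describeDenial(denial));
}
```

The policy name in "extensions.details" is what to record in client-side logs when investigating repeated denials; the "message" field alone only tells you that some policy refused the call.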
Predicting User Permissions for Actions
For example, for a user with a read-only role, it is pointless to offer a Create, Modify, or Delete button. It is preferable to disable or hide the button rather than allowing the user to enter data only to receive a message that the action is denied.
To achieve this, the API resources overview / User Access Policy Check action allows passing in parameters such as object names (e.g., the mutations createCustomer or deleteSalesQuote, or the query accountingAccounts), and the API returns true or false for each object name for the current user.
For instance, if the response for the createCustomer parameter is false, the application front end can disable or remove the Create a Customer button, or inform the user with a message that this action is not available.
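The front-end gating just described, as an added example that is not part of the Sage Active documentation or of any Sage SDK. The function checkUserAccessPolicies is a hypothetical wrapper around the User Access Policy Check action: this page does not give the action's request or response format, so the wrapper takes the actual API call as an injected function and only normalizes its answer to a map of object name to boolean. Anything other than an explicit true is treated as "not allowed", so a missing or malformed answer disables the button rather than enabling it. The read-only user's answer is constructed for the demonstration.

```javascript
// Added example, not Sage Active's code. Disables front-end buttons based on
// a per-object permission check for the current user.

// Buttons the front end renders, each tied to the public API object it calls.
const BUTTONS = [
  { id: "btn-create-customer", label: "Create a Customer", objectName: "createCustomer" },
  { id: "btn-delete-quote", label: "Delete sales quote", objectName: "deleteSalesQuote" },
  { id: "btn-accounts", label: "Accounting accounts", objectName: "accountingAccounts" },
];

// Hypothetical wrapper around the User Access Policy Check action. callApi is
// the real request (assumed to resolve to { objectName: true|false }); the
// wrapper fails closed by mapping anything but an explicit true to false.
async function checkUserAccessPolicies(objectNames, callApi) {
  const raw = (await callApi(objectNames)) ?? {};
  const allowed = {};
  for (const name of objectNames) {
    allowed[name] = raw[name] === true;
  }
  return allowed;
}

// Decides, per button, whether it is enabled and what hint to show if not.
function planButtonStates(buttons, allowed) {
  return buttons.map((b) => {
    const enabled = allowed[b.objectName] === true; // anything else disables
    return {
      id: b.id,
      label: b.label,
      enabled,
      hint: enabled ? null : `${b.label}: this action is not available for your role`,
    };
  });
}

// Applies the plan to DOM buttons when running in a browser; returns the
// number of buttons updated (0 outside a browser, e.g. under Node).
function applyButtonStates(states, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let applied = 0;
  for (const s of states) {
    const el = doc.getElementById(s.id);
    if (!el) continue;
    el.disabled = !s.enabled;
    el.title = s.hint ?? "";
    applied += 1;
  }
  return applied;
}

// Constructed stand-in for the API answer for a read-only user: queries are
// allowed, mutations are not.
const READ_ONLY_USER_ANSWER = {
  createCustomer: false,
  deleteSalesQuote: false,
  accountingAccounts: true,
};

// Stand-alone run with the constructed answer in place of the real call.
async function demo() {
  const allowed = await checkUserAccessPolicies(
    BUTTONS.map((b) => b.objectName),
    async () => READ_ONLY_USER_ANSWER
  );
  const states = planButtonStates(BUTTONS, allowed);
  applyButtonStates(states);
  return states;
}

demo().then((states) => {
  for (const s of states) console.log(s.id, s.enabled ? "enabled" : "disabled");
});
```

The pre-check only improves the user experience; the public API still enforces the role policies on every query and mutation, so the error handling for the authorizationPolicy message remains necessary for the case where permissions change between the check and the call.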