Users & User management | Sage Active Developer

Users

Represents a list of users associated with the current organization.
Users may have different roles based on their profile.
Details about individual users, such as authentication information and full name, are provided in the specific fields of this resource.

Additionally, each user has an associated application language, which defines their preferred language within the application.

Role Management and Access to Business in Public API

User Management Unleashed: Sage Active Public API's Role-Based Innovation

All Videos

Explore the next level of secure, role-based access control with Sage Active's Public API.

A new era of intuitive application development awaits.

The assignment of roles to users and their access to businesses (known as ‘organization’ in the API context) enables restriction of data access based on user roles.

The public API must apply the same policies defined in these roles to align with the behavior of the Sage Active application.

Examples

Example 1
If a user has only the Accountant role, they cannot access features in Sage Active other than those related to accounting.
Similarly, the public API will restrict access for this user to accounting data only.
Example 2
If a user has only a read-only role, then the public API should not authorize mutations that allow creating, modifying, or deleting data.
Example 3 If a user has the right to view businesses A and B but not C, then the public API will only allow access to organizations A and B, but not C.

Error Management

If a query or mutation request is denied due to unauthorized rights, the API will return a message in the form:
Here, for example, if the user has only an Accountant role, and the createProduct object of the public API is called, this error will be returned.

{
    "errors": [
        {
            "message": "global.businessErrors.authorizationPolicy",
            "locations": [
                {
                    "line": 1,
                    "column": 51
                }
            ],
            "path": [
                "createProduct"
            ],
            "extensions": {
                "details": "add-product"
            }
        }
    ],
    "data": {
        "createProduct": null
    }
}

The message will always contain global.businessErrors.AuthorizationPolicy.

Detailed information about the unauthorized policy can be found in:

  "extensions": {
      "details": "add-product"
  }

Predicting User Permissions for Actions

From a user experience perspective, it’s necessary to inform the user via the interface if an action is not authorized.

For example, for a user with a read-only role, it’s pointless to offer a Create, Modify, or Delete button.
It’s preferable to disable or hide the button rather than allowing the user to enter data only to receive a message that the action is denied.

To achieve this, the API resources overview / User Access Policy Check action allows passing in parameters like object names (e.g., mutation createCustomer or deleteSalesQuote, query accountingAccounts), and the API will return a true or false for each object name for the current user.

For instance, if the response for the createCustomer parameter is false, it will be possible to act on the application front to disable or remove the Create a Customer button or to inform with a message that this action will not be available.