Carson Gregory
11/16/2021, 10:02 PM

Robert Moucha
11/16/2021, 10:08 PM

Carson Gregory
11/16/2021, 10:38 PM

Robert Moucha
11/16/2021, 10:55 PM

Carson Gregory
11/16/2021, 11:34 PM

Carson Gregory
11/17/2021, 5:16 PM

Carson Gregory
11/17/2021, 5:17 PM

Robert Moucha
11/17/2021, 5:21 PM

Robert Moucha
11/17/2021, 6:33 PM
/api (there's no need to block requests that do not start with /api in URI):
GET /api/entities/organization
GET /api/entities/admin/organizations/{wsId}
GET /api/layout/workspaces/{wsId}/...
GET /api/entities/workspaces/{wsId}
GET /api/entities/workspaces/{wsId}/...
POST /api/actions/workspaces/{wsId}/execution/afm/execute
POST /api/actions/workspaces/{wsId}/execution/afm/computeValidObjects
GET /api/actions/workspaces/{wsId}/execution/afm/execute/result/...
Three dots at the end of URI mean that all nested resources should be allowed.
Note that our apps also call GET /api/entities/workspaces, which returns all workspaces. This call is used for workspace list retrieval on the home page and in the workspace picker. So this call should be intercepted and its result somehow modified to return only the allowed workspace (wsId).
The list above should be sufficient for "read-only" workspace access. If you want to allow your users to modify workspace elements (create metrics, dashboards and reports), additional methods (POST, PUT, DELETE and PATCH) must be allowed on specific URIs. Please refer to our OpenAPI docs.

Carson Gregory
11/17/2021, 10:13 PM

Robert Moucha
11/18/2021, 12:23 AM