Principle of least privilege

Hi. What is the least amount of privileges a user needs in order to sign in and authorize an application that uses the SKY API? Can a user have "Get" privileges without having "Post" privileges? Obviously, the application could exclude "Post" requests and only provide the user with "Get" request options. But the question, does the user still need "Post" request privileges? Thanks in advance for any insight on this.

Comments

  • Hi Bryce,

    Great question - here are some points to note:

    First, external SKY applications must be "connected" to a customer environment by an admin user before any end-users can provide authorization through the OAuth consent flow.  This admin step, which currently happens within the Control Panel -> Applications page (and we're working on moving this functionality to the Marketplace), doesn't provide any API access in and of itself.  You can think of this step as an early "install" gate that must be unlocked before any end-users can provide consent for API access.  If this step hasn't been performed, then end-users will see "This application has not been approved in your Blackbaud product" on the OAuth dialog.

    Second, a key point to note is that all API access happens in the context of the consenting user account, and thus API calls will be subject to that user's security permissions.  If a user does not have permission to perform an action or access some data within the Blackbaud product, they won't be able to perform that action or access that data via an external application.  Since each organization has control over the security rights given to its users, this means that organizations can control what level of access they extend to external applications by controlling the permissions associated with the consenting user account.  So for example, you can create a dedicated Blackbaud ID account with very limited rights and use that account when providing consent during the OAuth flow, and the result will be that the external application will have the same limited rights.

    The minimal privilege needed for a user to provide consent for an application is that the user must have some level of access within the environment (meaning, the user must have accepted an invitation to the environment).  The application will then be able to make API calls in the context of that user account, and will therefore be subject to the permissions given to that account.  And of course, an admin can certainly change that user's permissions after consent (which will further restrict what the external application can do/see).

    Finally, Blackbaud customer admins can "Remove" an application from the environment at any time.  This will prevent the application from acquiring any new access tokens (either via user-interactive consent, or via refreshing tokens).  Existing access tokens that have been issued will continue to function until they expire (up to 60 minutes).

    One challenge we've seen is that we currently don't expose an API or any details with the token that indicate the level of access for a given user.  So if a user doesn't have "Post" permission, the application will have no way of knowing until it tries to make a "Post" request (which will return a 403 Forbidden response).  While not ideal at the moment, it's an area of interest for us, and we do recommend that applications code defensively to handle 4xx responses.

    Hope this information is helpful, please let us know if you have more questions!
  • Hi Ben,

    Thank you for your reply. I understand that an application using the SKY API will be limited by the user's security permissions. My question is, what is the minimal level of security permissions that a user can be given to use the SKY API? Is there a level that allows "Get" requests but not "Post" requests? Is there any documentation on the various levels of permissions? I'm asking because we want to create a user that can Get but not Post. Is that possible?

    Thank you for your time and your insight,

    Bryce
  • Hey Bryce,

    There isn't a separate set of permissions for API access that differs from the permissions controlling the user's access.  So there's not really a minimum permission needed to use SKY API per se, it really depends on the endpoints being called.  Technically, since API calls happen in the context of an environment, the minimal requirement is just that the user have some level of access within the environment.

    But that said, you can definitely craft a "read-only" user role, with whatever set of limited permissions you want to give.  Users in this role would not be able to perform write operations, whether via the UI or API.

    Here's a link to the documentation that is currently available for defining security roles and permissions:
    https://webfiles.blackbaud.com/files/support/helpfiles/rex/content/sec-workflow.html

    (that link is for the help topic within Raiser's Edge NXT, there's a similar link for Financial Edge NXT if you need it)

    Let me know if that answers your question, or if you need more info!
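The two points made in the replies above, that the token carries no permission details so an application only learns about a missing write permission when a POST comes back 403, and that a read-only consenting user role is therefore the practical way to grant Get-without-Post, can be shown together in a small client. The code below is an added example written for this page; it is not Blackbaud's SDK or anything from the thread. It assumes the constituent endpoint path and the `Bb-Api-Subscription-Key` header as the SKY API uses them, and replaces the network with a constructed in-memory transport that behaves the way the API would for a read-only consenting user (GET succeeds, POST returns 403, a missing token returns 401).

```python
"""Defensive handling of 4xx responses from SKY API calls made on behalf of a
consenting user whose role is read-only.

Added example, not Blackbaud code.  Endpoint path, header name and the
in-memory transport are assumptions/constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Assumed path, modelled on the SKY API constituent endpoint
# (the real base URL would be https://api.sky.blackbaud.com).
CONSTITUENTS = "/constituent/v1/constituents"


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Response]


class PermissionDenied(Exception):
    """403: the consenting user's role does not allow this action."""


class ReconsentRequired(Exception):
    """401: the token was rejected (expired, or the admin removed the app)."""


class SkyClient:
    """Minimal client that turns 4xx answers into explicit outcomes."""

    def __init__(self, transport: Transport, token: str, subscription_key: str):
        self.transport = transport
        self.token = token
        self.subscription_key = subscription_key
        # The token says nothing about permissions, so the user's write
        # ability is unknown until a write attempt is answered by the API.
        self.write_allowed: Optional[bool] = None

    def _request(self, method: str, path: str, json: Optional[dict] = None) -> dict:
        headers = {
            "Authorization": f"Bearer {self.token}",
            "Bb-Api-Subscription-Key": self.subscription_key,  # assumed header name
        }
        resp = self.transport(method, path, headers, json)
        if resp.status == 401:
            raise ReconsentRequired(f"{method} {path}: token rejected, re-consent needed")
        if resp.status == 403:
            if method != "GET":
                self.write_allowed = False  # remember: this user is read-only
            raise PermissionDenied(f"{method} {path}: consenting user lacks permission")
        if 400 <= resp.status < 500:
            raise ValueError(f"{method} {path}: client error {resp.status}")
        if resp.status >= 500:
            raise RuntimeError(f"{method} {path}: server error {resp.status}")
        return resp.body

    def get_constituent(self, cid: str) -> dict:
        return self._request("GET", f"{CONSTITUENTS}/{cid}")

    def try_create_constituent(self, payload: dict) -> Tuple[bool, str]:
        """Attempt a write; report (created, reason) instead of crashing."""
        if self.write_allowed is False:
            return False, "skipped: consenting user is read-only"
        try:
            body = self._request("POST", CONSTITUENTS, payload)
        except PermissionDenied as exc:
            return False, str(exc)
        self.write_allowed = True
        return True, str(body.get("id", ""))


def read_only_transport(method: str, path: str, headers: Dict[str, str],
                        json: Optional[dict]) -> Response:
    """Constructed stand-in for the API as seen by a read-only consenting user."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return Response(401)
    if method == "GET" and path.startswith(CONSTITUENTS + "/"):
        return Response(200, {"id": path.rsplit("/", 1)[1], "name": "Sample Donor"})
    if method == "POST" and path == CONSTITUENTS:
        return Response(403, {"message": "Forbidden"})  # role has no write rights
    return Response(404)


if __name__ == "__main__":
    client = SkyClient(read_only_transport, "constructed-token", "constructed-key")
    print(client.get_constituent("280"))
    print(client.try_create_constituent({"first": "Ada"}))
    print(client.try_create_constituent({"first": "Grace"}))  # skipped without a call
```

The design choice worth noting is that the client does not try to guess permissions up front, since the thread says no API exposes them; it records the outcome of the first refused write and stops issuing writes for that session, while a 401 is kept distinct because it means the app must go back through consent rather than that the user lacks a right.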
  • Hi Ben. That is what I needed. Thank you very much! Have a great day!