API Access

Hi All,

Does anyone know if it is possible and/or how to enforce least privileged access to third-party integrations? Our security team is hesitant to allow us to use any integration if we can't limit the vendor's access to only the data types that they have a business need to use. Or maybe this is something that is already reviewed and limited by Blackbaud? We don't want these vendors to have access to everything available in the API, just what they need to function properly.

Thank you!

Comments

  • Ben Wong (Blackbaud Employee)

    Hi @Rachel Ellis, this is an excellent question. I just talked about this at the Blackbaud Developer's conference today, so this will serve as a good follow up to that. The short answer is, yes, SKY API supports the principle of least privilege. The easiest way to do it is via the SKY application's scope, which can be set by the developer. Here is the documentation on scopes:

    SKY API calls are made in context of the consenting user's permissions. The consenting user is the user who is authorizing the SKY application to use SKY API to access data within your Blackbaud solution (RENXT). Scopes are the easiest way to limit the data access of the app. Note that this is something the developer needs to set.

    Another approach you can take is to set up a “service principal user” with limited permissions in RENXT, and use that user account to authorize the app. Part of the SKY API authorization flow involves a user signing in to authorize the app using SKY API. If you sign in with the service principal user account with limited permissions, the app will operate with those same permissions.

    I hope that helps!

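    As an added example, not from this thread or from Blackbaud's own tooling: a small Python review helper a security team could use to check a vendor's OAuth authorization request (the `scope` parameter the developer set) and the scopes actually granted in the token response against the approved business need. The scope names and URLs below are constructed placeholders, not real SKY API scopes.

```python
from urllib.parse import urlparse, parse_qs

# Scopes the business case for this integration actually needs.
# Constructed placeholders for illustration, not real SKY API scope names.
APPROVED_SCOPES = {"constituent.read", "gift.read"}

# Constructed sample authorization URL a vendor might ask us to approve.
SAMPLE_URL = (
    "https://oauth.example.invalid/authorization?client_id=abc123"
    "&response_type=code&redirect_uri=https%3A%2F%2Fvendor.example%2Fcb"
    "&scope=constituent.read%20gift.read%20gift.write"
)


def requested_scopes(authorize_url: str) -> set[str]:
    """Extract the space-separated OAuth `scope` parameter from an authorization URL."""
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return set(raw.split())


def excess_scopes(requested: set[str], approved: set[str] = APPROVED_SCOPES) -> set[str]:
    """Return the scopes that go beyond the approved business need."""
    return requested - approved


def review_integration(authorize_url: str, granted_scope: str,
                       approved: set[str] = APPROVED_SCOPES) -> dict:
    """Review both sides of the consent: what the app asks for and what it was granted.

    `granted_scope` is the space-separated `scope` value from the token response.
    A request with no `scope` parameter at all is treated as unrestricted and
    rejected, since many authorization servers then fall back to a broad default.
    """
    requested = requested_scopes(authorize_url)
    granted = set(granted_scope.split())
    excess_requested = excess_scopes(requested, approved)
    excess_granted = granted - approved
    return {
        "scope_specified": bool(requested),
        "excess_requested": sorted(excess_requested),
        "excess_granted": sorted(excess_granted),
        "approve": bool(requested) and not excess_requested and not excess_granted,
    }


if __name__ == "__main__":
    print(review_integration(SAMPLE_URL, "constituent.read gift.read"))
```

    The same check can be repeated after a service-principal user authorizes the app, since the token response shows the scopes that consent actually produced.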

  • @Ben Wong It does! Thank you for this!
