Fine-tuning API access for Education

James Phieffer

I am a student who is currently beginning to work on an application as a part of a senior project. My application needs access to some specific endpoints such as (not necessarily limited to):

• all sections
• students by section
• master calendar

et cetera. However, the IT department will not give me access unless there is a way to restrict the access to just the endpoints needed (they do not want me being able to access sensitive information about other students such as their grades and disciplinary history). Hopefully, if the student was signed into their own account, they could access their own grades, but the general API should not be able to do this. Is there any way to restrict access in such a way? Help would be greatly appreciated.

Todd DeSchuiteneer

Hi @James Phieffer, this sounds like a really great project and we're excited to see students using the API. Unfortunately, the endpoints referenced are accessed based on roles listed on the endpoint documentation. These particular endpoints would require a manager role that would allow you access to other student information. There is not current way to restrict access to certain endpoints besides the role access already in place.

Stephen Boyle

@James Phieffer
Hi James. Todd's right, as is your school. Data security is one of the most important things to keep in mind when creating an app that accesses someone else's data.

The good news is that there are endpoints that are meant for Student users to call. These endpoints are meant for non-admin users, and have extra security built in. So, not only does the user need the correct role on their account, but the id used for the API call must be the same id as the logged-in user. That makes sure you are only requesting data for yourself and not some other student, and parent users can request data for any student where they have parental access.

For you to access these endpoints, you'll need a SKY Developer Account. It's the first step in our Getting Started documentation.

Some examples of endpoints for Student users are:

• GET Academics sections for student
• GET Academics assignments for student
• GET Directories and GET Directories results
• GET Content News Items and GET Content News categories
• GET Calendar for User
• GET Schedules - Meetings for a student
• All of the Core <x> endpoints, like GET Core years, are available to all users

Note that if an endpoint says “for <x>” it is meant for an end-user like a student. Endpoints meant for admin users usually have “by user” or “by role” or the like.

Stephen Boyle

@James Phieffer
Also note: Once you are set up with a dev account, you can test endpoints using the Try It button from the endpoint's documentation.