Fine-Grained Access Permission For Data Service

How do you configure the client-credentials method for accessing Data Service resources from an external application using Fine-Grained Access?

Configuring Fine-grained Access for External Apps:

Client credentials allow an external application to access Data Service resources by using its own credentials, instead of impersonating a user.

When the external application requests resources, Data Service checks that the application itself is authorized to perform the action, because no user is involved in the authentication.

Creating External Apps: To grant access to all entities under a tenant for an external app, follow these steps in Data Service.

  1. Go to Admin > External Applications. The External Applications page is displayed.
  2. Click Add Application, then set Application Name and click Add.
  3. Create a Confidential application as follows and click on 'Add'.
  4. Note the App ID and App Secret for the external app created.

Adding External Apps to a Tenant: To grant access to all entities under a tenant for an external app, follow these steps in Data Service:

  1. Click on the menu icon at the top of the Entity List page and click on Manage Access.
  2. Click on Assign Roles.
  3. Select the external application created above and assign the required roles under Select Roles, then click on Save.
  4. In the list on the "Assign Roles" tab, make sure that the role "Data Reader" is assigned to the external application.


Adding External Apps to an Entity: To control access rights on an entity-by-entity basis, follow these steps in Data Service:

  1. Click on the menu icon at the top of the Entity List page and click on Manage Access.
  2. Click Create New Role.
  3. Set the role name and the required access permissions under Data Access Permissions, then click Save.
  4. Make sure that the created custom role is listed in the Roles tab.
  5. Click on Assign Roles.
  6. Select the external application and assign the role created above under Select Roles, then click on Save.

Fine-Grained Access: For confidential applications with fine-grained access configured via Data Service, request the DataService.Default scope to get an access token, which allows the application to check for assignments made in Data Service, at the tenant and entity levels. The application can then access the resources it has been granted access to, in those tenants and entities.
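
The token request described above, as an added example that is not part of the original article or the product's own code: it builds an OAuth 2.0 client-credentials request for the DataService.Default scope and accepts the response only if that scope was granted. The token endpoint URL, the environment variable names DS_APP_ID and DS_APP_SECRET, and sending the credentials in the form body are assumptions; take the real endpoint from your identity server's documentation.

```python
import json
import os
import urllib.parse
import urllib.request

SCOPE = "DataService.Default"  # scope named in the article


def build_token_request(token_url, app_id, app_secret):
    """Build (without sending) the client-credentials token request."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must use HTTPS; the body carries the App Secret")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,          # App ID noted when the app was created
        "client_secret": app_secret,  # App Secret; assumed to be accepted in the form body
        "scope": SCOPE,
    }).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return the access token only if it is a bearer token carrying SCOPE."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"token request rejected: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in response")
    # RFC 6749 section 5.1: "scope" may be omitted when it equals the requested scope.
    granted = doc.get("scope", SCOPE).split()
    if SCOPE not in granted:
        raise PermissionError(f"{SCOPE} not granted; server returned {granted}")
    return doc["access_token"]


def fetch_token(token_url):
    """Send the request; the secret is read from the environment, never hard-coded."""
    req = build_token_request(
        token_url, os.environ["DS_APP_ID"], os.environ["DS_APP_SECRET"])  # hypothetical names
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Constructed sample response, so the check runs offline.
    sample = '{"access_token": "tok", "token_type": "Bearer", "scope": "DataService.Default"}'
    print("scope check passed:", parse_token_response(sample) == "tok")
```

A token only proves the application's identity and scope; which tenants and entities it can read is still decided by the role assignments made in Manage Access.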