Securing webMethods Integration Cloud and API Cloud

Authors: Vivek Kumar (vivk@softwareag.com), Srikanth Prathipati (srpr@softwareag.com)

1. Introduction

webMethods Integration Cloud and API Cloud (Gateway and Portal) are part of the iPaaS (integration Platform-as-a-Service) offering from Software AG. This document covers the User Management, Access Profiles, Project Permissions and ACLs (Access Control Lists) used to secure the platform (both Integration Cloud and API Cloud).

  • Audience

This article is intended for Cloud Integration Architects and Platform Administrators who would like to secure the platform with the proper Access Permissions.

  • Overview

Integration Cloud supports a three-dimensional permissions matrix:

  • Access Profile: An Access Profile specifies a collection of permissions that can be applied to multiple users.
  • Project Permission: Project Permissions are used to define custom project specific administrative permissions.
  • Access Control Lists: Access Control Lists are used to control the execution permission of an Integration. ACL, through the assigned Access Profiles, specifies the users who are granted the Execute Integration permission.

Users, Access Profile and Access Control Lists are linked with each other whereas Project permissions are linked with Projects and Users. Section 3 provides more details on this.

2. User Management

User Management for all the iPaaS offerings (Integration Cloud, API Gateway, Portal) is managed from Integration Cloud. In future the same would be offered from Software AG Cloud. Integration Cloud also supports Single Sign-On (SSO) to allow users to access the platform from a corporate Identity Provider (IDP). User identities can be imported into the platform with the SSO configuration.

  • IDP Users:
    • User identities are imported from the IDP when the above configuration is enabled.
    • When users log in through SSO, they are authenticated with SAML tokens against the IDP.
    • It is recommended to use IDP users for Platform User Interface (UI) login only, not for API/Integration execution access.
  • Native Users:
    • A Native user (Tenant Administrator) is provisioned during tenant creation.
    • A Native user can be used for both UI and API/Integration access.
    • Follow the recommended password policies for Native users.

To create a new user, follow the steps below from Settings. If you create a user for a Developer, make sure the user is assigned the right Project Permissions. The Access Profile can be assigned minimum functional permissions. This is explained in Section 5 (Sample Use Case).

  • Audit Log: A security Audit Log entry is recorded when a user (IDP/Native) logs in to the platform or accesses an API/Integration from an invocation channel. In addition, all platform operations are audited. For example, logs related to additions, deletions, updates, export, schedule, skip, login, logout, password changes, record access attempts, access violations, deployments, restart Integration executions, resume Integration executions, etc.

3. Securing Integration Cloud

  • Access Profiles: Access Profile specifies a collection of functional permissions that can be applied to multiple users.
    • Associated with Permission Matrix
      • Administrative permissions that can be associated with an Access Profile are classified into three categories:
        • Global Permissions
        • Functional Controls
        • Project Permissions

For example, refer to the configuration in the screenshot below.

  • The created Access Profile should be associated with at least one stage. Refer to the configuration in the screenshot below.

  • Many-to-many mapping with ACLs. Access Profiles can be mapped to multiple ACLs.

It is recommended to have different Access Profiles for Platform Administrators, Developers and DevOps Engineers. DevOps Engineers can have a different Access Profile for monitoring purposes (read only).

| Types | Description | Recommended? | Comments |
|---|---|---|---|
| Global Permissions | | | |
| User Management | Allow users to Add, Update, Delete Users, or assign users to Access Profiles | Case by case | For Platform Administrators |
| Access Control | Allow a user to modify Access Profiles, edit ACLs, specify user application access rights | Case by case | For Platform Administrators |
| Manage Personal Setup | Allow a user to modify the personal information, and generate or edit the user's own certificate. | Yes | |
| Manage Company Capabilities | Allow users to modify the company information. | Case by case | For Platform Administrators |
| Allow User Interface Access | Allow users to log in to Integration Cloud and access the user interface | Yes | Except for API users |
| Manage Audit Log | Allow users to view the Audit Log | Case by case | For Platform Administrators |
| Functional Controls | | | |
| Deploy | Allow users to Deploy assets | Case by case | DevOps users |
| Export | Allow users to Export assets | Yes | Except Monitor users |
| Stages Administer | Allow users to Manage Stages (create/delete) | Case by case | For Platform Administrators |
| Advanced Security Administer | Allow users to configure advanced security | Case by case | For Platform Administrators |
| Upgrade | Allow users to upgrade Applications | Case by case | For Platform Administrators |
| Solution Create/Update/Delete | Allow users to Create/Update/Delete | Case by case | For Platform Administrators |
| Project Permissions | | | |
| Accounts Create/Update/Delete | Allow users to Create/Update/Delete Account | Yes | Except for API access and Monitor Users |
| Operations Create/Update/Delete | Allow users to Create/Update/Delete Operations | Yes | Except for API access and Monitor Users |
| Reference Data Create/Update/Delete | Allow users to Create/Update/Delete Reference Data | Yes | Except for API access and Monitor Users |
| Document Type Create/Update/Delete | Allow users to Create/Update/Delete Document Type | Yes | Except for API access and Monitor Users |
| Integrations Create/Update/Delete/Execute | Allow users to Create/Update/Delete Integrations | Yes | Except for API access and Monitor Users |
| REST APIs Create/Update/Delete/Execute | Allow users to Create/Update/Delete REST APIs | Yes | Except for API access and Monitor Users |
| SOAP APIs Create/Update/Delete/Execute | Allow users to Create/Update/Delete SOAP APIs | Yes | Except for API access and Monitor Users |
| Listeners Create/Update/Delete | Allow users to Create/Update/Delete Listeners | Yes | Except for API access and Monitor Users |

  • Project Permission:

Project permissions are used to associate permissions with projects. Any new project created is automatically associated with the "Developer" project permission profile. If a project permission profile is associated with a user on the user profile page, the user can perform only the permitted tasks in the mapped project.

  • Associated with the Project Permission Matrix. For example, refer to the configuration in the screenshot below.

  • A Project Permission can be mapped to multiple users.
  • It is recommended to use Project Permissions only for development activities, so they do not need to be associated with stages.
  • Access Control Lists:

Use Access Control Lists (ACLs) to control the execution permission of an Integration. An ACL can be mapped to multiple Access Profiles. It is recommended to use custom ACLs (not Default) for API/Integration access.

  • Sample Permission Matrix

| Access Profile/Project permission/Environment Matrix | Development | Test | Prelive | Live |
|---|---|---|---|---|
| Administrator | Yes | Yes | Yes | Yes |
| Developer/Project Permissions | Yes | | | |
| DevOps | Yes | Yes | Yes | Yes |
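
The ACL-to-Access-Profile-to-user chain and the recommendations in this section can be checked mechanically. The following is an added example, not code from the original article or from Software AG: the record layout, the role labels and the sample tenant are constructed assumptions, while the permission, stage and ACL names are the ones used above.

```python
from dataclasses import dataclass

# Constructed sample tenant; the record layout is hypothetical and is not an
# Integration Cloud export format. Permission, stage and ACL names are the page's.
@dataclass
class User:
    name: str
    source: str      # "native" or "idp"
    profiles: set    # Access Profile names assigned to the user

@dataclass
class Profile:
    role: str        # "admin", "api" or "monitor" (labels assumed for this example)
    permissions: set
    stages: set

UI = "Allow User Interface Access"
PROFILES = {
    "Administrator": Profile("admin", {UI, "Deploy", "Export"}, {"Development", "Live"}),
    "OrdersApi": Profile("api", {UI}, {"Live"}),
    "Monitoring": Profile("monitor", {UI, "Export"}, set()),
}
USERS = [
    User("tenant.admin", "native", {"Administrator"}),
    User("svc.orders", "native", {"OrdersApi"}),
    User("jane@corp.example", "idp", {"OrdersApi"}),
]
ACLS = {"Default": {"Administrator"}, "OrdersACL": {"OrdersApi"}}    # ACL -> profiles
INTEGRATIONS = {"syncOrders": "OrdersACL", "legacySync": "Default"}  # integration -> ACL

def executors(integration):
    """Resolve Execute permission: integration -> ACL -> Access Profiles -> users."""
    granted = ACLS[INTEGRATIONS[integration]]
    return sorted(u.name for u in USERS if u.profiles & granted)

def findings():
    """Flag deviations from the recommendations in sections 2 and 3."""
    out = []
    for name, acl in sorted(INTEGRATIONS.items()):
        if acl == "Default":
            out.append(f"{name}: uses the Default ACL")
        idp = [u.name for u in USERS if u.source == "idp" and u.profiles & ACLS[acl]]
        out += [f"{name}: IDP user {n} has execute access" for n in idp]
    for name, p in sorted(PROFILES.items()):
        if not p.stages:
            out.append(f"{name}: not associated with any stage")
        if p.role == "api" and UI in p.permissions:
            out.append(f"{name}: API profile allows UI login")
        if p.role == "monitor" and "Export" in p.permissions:
            out.append(f"{name}: Monitor profile can Export")
    return out
```
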

4. Securing API Cloud

  • Access Profiles: API Management requires the permissions below for the Access Profile.

  • The created Access Profile should be associated with at least one stage, as mentioned in the earlier sections. It is recommended to have different Access Profiles for API Gateway Administrators, API Gateway Providers, API Portal Administrators and API Portal Providers. These are offered by the platform out of the box. The administrative permissions that can be associated with different Access Profiles are listed below.

| Types | Description | Recommended? | Comments |
|---|---|---|---|
| API GATEWAY | | | |
| Functional Controls | | | |
| APIs Manage | To create and manage APIs. | Yes | Except for Monitor role |
| APIs Publish to API Portal | To publish assets to API Portal. | Yes | Except for Monitor role |
| APIs Activate/Deactivate | To activate, deactivate and manage APIs. | Yes | Except for Monitor role |
| Applications Manage | To create and manage applications and register applications with the APIs. | Yes | Except for Monitor role |
| Manage aliases | To create and manage aliases. | Yes | Except for Monitor role |
| Manage Global Policies | To apply a global policy to all APIs or the selected set of APIs. | Case by case | API Administrators only |
| Activate/Deactivate Global Policies | To activate and deactivate global policies. | Case by case | API Administrators only |
| Manage Policy Templates | To apply one or more policy templates to an API. | Yes | Except for Monitor role |
| Manage Threat Protection Policies | To prevent malicious attacks on applications that typically involve large, recursive payloads, and SQL injections. | Case by case | API Administrators only |
| Package & Plans Manage | To create packages and plans, associate a plan with a package, and associate APIs with a package. | Case by case | API Administrators only |
| Package & Plans Activate/Deactivate | To activate and deactivate packages. | Case by case | API Administrators only |
| Import Assets | To import already exported APIs, applications, policies, and aliases by selecting Username > Import in API Gateway. | Yes | API Developer |
| Export Assets | To export assets to your local system. | Yes | API Developer |
| View Configurations | To create and manage administration configurations. | Yes | This is the only configuration to be enabled for Monitor role |
| Manage General Configurations | To manage general configurations. | Case by case | API Administrators only |
| Manage Security Configurations | To create and manage security configurations. | Case by case | API Administrators only |
| Manage Destination Configurations | To publish events and performance metrics data to the configured destinations. | Case by case | API Administrators only |
| Manage System Settings | To create and manage system settings. | Case by case | API Administrators only |
| Purge/Restore Runtime Events | To purge and restore events from the API Gateway store by setting the required date or duration in API Gateway. | Case by case | API Administrators only |
| Manage Service Result Cache | To manage caching of the results of API invocations depending on the caching criteria defined. | Case by case | API Administrators only |
| Manage Promotions | To add, modify, and delete API Gateway stages, or move API Gateway assets from the source stage to one or more target stages | Case by case | DevOps |
| API PORTAL | | | |
| Administrator | To manage all API Portal administrative tasks. | Case by case | API Administrators only |
| Provider | To manage all API Portal provider tasks. | Yes | Except for Monitor role |

Based on the public/private communities managed on API Portal, more fine-grained roles can be provisioned.

  • Access Control Lists: Use Access Control Lists (ACLs) to control the execution permission of an Integration. ACL, through the assigned Access Profiles, specifies the users who are granted the Execute Integration permission.

  • Sample Permission Matrix

| Access Profile/Environment Matrix | Development | Test | Prelive | Live |
|---|---|---|---|---|
| API Gateway Administrators | Yes | Yes | Yes | Yes |
| Developer | Yes | | | |
| API Portal Administrators | Yes | Yes | Yes | Yes |
| API Portal Provider | Yes | Yes | Yes | Yes |
| DevOps | Yes | Yes | Yes | Yes |

5. Sample Use Case - Creating an Access Profile for a Developer

  • An Access Profile for a Developer requires project permissions for developing integrations, APIs and applications (if the restriction needs to be applied to certain projects). The Default Project is generally intended for shared access between multiple development teams, so it is offered as part of the Access Profile. An Access Profile can be created with these permissions as shown below and associated with the developers.
  • Go to Settings > Access Profiles > Add New Access Profile > Administrative Permissions and select the default permissions to be assigned to the developer in webMethods Integration Cloud.

A sample is shown below.

From an API Management perspective, a Developer would also need permission to manage the APIs (create, update, delete). This is required especially on the Development API Gateway tenant. This requires the permissions below.

  • In addition to this, new Project Permissions can be created for each Project. To create the Project Permission:

Go to Settings > Project Permissions > Add New Project Permissions. Select the Project to give permissions to and click the '+' icon. Select all the permissions.

  • Associate the Access Profile and Project Permission with Users: The Access Profile created above has to be mapped to the User. To create the user with the associated Access Profile, go to Settings > Users > Add New User, then select the Access Profile and the required Project Permission.