4.2 Configuring the Access Manager Scopes and Roles Usage in Secure API Manager

To allow Secure API Manager to read and access the Access Manager roles and scopes is a two-step process. First, you must create an attribute map in Access Manager. Next, you must create a scope for a single API or multiple APIs that you want to protect. You perform the first step once but you must create a scope for the APIs or specific API endpoints that you want to protect.

4.2.1 Creating an Attribute Map in Access Manager for Secure API Manager

To control access to the APIs that are available in the Store you must create an attribute map. The attribute maps allows the Secure API Manager token validator to access the Access Manager user’s roles to ensure that the user has the correct roles to access an API or specific API endpoints.

To create an attribute map in Access Manager:

From the Access Manager Dashboard, click Devices, then select Identity Servers.
Click the Shared Settings tab.
Click New to create a new attribute map.
Specify a unique name that you can remember and that you associate with Secure API Manager, such as ForSAPIMAllUserRoles.
Click Finish.
Select Support WSTrust and Oauth, then click Next at the end of the page.
Click New to add an attribute definition to the map.
Select Local attribute, then select All Roles.
Click OK to save the attribute map entry, then click Finish to complete the creation of the attribute map.

4.2.2 Creating a Scope for One or More APIs in Access Manager

You must create a scope for one or more APIs or API endpoints that you want to protect with Access Manager. You can use the same scope for multiple APIs or for specific API endpoints that cross multiple APIs in Secure API Manager.

From the Dashboard in Access Manager, click the name of the identity server that you associated with Secure API Manager during the deployment. For more information, see Completing the Integration Between Secure API Manager and Access Manager in the NetIQ Secure API Manager 1.1 Installation Guide.
Click the OAuth and OpenID Connect tab.
On the menu, click Resource Servers.
Create a new resource server for the APIs or API endpoints as follows:
1. Click New.
2. Specify a name for the resource server that represents the APIs or API endpoints so that it is easy to remember.
3. Click Finish to create the new resource server.
4. Repeat Step 4.a through Step 4.c to create a new resource server for the APIs or API endpoints you want to protect.
Add a scope to each resource server for the APIs or API endpoints as follows:
1. On the Resource Server page, click the name of the appropriate resource server.
2. Click Scopes.
3. Click New.
4. Specify a scope name and description. Ensure that you use something that represents the APIs or API endpoints.
5. Click User Attributes, then select the Require user permission option. Ensure that you select this option, otherwise the integration fails.
6. Click Next at the end of the page.
7. On the Step 2 page, select the attribute map you created in Step 4.
8. Click Finish at the end of the page.
9. Repeat Step 5.a through Step 5.h for each scope that you need to create for each resource server.
Update the identity server cluster with the new resource servers and scopes as follows:
1. From the Dashboard, click Devices > Identity Servers.
2. In the Status column, click Update All.
3. Click OK.
Update Secure API Manager to have the roles and scopes appear as follows:
1. Log in to the appliance management console as vaadmin.
```
https://ip-address-or-dns-name-appliance:9443
```
2. Click Deployment Manager.
3. Click the Access Manager Integration tab.
4. Click Save.
(Optional) Create any role policies that might be required for API access. The set of roles that the API developers see in the Publisher comes from the list of all configured role policies in Access Manager. For more information, see Role Policies in the NetIQ Access Manager 4.5 Administration Guide.