By default, no users have access to the Publisher and the Store including the Access Manager administrative account. During the configuration of Secure API Manager, it creates two roles and two appmarks for the Publisher and the Store in Access Manager.
An appmark is an item specific to Access Manager. It acts as a bookmark for a resource protected or provided by Access Manager. Secure API Manager is an add-on solution to Access Manager and it takes advantage of this function to create to appmarks for you to use. By default, the appmarks are configured for your environment and there is no need to make any changes to the appmarks for them to work. If you need to make changes to the appmarks, you manage the appmarks through the Access Manager Administration Console Dashboard under Administration Tasks > Appmarks.
The following table lists the names of the appmarks and roles created for the Publisher and the Store.
Table 2-1 Names of the Roles and Appmarks for the Publisher and the Store
|
Appmark |
Role |
Notes |
|---|---|---|---|
|
Publisher |
APIs:Create/Publish |
ROLE_PUBLISHER |
Grants access to the appmark for the Publisher. |
|
|
SapimPublisher |
Grants access to the Publisher |
|
Store |
APIs:Subscribe |
ROLE_SUBSCRIBER |
Grants access to the appmark for the Store. |
|
|
SapimSubscriber |
Grants access to the Store. |
|
|
NAM_OAUTH2_ADMIN |
Allow access to see and manage the Access Manager OAuth clients in the Store. |
|
|
NAM_OUATH2_DEVELOPER |
Allow access to see and manage the Access Manager OAuth clients in the Store. |
Secure API Manager automatically creates and configures the appmarks for the Publisher and the Store using the roles. Users who do not have the appropriate role receive a “no access” error when they try to access the appmark.
To grant access to the Publisher and the Store:
Create accounts for anyone who wants access to the Publisher and the Subscriber in the Access Manager user store.
Add the appropriate role for the appropriate appmark to the accounts for the API developers in the Access Manager user store.
Publisher: Add the ROLE_PUBLISHER role.
Store: Add the ROLE_SUBSCRIBER role.
Publisher and Store: Add the ROLE_PUBLISHER role and the ROLE_SUBSCRIBER role.
Create role policies to grant access to the roles for the Publisher and the Store. For example:
Create a role policy that grants SapimPublisher to anyone who uses the Publisher.
Create a role policy that grants SapimSubscriber, NAM_OAUTH2_ADMIN, and NAM_OAUTH2_DEVELOPERS to anyone who uses the Store.
Inform users how to access the appmarks through the Access Manager user portal. The default URL is:
https://dns-name-identity-server:8443/nidp/portal
By granting the roles lists in Step 3 to the API developers, they can view and manage the Access Manager OAuth clients in the Store without granting them access to the Access Manager Administration Console. This allows the API developers to create and register the required OAuth clients for the APIs.