2.10 Grant Access to the Publisher and the Store

Access Manager Administration Console > Policies > Policies

By default, no users have access to the Publisher or Store, not even the Access Manager administrative account. When you configure Secure API Manager, it creates two roles and two appmarks for the Publisher and the Store in Access Manager.

IMPORTANT: Secure API Manager automatically creates the roles when you assign a role policy. Until you assign a role policy, the roles do not exist in the IDP.

An appmark is an item specific to Access Manager. It acts as a bookmark for a resource that is protected or provided by Access Manager. Secure API Manager is an add-on solution to Access Manager and it takes advantage of this function to create appmarks for you to use. By default, the appmarks are configured for your environment and there is no need to make any changes to the appmarks for them to work. If you need to make changes to the appmarks, you manage the appmarks through the Access Manager Administration Console Dashboard under Administration Tasks > Appmarks.

The following table lists the names of the appmarks and roles created for the Publisher and the Store. You must assign these roles to the users before they can access and use the Publisher and the Store.

Table 2-3 Names of the Roles and Appmarks for the Publisher and the Store

|           | Appmark             | Role                 | Notes |
|-----------|---------------------|----------------------|-------|
| Publisher | APIs:Create/Publish | SapimPublisher       | Grants access to the appmark for the Publisher. |
| Store     | APIs:Subscribe      | SapimSubscriber      | Grants access to the appmark for the Store. |
|           |                     | NAM_OAUTH2_ADMIN     | Allows the API developers to create the Access Manager OAuth clients in the Store. |
|           |                     | NAM_OAUTH2_DEVELOPER | Allows the API developers to see and access the Access Manager OAuth clients in the Store. |

Secure API Manager automatically creates and configures the appmarks for the Publisher and the Store using the roles. Secure API Manager automatically creates the roles in the IDP when you assign a role policy that contains the roles. Users who do not have the appropriate role receive a “no access” error when they try to access the appmark.

To grant access to the Publisher and the Store:

  1. Create accounts for anyone who wants access to the Publisher and the Store in the Access Manager user store.

  2. Add the appropriate role for the appropriate appmark to the accounts for the API developers in the Access Manager user store.

    • Publisher: Add the SapimPublisher role.

    • Store: Add the SapimSubscriber role.

    • Publisher and Store: Add the SapimPublisher role and the SapimSubscriber role.

  3. Create role policies to grant access to the roles for the Publisher and the Store. For example:

    • Create a role policy that grants SapimPublisher to anyone who uses the Publisher.

    • Create a role policy that grants SapimSubscriber, NAM_OAUTH2_ADMIN, and NAM_OAUTH2_DEVELOPER to anyone who uses the Store.

  4. Inform users how to access the appmarks through the Access Manager user portal. The default URL is:

    https://dns-name-identity-server:8443/nidp/portal

Granting the roles listed in Step 3 to the API developers enables them to view and manage the Access Manager OAuth clients in the Store without giving them access to the Access Manager Administration Console. This allows the API developers to create and register the required OAuth clients for the APIs.