4.2 Configuring the Access Manager Scopes and Roles Usage in Secure API Manager

By default, Secure API Manager creates a scope named APIManagerScope. You include the scope name in the Authorization Code grant type that the OAuth clients use to call the API. The OAuth2 protocol refers to any application or service that calls the API as a client.

Proceed with the following section if you need to create a different scope. Otherwise, proceed to Restricting Access to APIs with Access Manager Scopes and Roles in the Publisher.

4.2.1 Creating an Attribute Map in Access Manager for Secure API Manager

You create an attribute map to control access to the APIs that are available in the Store. The attribute map allows the Secure API Manager token validator to read the Access Manager user's roles, so that it can verify that the user holds the roles required to access an API or specific API endpoints.

To create an attribute map in Access Manager:

  1. From the Access Manager Dashboard, click Devices, then select Identity Servers.

  2. Click the Shared Settings tab.

  3. Click New to create a new attribute map.

  4. Specify a unique name that you can remember and that you associate with Secure API Manager, such as ForSAPIMAllUserRoles.

  5. Click Finish.

  6. Select Support WSTrust and Oauth, then click Next at the end of the page.

  7. Click New to add an attribute definition to the map.

  8. Select Local attribute, then select All Roles.

  9. Click OK to save the attribute map entry, then click Finish to complete the creation of the attribute map.

4.2.2 Creating a Scope for One or More APIs in Access Manager

You create a scope for one or more APIs or API endpoints that you want to protect with Access Manager. You can use the same scope for multiple APIs or for specific API endpoints that cross multiple APIs in Secure API Manager.

  1. From the Dashboard in Access Manager, click the Identity Server cluster you associated with the API Gateway cluster.

  2. Click the OAuth and OpenID Connect tab.

  3. On the menu, click Resource Servers.

  4. Create a new resource server for the APIs or API endpoints as follows:

    a. Click New.

    b. Specify a name for the resource server that represents the APIs or API endpoints so that it is easy to remember.

    c. Click Finish to create the new resource server.

    d. Repeat Step 4.a through Step 4.c for each additional resource server you need for the APIs or API endpoints you want to protect.

  5. Add a scope to each resource server for the APIs or API endpoints as follows:

    a. On the Resource Server page, click the name of the appropriate resource server.

    b. Click Scopes.

    c. Click New.

    d. Specify a scope name and description. Ensure that you use something that represents the APIs or API endpoints.

    e. Click User Attributes, then select the Require user permission option. Ensure that you select this option, otherwise the integration fails.

    f. Click Next at the end of the page.

    g. On the Step 2 page, select the attribute map you created in Step 4 of Creating an Attribute Map in Access Manager for Secure API Manager.

    h. Click Finish at the end of the page.

    i. Repeat Step 5.a through Step 5.h for each scope that you need to create for each resource server.

  6. Update the Identity Server cluster with the new resource servers and scopes as follows:

    a. From the Dashboard, click Devices > Identity Servers.

    b. In the Status column, click Update All.

    c. Click OK.

  7. Update Secure API Manager so that the new roles and scopes appear in it, as follows:

    a. From the Access Manager Dashboard, click the appropriate API Gateway cluster.

    b. Click Actions > Update All.

  8. (Optional) Create any role policies that might be required for API access. The set of roles that the API developers see in the Publisher comes from the list of all configured role policies in Access Manager.
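As an added illustration of what this configuration enables, the following Python models the two checks described above: the client's Authorization Code request carrying the scope, and the token validator's decision based on the scope and the roles exposed through the attribute map. This is example code written for this page, not Secure API Manager's own implementation; the endpoint URL, client id, scope name OrdersScope and role names are constructed, and the rule that one matching role suffices is an assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Scope that Secure API Manager creates by default (named on this page).
DEFAULT_SCOPE = "APIManagerScope"


def build_authorization_request(authz_endpoint, client_id, redirect_uri, state,
                                scope=DEFAULT_SCOPE):
    """Build the Authorization Code request URL that carries the scope.

    authz_endpoint, client_id and redirect_uri are caller-supplied placeholders
    for your own Identity Server and registered OAuth client.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # anti-CSRF value the client must verify on return
    }
    return f"{authz_endpoint}?{urlencode(params)}"


@dataclass(frozen=True)
class ProtectedEndpoint:
    path: str                   # API endpoint pattern, constructed sample
    scope: str                  # scope created for this API or endpoint
    required_roles: frozenset   # Access Manager roles allowed to call it


def is_access_allowed(endpoint, granted_scopes, user_roles):
    """Model of the validator's decision for one request.

    Assumption: holding any one of the required roles is enough.
    user_roles is None when the token carries no roles attribute (for example
    because no attribute map was attached to the scope); that case is denied,
    so a missing attribute map fails closed rather than open.
    """
    if endpoint.scope not in granted_scopes:
        return False
    if user_roles is None:
        return False
    return bool(endpoint.required_roles & set(user_roles))
```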