How do I restrict access to the Cherwell API/Web Service to non-Admin Users?
I want to ensure that Users aren't attempting to go around our admins to create/update business objects like Incident. We are on CSM version 9.1.1.
I'm not aware of a way to restrict access to this.
However, you may see who's logging into which modules in the Audit Log section of the Security page in the Administrator tool, which would allow you to view who's signing into the specific application for the API.
You could also possibly turn the relevant table into a view that Cherwell could consume as an external business object where you only show a list of users signing into restricted applications like the API.
I'd recommend making an internal policy somewhere that makes it known that users aren't allowed to be signing into the API to bypass the security measures in the tool, and that this would be unauthorized access etc.
The sign-ins are logged, including the module they're signing into, so you would at least be able to find and penalize the individuals that were doing so if needed.
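As an added example, not code from the thread or from Cherwell: the audit-log approach above can be turned into a simple check that flags accounts signing into the API modules without being on an approved list. The CSV column names (timestamp, user, module, event) and the module labels "REST API" and "Web Service" are assumptions for illustration, and the log lines are constructed; a real export from the Administrator tool's Security > Audit Log page may use different headers and labels, so adjust the constants to match.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an audit-log export. The column names and module labels
# are ASSUMPTIONS for illustration, not Cherwell's documented format.
SAMPLE_AUDIT_LOG = """\
timestamp,user,module,event
2017-03-01T08:02:11,jdoe,CSM Desktop Client,Login
2017-03-01T08:05:43,asmith,REST API,Login
2017-03-01T09:15:02,jdoe,Browser Client,Login
2017-03-01T09:20:17,asmith,REST API,Login
2017-03-01T10:41:55,bwayne,Web Service,Login
2017-03-01T11:02:09,svc_integration,REST API,Login
2017-03-01T11:30:44,asmith,REST API,Logout
"""

# Module labels that mean "came in through the API" (assumed labels).
API_MODULES = {"REST API", "Web Service"}

# Accounts that are allowed to use the API, e.g. a sanctioned integration
# service account (constructed name).
AUTHORIZED_API_ACCOUNTS = {"svc_integration"}


def parse_audit_log(text):
    """Parse a CSV audit-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unauthorized_api_logins(rows, api_modules=API_MODULES,
                                 authorized=AUTHORIZED_API_ACCOUNTS):
    """Return {user: [timestamps]} for Login events into an API module by
    any account that is not on the authorized list."""
    hits = defaultdict(list)
    for row in rows:
        if row["event"] != "Login":
            continue                      # only sign-ins are of interest
        if row["module"] not in api_modules:
            continue                      # desktop/browser clients are fine
        if row["user"] in authorized:
            continue                      # sanctioned integration account
        hits[row["user"]].append(row["timestamp"])
    return dict(hits)


def summarize(hits):
    """Produce one report line per flagged user, most frequent first."""
    ordered = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{user}: {len(times)} API sign-in(s), first at {times[0]}"
            for user, times in ordered]


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_AUDIT_LOG)
    for line in summarize(find_unauthorized_api_logins(rows)):
        print(line)
```

Run on a periodic export, the report gives the list of accounts to follow up on under the internal policy Doug describes; if the audit table is exposed as a view for an external business object, the same filter (event is a login, module is an API module, user not on the approved list) is the one to put in that view's WHERE clause.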
Bruce, there is one security setting that I know of that can completely block users from accessing the API/Web Services, and it is controlled by Security Group. See screenshot below. Also, there is mention of this in the documentation as needing to be enabled if you are unable to access the resource. https://cherwellsupport.com/WebHelp/csm/en/9.2/content/suite_features/one-steps/web_service_good_to_know.html I hope this helps.
I believe the question is about sending API requests *into* Cherwell from an external source, not sending API requests from Cherwell to an external server / application.
While there's a scenario where someone may utilize a one-step action to connect to Cherwell's API using a web service call, the solution suggested here doesn't prevent their user account from *authenticating* into Cherwell via Cherwell's API using a request sent from outside of Cherwell into Cherwell's API.
The concern seems to be that someone will send an API command from an external system into Cherwell's REST or SOAP API to create a business object or update it in a way that they could not within the tool.
The solution of turning off someone's access to execute one-step actions related to outbound web service calls does not, as currently defined, prevent them from signing into Cherwell via a separate application sending API calls into Cherwell (which is not necessarily done via a one-step, because it can be done from outside of Cherwell by an external app sending the request(s)) and attempting to create records like Incidents or update them via Cherwell's API.
I'd love for Bruce to weigh in on this. Hopefully he can tell us if some of what the two of us have provided clarifies his issue and/or the solution. M@
Yes, Doug's take on this is correct. I'm sorry I didn't make that more clear initially.
I'm trying to prohibit users from using an external connection to send API requests into our on-prem instance of Cherwell. I was recently made aware this was happening when one of our users was asking me a question and he let it be known that he was using PowerShell to connect to the Cherwell API. He didn't get too far because he was only getting GUIDs back, which prompted his question. If there's no way to restrict that sort of access, I'll have to go with Doug's recommendation to get a policy crafted and published.
Thank you both for the replies!