Introduction: This document describes how to give different consumers different permissions on the operations of the same API proxy in SAP API Management, using a KVM and a JavaScript policy.
First, the standard way to restrict the operations available to a consumer.
Let’s take the Business Partner API of S/4HANA as an example.
Now, if another consumer needs access to the Business Partner API with a different combination of resources and operations, the above process (steps 1 to 5) has to be repeated.
So every combination of resources and operations ends up with its own API proxy and its own product, all pointing to the same API in the back end. (See the picture below.)
The other approach is a custom one: a single API proxy exposes all combinations of resources and operations, and the permission for each operation+resource combination is managed with a KVM and a JavaScript policy. (See the picture below.)
Here I am going to use an approach similar to the one in my earlier blog.
Benefits to go with this approach
Here I am going to add policies to the same API proxy I used in my earlier blog, which explains a custom way to manage IP addresses and IP address ranges.
Before going further, let me create a KVM called “APIPermission” and store the allowed operation+resource combinations of one consumer in it, where the key is the consumer name and the value is the list of allowed combinations.
Format of a combination: Operation/Resource
Example: GET/data, where GET is the operation and “data” is the resource of the API.
For multiple combinations, separate each combination with “,”.
Example: GET/data,DELETE/data
Let me explain with the help of the picture below what exactly I am going to do here.
In the above picture:
Let’s open the policy editor.
I have already explained the first four policies, so let’s start with the fifth one.
2. “GetPermission” is a KVM Operation policy which reads the APIPermission KVM using “verifyapikey.VAPIK.DisplayName” as the key and assigns the value found for that key to the variable “var.Permission”.
4. “VerifyAPIPermission” is a JavaScript policy which refers to the script “VerifyAPIPermissions.js”. The script takes the operation and the resource path from the request and looks for the combination in var.Permission; if it is found, the property “javascript.VerifyAPIPermission.failed” is set to false, otherwise it is set to true.
Code: VerifyAPIPermissions.js

```javascript
// VerifyAPIPermissions.js
var reqResource = context.getVariable("proxy.pathsuffix"); // e.g. "/data/123"
var httpverb = context.getVariable("request.verb");       // e.g. "GET"
// Value read from the APIPermission KVM by the GetPermission policy,
// e.g. "GET/data,DELETE/data" (the variable name matches the policy description above)
var permission = context.getVariable("var.Permission");

// Keep only the first path segment, so "/data/123" becomes "/data"
var index = reqResource.substring(1).indexOf("/");
var resource = "";
if (index == -1)
    resource = httpverb + reqResource;
else
    resource = httpverb + reqResource.substring(0, index + 1);

// Compare against each comma-separated entry exactly: a substring test would
// accept GET/data when only GET/datasets is allowed, and permission is null
// when the consumer has no entry in the KVM, which must also be rejected
var allowed = false;
if (permission) {
    var entries = permission.split(",");
    for (var i = 0; i < entries.length; i++) {
        if (entries[i].trim() === resource) { allowed = true; break; }
    }
}
if (!allowed) throw "No permission";
```
5. “RFNoPermission” is a Raise Fault policy which executes when “javascript.VerifyAPIPermission.failed” is equal to true, meaning the JavaScript policy failed because the consumer has no permission.
The condition string is “javascript.VerifyAPIPermission.failed equals true”.
Write any custom message in the payload, such as “No permission for requested operation or resource”.
6. Update the policy, save the proxy changes and deploy it.
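To see how the permission check behaves on different requests without deploying a proxy, here is the same logic as plain functions. This is an added example, not the blog's policy code; the function names (checkApiPermission, makeContext, runPolicy) are my own, the permission strings use the page's "Operation/Resource" format separated by ",", and the context object is a constructed stand-in for the policy's real one.

```javascript
"use strict";

// First path segment of proxy.pathsuffix: "/data/123" -> "/data", "/data" -> "/data".
function firstSegment(pathSuffix) {
  if (!pathSuffix) return "";
  var idx = pathSuffix.substring(1).indexOf("/");
  return idx === -1 ? pathSuffix : pathSuffix.substring(0, idx + 1);
}

// Trim an entry and upper-case only its verb; the resource keeps its case
// because URL paths are case-sensitive.
function normalizeEntry(entry) {
  var t = entry.trim();
  var i = t.indexOf("/");
  return i === -1 ? t.toUpperCase() : t.substring(0, i).toUpperCase() + t.substring(i);
}

// Parse the KVM value into entries. A missing key (null) yields no permissions,
// so the check fails closed instead of throwing a TypeError.
function parsePermissions(kvmValue) {
  if (typeof kvmValue !== "string") return [];
  return kvmValue.split(",").map(normalizeEntry).filter(function (e) { return e.length > 0; });
}

// Exact match of VERB + first segment. A substring test such as
// permission.includes("GET/data") would also pass when only "GET/datasets" is allowed.
function checkApiPermission(verb, pathSuffix, kvmValue) {
  var wanted = String(verb).toUpperCase() + firstSegment(pathSuffix);
  return parsePermissions(kvmValue).indexOf(wanted) !== -1;
}

// Stand-in for the policy's context object, fed with constructed flow variables.
function makeContext(vars) {
  return { getVariable: function (name) { return vars.hasOwnProperty(name) ? vars[name] : null; } };
}

// Mirrors the policy body: throwing is what makes the proxy set
// javascript.<policy>.failed to true, which RFNoPermission then checks.
function runPolicy(context) {
  var ok = checkApiPermission(context.getVariable("request.verb"),
                              context.getVariable("proxy.pathsuffix"),
                              context.getVariable("var.Permission"));
  if (!ok) throw new Error("No permission");
  return ok;
}
```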
Let’s do some positive and negative testing.
Positive testing: the API response is returned because GET permission on the “data” resource is configured in the KVM.
Negative testing: the Raise Fault response is returned because PUT permission on the “data” resource is not configured in the KVM.
Conclusion: This document explained how to use the KVM policy, how to configure API permissions in a KVM and how to read them at run time.