Sander Knijn

My feedback

  1. 9 votes
    3 comments  ·  API Management » Security

    We will introduce a new version of the management API that would “hide” secrets from “reader” users. We will also introduce an explicit gesture to disable older versions of the API on a per API Management service instance basis.

    Sander Knijn commented:

    I suggest Microsoft create a new role 'API Management Publisher Role - Read Only' and give it permissions similar to 'API Management Service Reader Role', but with a NotAction on Microsoft.ApiManagement/service/products/subscriptions/read.

    It's strange that these easy things are not part of the product.

    Sander Knijn commented:

    Created a support case for this: 120061224001636.

    Answer from Microsoft:

    We have engaged the APIM Product Group team in order to gain some deeper insights into the reported issue.
    They have provided an update that the ability to read subscription keys from products (an action which is defined as Microsoft.ApiManagement/service/products/subscriptions/read) is allowed by default for users having the 'API Management Service Reader Role'. Same is the case for navigating to the keys via APIs/Subscriptions.
    As suggested in the service request verbatim, you can create a custom RBAC role and remove this action.
    To answer your other query, the action Microsoft.ApiManagement/service/users/keys/read does not correspond to reading subscription keys. The two actions are completely different.
    Every user has two "secrets", a primary and a secondary. These secrets are used to generate an encrypted SSO token that users can use to access the developer portal. These keys are not related to the subscription keys that users use to call the APIs. The /service/users/keys/read permission corresponds to the ability to read the user secrets, whereas the /service/products/subscriptions/read permission corresponds to reading subscription keys under products, which is allowed by default under this role.
    Additionally, the Microsoft.ApiManagement/service/users/subscriptions/read permission corresponds to the ability to read subscriptions associated with users via the "Users" blade on the Portal, which is also allowed by default under this role.

    So... in short, you need to create your own custom role for this and will have to maintain it manually when new features are built. A built-in group is not available.
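    The custom role proposed in the first comment and confirmed by the Microsoft answer, as an added example that is not part of the original thread: the Actions list is my assumption of what the built-in 'API Management Service Reader Role' contains (confirm it with `az role definition list` before use), the role name is the one proposed above, the subscription id is a placeholder, and `role_allows` mirrors Azure's Actions/NotActions matching so you can check which actions the role still grants. NotActions only subtract from this role; a second role assignment on the same user can grant the action back, so check effective permissions, not just this definition.

```python
import json
import re

# Assumption: action list copied from the built-in reader role; confirm it against
# `az role definition list --name "API Management Service Reader Role"` before use.
BUILTIN_READER_ACTIONS = [
    "Microsoft.ApiManagement/service/*/read",
    "Microsoft.ApiManagement/service/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*",
]

# The two subscription-read actions the Microsoft answer names as allowed by default.
SUBSCRIPTION_READ_ACTIONS = [
    "Microsoft.ApiManagement/service/products/subscriptions/read",
    "Microsoft.ApiManagement/service/users/subscriptions/read",
]

def build_custom_role(subscription_id: str) -> dict:
    """Role definition in the JSON shape `az role definition create` accepts."""
    return {
        "Name": "API Management Publisher Role - Read Only",
        "IsCustom": True,
        "Description": "API Management reader without subscription key reads.",
        "Actions": BUILTIN_READER_ACTIONS,
        "NotActions": SUBSCRIPTION_READ_ACTIONS,
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def _matches(pattern: str, action: str) -> bool:
    # Azure wildcard: '*' matches any run of characters; comparison is case-insensitive.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_allows(role: dict, action: str) -> bool:
    """Allowed if some Actions pattern matches and no NotActions pattern does.
    NotActions only subtract from this role; another assigned role can grant them back."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role["NotActions"])
    return granted and not excluded

if __name__ == "__main__":
    role = build_custom_role("00000000-0000-0000-0000-000000000000")  # placeholder id
    print(json.dumps(role, indent=2))
    for act in ["Microsoft.ApiManagement/service/apis/read"] + SUBSCRIPTION_READ_ACTIONS:
        print(f"{act}: {'allowed' if role_allows(role, act) else 'blocked'}")
```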

    Sander Knijn supported this idea  · 
  2. 455 votes
    under review  ·  11 comments  ·  API Management » Service management
    Sander Knijn commented:

    This comment is from Microsoft:

    There are a few changes the APIM team is looking at:
    1st is to move to System.Text.Json.
    2nd is to add the Schema validation functionality into System.Text.Json.

    Unfortunately there is no timeline (https://github.com/dotnet/runtime/issues/29887) on this as the Json Schema validation specifications are still in draft.

    Sander Knijn supported this idea  · 
  3. 21 votes
    under review  ·  0 comments  ·  API Management » Policies
    Sander Knijn supported this idea  · 