Data Masking configuration for API specific level permission is not working

anonymous · October 6, 2020, 12:08pm

Our administrator gave developers permission for data masking on organization level and on api level. However I still get 403 forbidden on the api level masking configuration. The organization level configuration is working.

I checked the permission reference sheet

https://docs.apigee.com/api-platform/system-administration/permissions#data-masks

It has the path

/applications/*/maskconfigs

It seems different from the API provided in the documentation

https://docs.apigee.com/api-platform/security/data-masking

which has the path

[https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs](https://api.enterprise.apigee.com/v1/o/{org_name}/apis/{api_name}/maskconfigs)

dchiesa1 · October 6, 2020, 2:41pm

Show the exact permissions you have on the role, please?

anonymous · October 6, 2020, 3:08pm

I’m one of the Developers. I’m not the admin. Is there a way to get my permissions? Anyway what he has given me is data-masks permissions for both organizational level and api level.

anonymous · October 7, 2020, 7:16am

I contacted him and he just said that he has given me access to everything related to data masks. Could this be a bug? knowing that permission reference has a different API than what is actually needed?

kurtkanaskie · October 9, 2020, 5:33pm

Hi @Ghassan Barghouti,

Firstly, the term applications in the resource permissions applies to apis in the Edge API URL, that’s a historical artifact.

Secondly, there appears to be an issue with maskconfigs and custom roles at the API Proxy level.

I created a custom role AllowMaskconfig and set the following permissions which did not work.

{
    "resourcePermission": [
        { "path": "/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/maskconfigs/*", "permissions": [ "get", "put", "delete" ] },
        { "path": "/applications/features-v1/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/applications/features-v1/maskconfigs/*", "permissions": [ "get", "put", "delete" ] }
    ]
}

Then, I tried this, which did work.

{
    "resourcePermission": [
        { "path": "/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/maskconfigs/*", "permissions": [ "get", "put", "delete" ] },
        { "path": "/*/features-v1/maskconfigs", "permissions": [ "get", "put" ] },
        { "path": "/*/features-v1/maskconfigs/*", "permissions": [ "get", "put", "delete" ] }
    ]
}

If you assign this role to a user in the built-in User role, that user will now be able to create maskconfigs at the proxy level just for the features-v1 proxy. And if you change that path element to *, they can create maskconfigs for all proxies.

You can prevent access using a DisallowMaskconfig role with these permissions.

{
    "resourcePermission": [
        { "path": "/maskconfigs", "permissions": [] },
        { "path": "/maskconfigs/*", "permissions": [] },
        { "path": "/*/*/maskconfigs", "permissions": [] },
        { "path": "/*/*/maskconfigs/*", "permissions": [] }
    ]
}

Always fun playing with custom roles!

anonymous · October 10, 2020, 6:59am

Thank you. I guess apigee team need to change that documentation since it is misleading. when /apis/*/maskconfigs were given as a permission it worked. /applications didn’t although it said in the documentation that this is what needs to be given to get access for mask configs.

Topic		Replies	Views
Not able to give access for creating Mask Configs - API Proxy Level to a custom role Apigee api-runtime	2	3	October 17, 2017
Custom role for datamasking issue Apigee api-runtime	0	3	February 13, 2021
Issue with datamask custom role permissions Apigee apigee-general	3	3	November 1, 2022

Data Masking configuration for API specific level permission is not working

AI Suggested topics