Granular Access Control by Route and Content in Apigee - Best Practices

Hi everyone,

I’m implementing granular access control in Apigee and need to restrict access to specific API routes based on the user or request content.

For example:

  • Route /products: Accessible only to User A
  • Route /clients: Accessible to User A and B
  • Route /orders: Accessible to all authenticated users

Questions:

  1. What is Apigee’s recommended approach for implementing granular access control per route or based on content (JSON/XML payload)?
  2. Is there any native policy in Apigee that supports this type of restriction, or should it be implemented using a JavaScript or custom policy?
  3. How do companies typically handle this type of requirement in Apigee in enterprise environments?

Thanks.

Hello @Guilherme_Henrique1 ,

How are you currently implementing authentication/authorization to your service set - is it API key based, token based, etc?

I would recommend something along the lines of the following:

  • For user-specific access control, you should be able to verify a key/token/etc which logically links to a developer (via custom attributes, API Product, claims, etc). If the user does not have the proper toggle/scope/etc (can be conditionalized in Apigee) you can deny the call
  • Content would be a bit different - typically you would use an extract variable policy (i.e. parse the message) and perform a condition based on the information in the JSON/XML payload. Token-based access control would be preferred, but we can still support either as needed

Hope this helps!

2 Likes

Hello,

Thanks for the clarification!

Currently, I’m using Basic Authentication + an API Key (token) to authorize all requests to the Apigee proxy. Without this token, no request is allowed to pass through.

How can I identify which user is making the request for this content?
Is there any basic example or reference that demonstrates how to implement this kind of control?

For example, to capture the fields of JSON objects by user:

Thanks again for your help!

Hey @Guilherme_Henrique1,

Within the VerifyAPIKey context (see more here: VerifyAPIKey policy | Apigee | Google Cloud) a set of flow variables is defined which logically links to a developer (via ID, email, etc.).

Through those flow variables noted, you can easily conditionalize/error out invalid requests.

Let me know if this helps!

1 Like
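Putting the two answers above (verify the key, then branch per route on the developer that the key resolves to, and parse the body with ExtractVariables when the decision depends on content) into concrete proxy configuration, here is an added example that is not from this thread and not from Apigee's documentation. It uses the three routes from the question, the standard `verifyapikey.{policy_name}.developer.email` flow variable that the VerifyAPIKey policy populates, and an ExtractVariables step feeding a step-level Condition. The policy names, the base path, the `x-api-key` header, the two developer e-mail addresses, the `$.amount` JSON field and the 1000 threshold are all assumptions chosen for illustration.

```xml
<!-- Added example, not from the thread or Apigee's docs. Policy names, header,
     e-mail addresses, JSON field and threshold are assumptions for illustration. -->

<!-- policies/Verify-API-Key.xml: rejects missing/invalid keys and, on success,
     populates verifyapikey.Verify-API-Key.* (developer.email, developer.id, ...) -->
<VerifyAPIKey name="Verify-API-Key">
  <APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>

<!-- policies/Extract-Order-Amount.xml: parses the JSON body so a Condition can
     reference req.amount (assumed field, typed so numeric comparison works) -->
<ExtractVariables name="Extract-Order-Amount">
  <Source>request</Source>
  <VariablePrefix>req</VariablePrefix>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <JSONPayload>
    <Variable name="amount" type="integer">
      <JSONPath>$.amount</JSONPath>
    </Variable>
  </JSONPayload>
</ExtractVariables>

<!-- policies/Raise-Forbidden.xml: one denial response reused by every route -->
<RaiseFault name="Raise-Forbidden">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json">{"error":"forbidden"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- proxies/default.xml: the per-route rules live in conditional flows -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Every request must carry a valid key before any route is evaluated -->
      <Step><Name>Verify-API-Key</Name></Step>
    </Request>
    <Response/>
  </PreFlow>

  <Flows>
    <!-- /products: only User A (assumed address) -->
    <Flow name="products">
      <Condition>proxy.pathsuffix MatchesPath "/products"</Condition>
      <Request>
        <Step>
          <Condition>verifyapikey.Verify-API-Key.developer.email != "user-a@example.com"</Condition>
          <Name>Raise-Forbidden</Name>
        </Step>
      </Request>
      <Response/>
    </Flow>

    <!-- /clients: User A or User B -->
    <Flow name="clients">
      <Condition>proxy.pathsuffix MatchesPath "/clients"</Condition>
      <Request>
        <Step>
          <Condition>(verifyapikey.Verify-API-Key.developer.email != "user-a@example.com") and (verifyapikey.Verify-API-Key.developer.email != "user-b@example.com")</Condition>
          <Name>Raise-Forbidden</Name>
        </Step>
      </Request>
      <Response/>
    </Flow>

    <!-- /orders: any authenticated caller; the content-based rule (assumed for
         illustration) additionally restricts large orders to User A -->
    <Flow name="orders">
      <Condition>(proxy.pathsuffix MatchesPath "/orders") and (request.verb = "POST")</Condition>
      <Request>
        <Step><Name>Extract-Order-Amount</Name></Step>
        <Step>
          <Condition>(req.amount > 1000) and (verifyapikey.Verify-API-Key.developer.email != "user-a@example.com")</Condition>
          <Name>Raise-Forbidden</Name>
        </Step>
      </Request>
      <Response/>
    </Flow>
  </Flows>

  <HTTPProxyConnection>
    <BasePath>/v1/shop</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

The flow-level Condition only selects which route's steps run; the step-level Condition on each Raise-Forbidden step is what actually denies the call, so an unmatched route falls through to the target untouched and a matched route is denied only when its rule is false for the resolved developer. Because VerifyAPIKey sits in the PreFlow, an invalid or absent key is rejected before any route logic executes, and the `verifyapikey.*` variables can be inspected in the proxy trace to confirm which developer a given key resolved to.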