Comment: https://support.wso2.com/jira/browse/WSODOCINTERNAL-328

Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.

...

  • Public: The API is visible to all users, both registered and anonymous (users who browse APIs without logging in), and can be advertised in multiple stores (central and non-WSO2 stores).
  • Restricted by Roles: The API is visible only within its tenant domain and only to the user roles that you specify. Provide the roles as a comma-separated list in the UI, or as the roles parameter when creating or editing the API through the REST API (for example, with curl).

  • Visible to my domain: The API is visible to all users who are registered to the API's tenant domain. This option is available only in a multi-tenanted environment. It's not applicable when there is only one active tenant (super tenant) in the system.

...

  • API creator and publisher roles can see all APIs in their tenant store even if you restrict access to them. This is because those roles have permission to view and edit all APIs in the API Publisher, and therefore do not need to be restricted in the Store.
  • Anonymous users can only see APIs whose visibility is Public.
  • Registered users can see
    • public APIs of all tenant domains
    • all APIs in the registered user's own tenant domain, except APIs restricted to roles that the user does not hold
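The rules above are easy to get subtly wrong (a role check that ignores the tenant boundary, or a tenant check that forgets the creator/publisher exception). The following is an added example, not WSO2 code, that models those Store visibility rules as a single decision function and runs it over a constructed set of APIs and users. The API names, tenant domains, and the role names "creator" and "publisher" are assumptions for illustration; the visibility values and the comma-separated roles parameter are the ones the text describes.

```python
# Added example (not WSO2 code): a model of the API Store visibility rules.
# Tenant names, API names and the role labels in PRIVILEGED_ROLES are assumed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PUBLIC, PRIVATE, RESTRICTED = "public", "private", "restricted"  # REST API values
PRIVILEGED_ROLES = frozenset({"creator", "publisher"})          # assumed role names


@dataclass(frozen=True)
class Api:
    name: str
    tenant: str
    visibility: str                      # public | private | restricted
    roles: FrozenSet[str] = frozenset()  # only meaningful when restricted


@dataclass(frozen=True)
class User:
    tenant: Optional[str] = None         # None models an anonymous Store visitor
    roles: FrozenSet[str] = frozenset()

    @property
    def anonymous(self) -> bool:
        return self.tenant is None


def parse_roles(param: str) -> FrozenSet[str]:
    """Parse the comma-separated roles value as sent to the REST API."""
    return frozenset(r.strip() for r in param.split(",") if r.strip())


def can_see(user: User, api: Api) -> bool:
    """Apply the Store rules in order: public, tenant boundary, privileged roles, role match."""
    if api.visibility == PUBLIC:
        return True                      # public APIs are visible to everyone, every tenant
    if user.anonymous or user.tenant != api.tenant:
        return False                     # non-public APIs never cross the tenant boundary
    if user.roles & PRIVILEGED_ROLES:
        return True                      # creators/publishers see every API in their tenant
    if api.visibility == PRIVATE:
        return True                      # "Visible to my domain": same tenant is enough
    if api.visibility == RESTRICTED:
        return bool(user.roles & api.roles)  # needs at least one of the listed roles
    raise ValueError(f"unknown visibility {api.visibility!r}")


def visible_apis(user: User, apis: List[Api]) -> List[str]:
    return [a.name for a in apis if can_see(user, a)]


# Constructed sample data: two tenants, one API per visibility level.
SAMPLE_APIS = [
    Api("Weather", "carbon.super", PUBLIC),
    Api("Payroll", "acme.com", PRIVATE),
    Api("Ledger", "acme.com", RESTRICTED, parse_roles("finance, audit")),
]

if __name__ == "__main__":
    for label, user in [
        ("anonymous", User()),
        ("acme employee", User("acme.com", frozenset({"employee"}))),
        ("acme auditor", User("acme.com", frozenset({"audit"}))),
        ("other-tenant auditor", User("other.com", frozenset({"audit"}))),
        ("acme publisher", User("acme.com", frozenset({"publisher"}))),
    ]:
        print(f"{label:22} -> {visible_apis(user, SAMPLE_APIS)}")
```

Note that the tenant check runs before the role check: a user in another tenant who happens to hold a role named "audit" still sees only the public API.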


When using the REST API directly, the visibility values you can specify are public, private and restricted. They correspond to the visibility options in the UI as follows:

  Visibility level in the UI      Visibility level in the REST API
  Public                          visibility=public
  Visible to my domain            visibility=private
  Restricted by roles             visibility=restricted&roles=role1,role2,role3

Subscription availability

...

Cross-origin resource sharing  ( CORS ) is a mechanism that allows restricted resources (e.g., fonts, JavaScript) of a Web page to be requested from another domain outside the domain from which the resource originated.

The Swagger API Console that is integrated into the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Browsers apply the same-origin policy to those calls, so if the API Store and the Gateway are served from different origins (for example, different ports on the same host), enable CORS between them.
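To make concrete what "enabling CORS" has to do on the Gateway side, here is an added example that is not the WSO2 CORSRequestHandler and does not reproduce its configuration: a small Python model of the checks a gateway CORS handler performs for a browser call from the Store origin, covering both the preflight (OPTIONS) and the actual request. The allowlisted origins, methods and header names are constructed sample values.

```python
# Added example (not WSO2 code): model of gateway-side CORS handling for
# Store -> Gateway calls. Origins, methods and header names are assumed.
from typing import Dict, Tuple

STORE_ORIGINS = {"https://localhost:9443", "https://store.example.com"}  # assumed allowlist
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}
ALLOWED_HEADERS = {"authorization", "content-type"}  # compared case-insensitively


def cors_headers(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for the CORS part of a request.

    status 0   -> not a cross-origin request: pass through to the API unchanged
    status 204 -> preflight answered here, request must not reach the API
    status 403 -> origin, method or header not allowed
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 0, {}  # same-origin or non-browser client: nothing to do

    # Exact match only. A prefix or substring check would also accept
    # https://store.example.com.evil.net or https://store.example.com@evil.net.
    if origin not in STORE_ORIGINS:
        return 403, {}

    out = {
        # Echo the matched origin; "*" is not allowed when credentials are used.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the answer depends on Origin, so one origin's response
        # is never served to another.
        "Vary": "Origin",
    }

    if method == "OPTIONS" and "access-control-request-method" in h:
        req_method = h["access-control-request-method"].upper()
        req_headers = {
            x.strip().lower()
            for x in h.get("access-control-request-headers", "").split(",")
            if x.strip()
        }
        if req_method not in ALLOWED_METHODS or not req_headers <= ALLOWED_HEADERS:
            return 403, {}
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        out["Access-Control-Max-Age"] = "600"
        return 204, out

    # Actual request: forward to the API and attach these headers to its response.
    return 0, out


if __name__ == "__main__":
    preflight = {
        "Origin": "https://localhost:9443",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Authorization, Content-Type",
    }
    print(cors_headers("OPTIONS", preflight))
    print(cors_headers("GET", {"Origin": "https://store.example.com.evil.net"}))
```

The two points worth carrying over to any real configuration are the exact-match origin comparison and the Vary: Origin header; a handler that reflects whatever Origin it receives turns the Gateway into an open endpoint for any site the user visits while holding a valid token.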

...

```xml
<handlers>
   <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/>
</handlers>
```

...

OAuth scopes

Scopes enable fine-grained access control to API resources based on user roles. You define scopes for an API's resources. When a user invokes the API, the OAuth 2 bearer token presented cannot grant access to any API resource beyond the scopes associated with that token.
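The paragraph describes two separate checks, one at token issuance (which scopes a user can obtain at all, given their roles) and one at invocation (whether the token's scopes cover the resource). The following is an added example, not WSO2 code, that models both in Python over constructed data; the scope keys, role bindings, resource paths and user names are assumptions for illustration.

```python
# Added example (not WSO2 code): scope-bound access control in two steps,
# issuance (roles -> grantable scopes) and invocation (token scopes -> resource).
# Scope keys, role bindings, resource paths and users are assumed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# scope key -> roles allowed to obtain that scope (assumed bindings)
SCOPE_ROLES: Dict[str, FrozenSet[str]] = {
    "order:read": frozenset({"customer", "clerk"}),
    "order:write": frozenset({"clerk"}),
}

# (HTTP method, resource) -> scope required to invoke it (assumed)
RESOURCE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/orders"): "order:read",
    ("POST", "/orders"): "order:write",
}


@dataclass(frozen=True)
class Token:
    user: str
    scopes: FrozenSet[str]


def issue_token(user: str, user_roles: Set[str], requested: Set[str]) -> Token:
    """Grant only the requested scopes that one of the user's roles is bound to.

    Unknown scopes and scopes bound to roles the user lacks are dropped rather
    than rejected, so the client must inspect the returned scopes.
    """
    granted = {s for s in requested if user_roles & SCOPE_ROLES.get(s, frozenset())}
    return Token(user, frozenset(granted))


def required_scope(method: str, resource: str) -> Optional[str]:
    return RESOURCE_SCOPES.get((method.upper(), resource))


def authorize(token: Token, method: str, resource: str) -> bool:
    """Invocation-time check: the token must carry the resource's scope."""
    required = required_scope(method, resource)
    if required is None:
        return True  # in this model an unscoped resource needs only a valid token
    return required in token.scopes


if __name__ == "__main__":
    alice = issue_token("alice", {"customer"}, {"order:read", "order:write"})
    print(alice)  # order:write is dropped: no customer role is bound to it
    for m, r in [("GET", "/orders"), ("POST", "/orders")]:
        print(f"alice {m} {r}: {authorize(alice, m, r)}")
```

The asymmetry is the important part: a client may ask for any scope it likes, but the token it receives is narrowed by the user's roles, and the Gateway then trusts only what is in the token, never what was requested.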

...