API Keys

Owned by Sam Im (Deactivated)
Last updated: Nov 20, 2017
2 min read
Target release
Epic
Document status
DRAFT
Document owner
Sam Im (Deactivated)
Technical LeadJosh Zamor

Goals/Scope

We need a way for an Administrator to create a special type of User which:

  • is for a system such as ColdTrace to use our API
  • doesn’t have a password (uses system generated web token)
  • ability to generate new API Key 
  • has basic permissions which are essentially Administrator type privileges to things like: Admin CCE, Admin Requisition etc.

We want to leverage our existing RBAC as much as possible for this. The screens however will have some significant differences from our current person-oriented screens.

Background

Assumptions

User Stories

#TitleUser StoryLabelImportanceJira ticket
1Manage API keysAs an administrator I need to manage API keys so that an external partner can access OpenLMIS.


Acceptance Criteria:

  1. Generate new API keys
  2. View history of API keys
  3. Remove/delete API keys (these are made inactive)

Must Have
2Manage multiple partners' API keys

As an administrator I want to assign API keys to different external partners who access OpenLMIS.

Acceptance Criteria:

  1. Partners are identified with a name in the API Key table (different partners have different API Keys depending on their access).

Nice to Have

Diagrams


Dependencies

DescriptionLink


Open Questions

Below is a list of questions to be addressed as a result of this requirements document:

#QuestionOutcomeStatus
1Should this process support the admin setting up a username for any new system that requests access? 
2What types of permissions will be included in this service account? Are there multiple types or levels of service accounts that we need? Do we need new permissions? Are new permissions being created for Fulfillment (that would be dependencies to completing this feature)? Are we only allowing viewing or does this service account need edit permissions also?

3Is there a logging or auditing process that we will use to track requests from this service account, or any of these types of service accounts that the administrator creates?

4


Out of Scope

  • Automated notification to external partner that their API Key has been changed

OpenLMIS: the global initiative for powerful LMIS software