API Keys
Goals/Scope
We need a way for an Administrator to create a special type of User which:
- is for a system such as ColdTrace to use our API
- doesn’t have a password (uses system generated web token)
- ability to generate new API Key
- has basic permissions which are essentially Administrator type privileges to things like: Admin CCE, Admin Requisition etc.
We want to leverage our existing RBAC as much as possible for this. The screens however will have some significant differences from our current person-oriented screens.
Background
Assumptions
User Stories
| # | Title | User Story | Label | Importance | Jira ticket |
|---|---|---|---|---|---|
| 1 | Manage API keys | As an administrator I need to manage API keys so that an external partner can access OpenLMIS. Acceptance Criteria:
| Must Have |
| |
| 2 | Manage multiple partners' API keys | As an administrator I want to assign API keys to different external partners who access OpenLMIS. Acceptance Criteria:
| Nice to Have |
Diagrams
Dependencies
| Description | Link |
|---|---|
Open Questions
Below is a list of questions to be addressed as a result of this requirements document:
| # | Question | Outcome | Status |
|---|---|---|---|
| 1 | Should this process support the admin setting up a username for any new system that requests access? | ||
| 2 | What types of permissions will be included in this service account? Are there multiple types or levels of service accounts that we need? Do we need new permissions? Are new permissions being created for Fulfillment (that would be dependencies to completing this feature)? Are we only allowing viewing or does this service account need edit permissions also? | ||
| 3 | Is there a logging or auditing process that we will use to track requests from this service account, or any of these types of service accounts that the administrator creates? | ||
| 4 |
Out of Scope
- Automated notification to external partner that their API Key has been changed
OpenLMIS: the global initiative for powerful LMIS software