REST API Security

We would like to add some additional security to the REST API for our Jama instance as we work on functionally safe products. This will consist of authorising both the users and applications that can connect to the API individually.

The ideal would be for these to be features in Jama, including:
- API key for applications as part of their authentication
- Ability to control which users access each application
- Ability to control which projects an authorised application can access

I'd hope this can be considered as a feature for future development.

In the meantime, we may need to consider adding some sort of authenticated proxy to the REST endpoints. Is the jamabaseurl.com/rest/ location only used by the REST API?

If it is, we could look at locking access to any path starting with /rest/.

Thanks

------------------------------
Tim Kerby
Analog Devices
------------------------------
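The interim "authenticated proxy" idea from the post, written out as an added example; this is not configuration from the original post or from Jama, and it assumes an nginx reverse proxy terminating TLS in front of a Jama instance on 127.0.0.1:8080, an internal CA (placeholder path /etc/nginx/tls/app-ca.crt) that issues one client certificate per integrating application, and two placeholder source addresses from TEST-NET-1. It gates only request paths that begin with /rest/ and leaves the rest of the site untouched:

```nginx
# Added example, not from the original post or from Jama: an nginx reverse proxy
# placed in front of Jama that gates only request paths beginning with /rest/.
# Everything below is assumed for illustration: Jama listening on 127.0.0.1:8080,
# TLS terminated here, one client certificate issued per integrating application
# by an internal CA whose certificate is in /etc/nginx/tls/app-ca.crt.

server {
    listen 443 ssl;
    server_name jamabaseurl.com;                 # placeholder host from the post

    ssl_certificate        /etc/nginx/tls/jama.crt;   # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/jama.key;

    # Ask every client for a certificate but do not fail the handshake without
    # one, so ordinary browser users of the web UI are unaffected.
    ssl_client_certificate /etc/nginx/tls/app-ca.crt;
    ssl_verify_client      optional;

    # "^~" is a prefix match: it applies only when the path STARTS with /rest/
    # and tells nginx not to evaluate regex locations after it.
    location ^~ /rest/ {
        # Network allow-list for the hosts that run authorised applications
        # (addresses are documentation examples from TEST-NET-1).
        allow 192.0.2.10;        # build server
        allow 192.0.2.11;        # test-management integration
        deny  all;

        # Per-application identity: the request must carry a certificate signed
        # by the internal CA. The client's own Authorization header (Jama's
        # user credentials) is left untouched and still reaches Jama.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Record which application made the call, for the audit trail.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    # Web UI and everything else: passed through unchanged.
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two points to check before enforcing this. First, the question in the post (whether anything other than the REST API uses the /rest/ path) is not answered in the thread; review the web server access logs for /rest/ requests that carry a browser session rather than API credentials, because if the UI itself calls /rest/ the location block above would break it. Second, a proxy of this kind controls which application and which host may reach the API, but it cannot limit an application to particular projects without understanding Jama's API paths, so the per-project control in the list above still depends on the product feature being requested.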

Comments

  • Agreed that additional security on the REST API would be very beneficial.

    For our purpose, being able to define a project level permissions group which only has REST API access would go a long way to addressing our needs.  Similar to what already exists, but with an additional parameter for the REST API (so that the permissions group can have Read and REST to do read only via the API, Author and REST to do edits, Admin and REST to add Releases and similar activities).

    Potentially could be managed through the Admin Permissions screen:

    Mike

    ------------------------------
    A lot of people are afraid of heights. Not me, I'm afraid of widths. ~Steven Wright
    This is my signature; I hope you like it.