RQM v4.0.2 How To Restrict The Use Of API To Prevent Misuse?


Li Chen (11923742) | asked Feb 04 '14, 3:56 p.m.

Our users are allowed to run reports or load artifacts using the utilities written by our team (RQM Admin Team). But some end users with a programming background wrote their own scripts that call the API; they pulled and uploaded, and this becomes a big risk for us as they can delete, they can consume a lot of resources, etc.

What should we do to prevent users from running their own scripts? Or what should we do to prevent users from accessing the database directly (not using the RQM user interface)?

One answer



Vidya Malkarnekar (1.0k15) | answered Feb 05 '14, 9:52 a.m.
JAZZ DEVELOPER
Hi Li,

You can restrict API POST/PUT calls using the XML Import permission at project level.
For more information, check out https://jazz.net/wiki/bin/view/Main/RqmApi#Permissions
XML Export is supposed to control GET calls, but it looks like there is an existing defect with that permission not being honored currently.

-Vidya

Comments
Li Chen commented Feb 05 '14, 10:08 a.m.

Thanks Vidya,

If I do not allow a user to upload test cases via the API, that means he can't upload even if he uses the scripts written by me, right? If this is the case, this is not what I want.

Some users have been writing/testing/debugging their own scripts on production without letting us know. This is a big risk for us. I once wrote a script to delete a user, but when I tested it I deleted all users. Luckily I knew how to get them back, but not every user knows how to recover from their mistake. Currently we only know they are doing things like that when they approach us and tell us they encountered a problem and need us to help out, and every time this has happened, we have been shocked because of the risk.


Vidya Malkarnekar commented Feb 05 '14, 12:03 p.m.
JAZZ DEVELOPER

Right, the users won't be able to update artifacts using API calls in any script with their user ID if they do not have the XML Import permission. I misunderstood your original question. I can't think of a way to prevent users from running only selective scripts as per your requirement.
