Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Prevent users from running REST API queries

Hello,

I'm looking for a way to prevent users from running REST API queries against CCM, QM and RM. What is the best way to go about it? The idea is to have a few users authorized to run REST API queries at predefined times instead of having hundreds of users doing this throughout the day.
I don't think it can be done through settings in the applications, so I'm thinking about implementing a rule in the firewall server. I would block URLs such as "https://<server:port>/ccm/rpt" and make it available only to certain IP addresses.
Any thoughts?

0 votes

Comments

Are there complaints about performance? If not, my opinion is not to worry. If performance is an issue, efforts to improve the hosting might go further than blocking accesses arbitrarily.

Kevin, yes we are having issues with performance. These REST API queries are not the root cause, but they do influence the overall load on the server. We have an ongoing initiative to increase resources for the server, but we also need to think about the damage several hundred users could cause if they run long queries.



2 answers

For RQM, you can disable the Quality Management/XML Export permissions (see https://jazz.net/wiki/bin/view/Main/RqmApi#Permissions) for the user role.

0 votes


We desperately need this, too - we've got folks running bots now which update work items. The potential for users to update 300+ work items in one call is now possible. Is it possible to block the REST port on WebSphere for everyone except the userIds which are auth'd to use it (i.e. jts_user, etc.)? I am guessing not, due to RTC using REST programmatically?

0 votes

Comments

The way I solved this was by blocking access from all IPs to URL https://yourserver.com:9443/ccm/rpt, except for a few IPs from users who really need access to the REST API. But I guess this approach only works if your network uses fixed IPs for the workstations.

It also depends on what API those "bots" are using - OSLC, REST or internal web service. The first two have distinctive URL patterns so you can easily tell, but the last one will look just like a normal request call from a browser.

1 vote

Thanks Andre! Possibly this could work, although I think the few users that should use it may be dynamically assigned IPs; but either way I appreciate your response and insight!

Thanks Donald, I was afraid of that as well...
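The allow-by-source-IP rule described in the question and in Andre's comment, as an added Python example that is not code from this thread or from IBM: it applies the allowlist only to the restricted /ccm/rpt path (ordinary web UI traffic is untouched), accepts CIDR ranges so a DHCP pool can be allowlisted as a whole where individual addresses are dynamic, and replays access-log lines through the rule so an administrator can see who would be denied before enforcing it at the firewall or reverse proxy. The networks, user names and log lines are constructed; the equivalent QM and RM endpoint prefixes are left for the deployment to supply.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Source addresses allowed to use the reporting REST API (constructed values;
# a /24 covers a DHCP range, a /32 pins one fixed workstation).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "192.168.1.42/32")]
# Path prefixes reserved for the authorized users. /ccm/rpt is from the thread;
# add the equivalent QM and RM endpoints of your deployment to this tuple.
RESTRICTED_PREFIXES = ("/ccm/rpt",)
# Combined log format: client IP, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_restricted(target: str) -> bool:
    """True when the request target (path or absolute URL) hits a restricted prefix."""
    path = urlsplit(target).path  # strips scheme/host and the query string
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)

def decide(src_ip: str, target: str) -> str:
    """Return 'allow' or 'deny' for one request; unparsable addresses fail closed."""
    if not is_restricted(target):
        return "allow"  # ordinary web UI traffic is never affected
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "deny"
    return "allow" if any(addr in net for net in ALLOWED_SOURCES) else "deny"

def audit(log_lines):
    """Replay log lines; returns (denied, allowed, [(ip, target) denied]) over restricted requests."""
    denied, allowed, offenders = 0, 0, []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_restricted(m.group(3)):
            continue
        if decide(m.group(1), m.group(3)) == "deny":
            denied += 1
            offenders.append((m.group(1), m.group(3)))
        else:
            allowed += 1
    return denied, allowed, offenders

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.10.5.7 - alice [23/Mar/2015:11:05:00 +0000] "GET /ccm/rpt/repository/workitem?fields=workitem/workItem/id HTTP/1.1" 200',
    '172.16.0.9 - bob [23/Mar/2015:11:06:00 +0000] "GET /ccm/rpt/repository/workitem HTTP/1.1" 200',
    '172.16.0.9 - bob [23/Mar/2015:11:07:00 +0000] "GET /ccm/web/projects HTTP/1.1" 200',
    '192.168.1.42 - carol [23/Mar/2015:11:08:00 +0000] "GET https://yourserver.com:9443/ccm/rpt HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))  # (1, 2, [('172.16.0.9', '/ccm/rpt/repository/workitem')])
```

As Donald's comment notes, this only catches clients that use the distinctive REST or OSLC URL patterns; a bot driving the internal web service looks like browser traffic and needs a different control.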

Question details
Question asked: Mar 23 '15, 11:05 a.m.

Question was seen: 5,286 times

Last updated: Jul 27 '17, 7:52 a.m.