It's all about the answers!

Ask a question

Prevent users from running REST API queries

Andre Gusmao (802640) | asked Mar 23 '15, 11:05 a.m.

I'm looking for a way to prevent users from running REST API queries against CCM, QM and RM. What is the best way to go about it? The idea is to have a few users authorized to run REST API queries at predefined times instead of having hundreds of users doing this throughout the day.
I don't think it can be done through settings in the applications, so I'm thinking about implementing a rule in the firewall server. I would block URLs such as "https://<server:port>/ccm/rpt" and make it available only to certain IP addresses.
Any thoughts?

Kevin Ramer commented Mar 23 '15, 5:07 p.m.

Are there complaints about performance ?   If not, my opinion is not to worry.  If performance is an issue, efforts to improve the hosting might go further than blocking accesses arbitrarily.

Andre Gusmao commented Mar 23 '15, 5:16 p.m.

Kevin, yes we are having issues with performance. This REST API queries are not the root cause, but they do influence the overall load in the server. We have an ongoing initiative to increase resources for the server, but we also need to think about the damage several hundred users could cause if they run long queries.

2 answers

permanent link
Paul Slauenwhite (8.4k12) | answered Mar 24 '15, 6:32 a.m.
For RQM, you can disable the Quality Management/XML Export permissions (see for the user role.

permanent link
Carole Schwarz (3613) | answered Jul 26 '17, 3:58 p.m.

We desperately need this, too - we've got folks now running bots now which update work items. The potential for users to update 300+ work items in one call is now possible.  Is it possible to block the REST port on WebSphere for everyone except the userIds which are auth'd to use it (i.e. jts_user, etc.)?  I am guessing not due to RTC using REST programmatically?

Andre Gusmao commented Jul 26 '17, 4:13 p.m.

The way I solved this was by blocking access from all IPs to URL, except for a few IPs from users who really need access to the REST API. But I guess this approach only works if your network uses fixed IPs for the workstations.

Donald Nong commented Jul 26 '17, 10:24 p.m.

It also depends on what API those "bots" are using - OSLC, REST or internal web service. The first two have distinctive URL patterns so you can easily tell, but the last one will look just like a normal request call from a browser.

Carole Schwarz commented Jul 27 '17, 7:47 a.m.

Thanks Andre!  Possibly this could work, although I think the few users that should use it may be dynamically assigned IPs; but either way I appreciate your response and insight!

Carole Schwarz commented Jul 27 '17, 7:52 a.m.

Thanks Donald, I was afraid of that as well...

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.