Example on Ruleset with different access for different API consumer types

Ruleset Example

Written by Ossi Galkin
Updated over 10 months ago

Ruleset Example with different access for different API consumer types

In this example scenario we use the Campaign API. The Campaign API has the following API operations:

The GET /campaign operation is used by a webshop to get active campaigns via the API. The webshop only needs to get the active campaigns and show them to the users. Thus the webshop should not have access to create new campaigns (POST /campaign/create) or to update existing campaigns (PUT /campaign/update).

There is a separate management web UI for managing all the campaigns. The management website needs to access all the API operations of the Campaign API.

Recommended way to set up Rulesets for different API consumer groups

In this kind of use case, it is recommended to set up unique Rulesets for each API consumer group per API.

This is an example Ruleset for the webshop that gives access to the API operation returning a list of campaigns:

With the API Key "Webshop / Campaign List / Development API Key" linked to the Ruleset, the webshop now has access to the GET /api/campaign/v1 operation to get the list of active campaigns, but not to any other API operations.

If other new API clients need to get a list of active campaigns, it is easy to create separate API Keys, for example for other websites, and link those API Keys to this Ruleset.
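The access split described above can be checked as a matrix. The following is an added example, not Frends configuration or code from this article: a generic Python model of API Key to Ruleset linking with deny-by-default evaluation, plus an audit that flags any key whose effective access differs from the intended one. The Ruleset names and the management key name are hypothetical, and the operation paths use the short forms from the scenario description.

```python
# Generic model (assumption): API Key -> linked Rulesets -> allowed operations.
# This is not the Frends Ruleset format; all data below is constructed.
OPERATIONS = {("GET", "/campaign"), ("POST", "/campaign/create"),
              ("PUT", "/campaign/update")}  # operations named in the article

WEBSHOP_KEY = "Webshop / Campaign List / Development API Key"  # from the article
MGMT_KEY = "Management UI / Campaign / Development API Key"    # hypothetical

RULESETS = {  # hypothetical Ruleset names
    "webshop-campaign-list": {("GET", "/campaign")},
    "management-campaign-all": set(OPERATIONS),
}
KEY_LINKS = {
    WEBSHOP_KEY: ["webshop-campaign-list"],
    MGMT_KEY: ["management-campaign-all"],
}
# Intended least-privilege matrix, taken from the scenario text.
EXPECTED = {WEBSHOP_KEY: {("GET", "/campaign")}, MGMT_KEY: set(OPERATIONS)}


def effective_access(api_key, key_links=KEY_LINKS, rulesets=RULESETS):
    """Union of the operations granted by every Ruleset linked to the key."""
    granted = set()
    for name in key_links.get(api_key, []):
        granted |= rulesets.get(name, set())
    return granted


def is_allowed(api_key, method, path, key_links=KEY_LINKS, rulesets=RULESETS):
    """Deny by default: unknown keys and unlisted operations are refused."""
    return (method.upper(), path) in effective_access(api_key, key_links, rulesets)


def audit(expected, key_links=KEY_LINKS, rulesets=RULESETS):
    """Return (key, 'excess' | 'missing', operation) for every deviation."""
    findings = []
    for key in sorted(set(expected) | set(key_links)):
        actual = effective_access(key, key_links, rulesets)
        wanted = expected.get(key, set())
        findings += [(key, "excess", op) for op in sorted(actual - wanted)]
        findings += [(key, "missing", op) for op in sorted(wanted - actual)]
    return findings


if __name__ == "__main__":
    print(audit(EXPECTED))  # an empty list means access matches the intent
    # Drift: the webshop key is also linked to the management Ruleset.
    drifted = dict(KEY_LINKS, **{WEBSHOP_KEY: ["webshop-campaign-list",
                                               "management-campaign-all"]})
    for finding in audit(EXPECTED, key_links=drifted):
        print(finding)
```

Running the audit after every Ruleset or API Key change catches a consumer key that has picked up write operations through an extra Ruleset link.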
