API Rights : Ability to create but not to read

Hi,

We have a customer who is using a custom-made form to create employees in M-Files using the REST API.

While this form needs to be able to write information, it should not be able to use these API credentials to read the same information (e.g. salary information).

Is there any way to restrict the API usage to be able to write-and-forget?

  • The API should respect the permissions on the objects and the rights of the user it's connected as.  A combination of using an external user, plus maybe some vault structure permissions, plus maybe some metadata-driven permissions, should be able to give you a pretty granular level of control.  Just as with the desktop client: it should be possible to grant permissions that will allow the user to create an object but then not see it.

    My trick would be to connect using M-Files desktop as the user and test things out before trying things using the API (as the API is often more awkward to test).  But definitely also do test using the API.  And document what you've done so that someone doesn't accidentally change it in the future.
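
An added example, not part of the original thread: one way to run the API-side test suggested above, by logging in as the form's account, creating an object, and then trying to read it back by ID and through the object listing with the same token. The endpoint paths and JSON field names follow the M-Files Web Service (MFWS) REST conventions and should be checked against your server version; the base URL, object type ID and sample property IDs are placeholders, and `check_write_only` is a hypothetical helper name.

```python
import json
import urllib.error
import urllib.request

# Constructed sample: a name plus a class lookup; the IDs are placeholders for your vault.
SAMPLE_PROPS = [
    {"PropertyDef": 0, "TypedValue": {"DataType": 1, "Value": "Test Employee"}},
    {"PropertyDef": 100, "TypedValue": {"DataType": 9, "Lookup": {"Item": 1}}},
]

def http_json(method, url, headers=None, body=None):
    """Send a JSON request; return (status, parsed body or None)."""
    data = None if body is None else json.dumps(body).encode()
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None

def check_write_only(base, creds, obj_type, props, http=http_json):
    """Create as the form account, then try both read paths with the same token."""
    status, token = http("POST", f"{base}/server/authenticationtokens", None, creds)
    if status != 200 or not token:
        raise RuntimeError(f"login failed: HTTP {status}")
    auth = {"X-Authentication": token["Value"]}

    status, made = http("POST", f"{base}/objects/{obj_type}", auth,
                        {"PropertyValues": props, "Files": []})
    created = 200 <= status < 300
    # The create response may carry no object ID if the creator cannot see the result.
    obj_id = ((made or {}).get("ObjVer") or {}).get("ID")

    readable_by_id = False
    if obj_id is not None:
        url = f"{base}/objects/{obj_type}/{obj_id}/latest/properties"
        readable_by_id = http("GET", url, auth)[0] == 200

    # A write-only account should see no objects of this type at all.
    status, listing = http("GET", f"{base}/objects/{obj_type}", auth)
    visible = status == 200 and bool((listing or {}).get("Items"))

    return {"created": created, "readable_by_id": readable_by_id,
            "visible_in_listing": visible,
            "write_only": created and not readable_by_id and not visible}
```

Run it against a test vault after every permission change, and keep the result with the documentation of the permission setup so a later change that reopens read access is caught.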