API Rights : Ability to create but not to read

Question

Hi, 
 
 We have a customer who is using a custom made Form to create employees in M-Files using the REST API. 
 While this form needs to be able to write information, it should not be able to use these API credentials to read the same information (fe. Salary information) 
 Is there any way to restrict the API usage to be able to write-and-forget?

Craig Hawker · Answer

The API should respect the permissions on the objects and the rights of the user it's connected as. A combination of using an external user, plus maybe some vault structure permissions, plus maybe some metadata-driven permissions, should be able to give you a pretty granular level of control. Just as with the desktop client: it should be possible to grant permissions that will allow the user to create an object but then not see it. 
 My trick would be to connect using M-Files desktop as the user and test things out before trying things using the API (as the API is often more awkward to test). But definitely also do test using the API. And document what you've done so that someone doesn't accidentally change it in the future.

API Rights : Ability to create but not to read

Top Replies