Adding Security to the Integration APIs

Objectives

After completing this lesson, you will be able to:
  • Set Up Integration Object Authentication
  • Set Up Integration Object Authorization

Set Up Integration Object Authentication

When exposing an Integration Object, you must identify the user authorized to make integration API requests. Additionally, you must grant access permissions for each request type or Integration Object item type based on the user group or user.

These steps in the SAP Commerce Cloud Backoffice configure the authentication type for an Integration Object:

  1. Navigate to SAP Commerce Cloud Backoffice, and log on as an administrator.
  2. Choose Integration UI Tool from the Cockpit dropdown menu on the top-left corner.
  3. Expand the Integration APIs menu items, and choose Authentication.
  4. Choose InboundProduct from the Integration Object list view or table on the right side. This is just an example. You can check the other integration objects like InboundB2BUnit, InboundB2BCustomer, InboundPriceRow, and so on, as well. These integration objects are imported in the system initialization or update process.
  5. In the editor area, at the bottom of the screen, you’ll see the default authentication type is preconfigured as Basic when the integration objects are imported or created during the system initialization or update. That means a username and password would be required to call the Integration APIs from the client applications.

    Note

    Since the out-of-the-box integration flows or iFlows deployed in the SAP Cloud Integration tenant use Basic as the default authentication type, you can stick to Basic in the course. Alternatively, you can choose OAuth2 from the Authentication Type dropdown. In this case, a client ID and client secret would be required to generate an access token to call the Integration API.

Set Up Integration Object Authorization

As you’ll be using the Basic authentication type for the Integration APIs, you need to set up, or configure, a username and password with the required permissions in SAP Commerce Cloud.

You can use the out-of-the-box integrationservicetestuser Employee user to call the integration API endpoints, or you can create a new Employee user and assign the required user groups or permissions to that user.

The integrationservicetestuser Employee user belongs to the integrationservicegroup and integrationadmingroup user groups, which give the user access to integration API authorization.

Integration Object authorizations will be assigned to the integrationservicegroup or integrationadmingroup user group.

To configure the integration user, or user group, authorization for an Integration Object, follow these steps in the SAP Commerce Cloud Backoffice.

  1. Navigate to SAP Commerce Cloud Backoffice, and log on as an administrator.
  2. Choose Integration UI Tool from the Cockpit dropdown menu on the top-left corner.
  3. Expand the Integration APIs menu items, and choose Authorization.
  4. Choose InboundProduct from the integration object dropdown on the top. On the left side, under the integration object dropdown, you’ll see the item types included in the current integration object. In this case, the InboundProduct object contains, or depends on, the Catalog, Category, PriceRow, Unit, and other item types as object attributes. These item type attributes are designed in the Integration Object Modeling tool.
  5. Choose an item type on the left side, for example, Category. You’ll see the user or user group permission already assigned to the current item type.
  6. Go through the list to find the user, or the user group, that you want to assign permissions to. You can use the search box on the top to quickly find the target user group. In this case, you want to assign the Read, Change, and Create permissions to the integrationadmingroup user group, which contains the integrationservicetestuser Employee user.

    If the target user group, such as integrationadmingroup, is not in the list, you can manually add it by choosing the plus (+) button and entering the user group name. From the dropdown list, choose the target user group to add it to the list.

    Once the target user group is in the list, you can toggle the permission buttons on the right side to either grant or deny the permission. A green check means the permission is explicitly given, while a red cross means the permission is explicitly removed. The gray checks or crosses are the permissions inherited from the parent user group.
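
The three permission states described above, as an added example that is not part of the original lesson or SAP's own code: a simplified Python model that resolves explicit and inherited settings per item type and lists deviations from an intended permission set. The group partnerintegrationgroup, the parent link, the sample assignments, and the rule that the nearest explicit setting wins are assumptions made for illustration.

```python
# Added example: simplified model of the explicit / inherited permission states.
# Assumption: one parent per group, and the nearest explicit setting wins.
PERMISSIONS = ("read", "change", "create", "remove")

# Constructed sample data. integrationadmingroup comes from the lesson;
# partnerintegrationgroup and the parent link are hypothetical.
PARENT = {"partnerintegrationgroup": "integrationadmingroup",
          "integrationadmingroup": None}

# ASSIGNMENTS[item_type][group][permission]: True = green check, False = red cross.
# A missing key means "not set here" (shown gray if a parent group sets it).
ASSIGNMENTS = {
    "Category": {
        "integrationadmingroup": {"read": True, "change": True, "create": True, "remove": False},
        "partnerintegrationgroup": {"change": False, "create": False},
    },
    "PriceRow": {"integrationadmingroup": {"read": True}},
}

def effective(item_type, group, permission):
    """Return (value, source): value is True/False/None, source says where it was set."""
    current, seen = group, set()
    while current is not None and current not in seen:  # 'seen' guards against cycles
        seen.add(current)
        setting = ASSIGNMENTS.get(item_type, {}).get(current, {}).get(permission)
        if setting is not None:
            return setting, "explicit" if current == group else "inherited"
        current = PARENT.get(current)
    return None, "unset"

def audit(group, required):
    """List (item_type, permission, problem, source) where the group deviates from 'required'."""
    findings = []
    for item_type in sorted(ASSIGNMENTS):
        for perm in PERMISSIONS:
            value, source = effective(item_type, group, perm)
            want = perm in required
            if bool(value) != want:  # an unset permission is treated as not granted
                findings.append((item_type, perm, "missing" if want else "excess", source))
    return findings
```

Calling audit("integrationadmingroup", {"read", "change", "create"}) on this sample data reports that PriceRow still lacks Change and Create, the kind of per-item-type gap that is easy to miss when toggling permissions one item type at a time.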
