Users, Groups and ACLs for API Identity Management

Identity management is the cornerstone of a secure infrastructure that uses internal and third-party APIs. By defining users, groups, and access control lists (ACLs), companies can control at a granular level who gets to use which API-based resource. In this tutorial, we will configure users, groups and ACLs on Forum Sentry API Gateway for authenticating users and authorizing API access. Once configured, any token type such as OAuth, SAML, or cookies can be used to present user credentials to Forum Sentry for validation against on-board users.

Forum Sentry API Gateway provides extensive identity management capabilities. Administrators can configure on-board users, groups and ACLs, or use off-board, third-party identity stores such as LDAP, SiteMinder, RSA SecurID, IBM TAM, and Kerberos. Forum Sentry has native integrations with a variety of identity management systems, including the ones listed above.

[Figure: adding a user under ACCESS > Users in the Forum Sentry administrative console]

To add on-board users, select ACCESS > Users in the administrative console as shown above. You can add users and their passwords from this screen. For this tutorial, add four users, testuser1, testuser2, testuser3 and testuser4, each with the password set to "password".

[Figure: adding a user group under ACCESS > User Groups in the Forum Sentry administrative console]

Now you can add groups by selecting ACCESS > User Groups in the administrative console. Add TestGroup1 and TestGroup2, then associate testuser1 and testuser2 with TestGroup1, and testuser3 and testuser4 with TestGroup2. As shown above, TestGroup1 contains the selected users.

[Figure: adding a user ACL under ACCESS > User ACLs in the Forum Sentry administrative console]

Select ACCESS > User ACLs in the administrative console to open the screen shown above. Add two ACLs, TestACLNarrow and TestACLWide. Associate both TestGroup1 and TestGroup2 with TestACLWide, and associate only TestGroup1 with TestACLNarrow.
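To make the resulting policy concrete, the following is an added example that models the users, groups and ACLs configured in the steps above and evaluates an access request against them. It is illustrative code written for this tutorial, not Forum Sentry's own implementation; the password hashing, the function names and the decision strings are assumptions of the model.

```python
import hashlib
import hmac
import os

# Constructed model of the tutorial's configuration (not Forum Sentry's own code).
def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Users as created under ACCESS > Users, all with the tutorial password.
USERS = {name: make_user("password")
         for name in ("testuser1", "testuser2", "testuser3", "testuser4")}

# Groups as created under ACCESS > User Groups.
GROUPS = {
    "TestGroup1": {"testuser1", "testuser2"},
    "TestGroup2": {"testuser3", "testuser4"},
}

# ACLs as created under ACCESS > User ACLs: each ACL lists the groups it admits.
ACLS = {
    "TestACLWide": {"TestGroup1", "TestGroup2"},
    "TestACLNarrow": {"TestGroup1"},
}

def authenticate(username: str, password: str) -> bool:
    # Validate presented credentials against the on-board user store.
    user = USERS.get(username)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])  # constant-time compare

def groups_of(username: str) -> set:
    return {g for g, members in GROUPS.items() if username in members}

def authorize(username: str, acl: str) -> bool:
    # Allow only if the user is in at least one group the ACL admits.
    return bool(groups_of(username) & ACLS.get(acl, set()))

def access_decision(username: str, password: str, acl: str) -> str:
    # Authenticate first, so an unknown user and a bad password are indistinguishable.
    if not authenticate(username, password):
        return "deny: authentication failed"
    if not authorize(username, acl):
        return f"deny: {username} is not in a group admitted by {acl}"
    return "allow"
```

With this configuration, testuser3 passes TestACLWide but is denied by TestACLNarrow, which is exactly the distinction the two ACLs are meant to enforce.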

With users, groups and ACLs configured, you can now provide granular identity management control over your corporate APIs. Any identity token, such as OAuth, cookies, SAML or X.509, can be presented by external users or systems and validated against the on-board users. As a general best practice, however, users and groups are maintained in an external identity store such as an LDAP server.