How is the authentication and user privileges managed for SOAP API?
Connect Web Services for SOAP (CWS) API
You can authenticate with SAML 2.0 (single sign-on) or with account passwords.
Authenticating with SAML 2.0 (single sign-on) : SAML-based authentication allows client applications to authenticate--on behalf of agents--using SAML 2.0 tokens to achieve single sign-on capabilities. For additional information about single sign-on with Oracle B2C Service, refer to the 'SAML 2.0 Open Login' section in online documentation for the version your site is currently running. To access Oracle B2C Service manuals and documentation online, refer to the Documentation for Oracle B2C Service Products.
If you are not using SAML 2.0 authentication when invoking Connect Web Services for SOAP operations, refer to Authentication with account passwords.
Authenticating with Account passwords: When the API receives a request a series of access control measures are enforced. First, the site configuration is checked to ensure the API has been enabled at a site level. Second, the user credentials supplied in the request are validated. Third, the profile for the supplied account is checked to ensure the correct profile bit is enabled. Client applications must supply username and password credentials with every request.
User permissions for different areas (incidents, answers, contacts etc) of the product are granular and based on the profile level access within Oracle B2C Service for a specific user.
Beginning with the May 2013 sites, The configuration setting SEC_PAPI_INTEG_HOSTS_SOAP has been added. This configuration setting defines which hosts are allowed to access the SOAP interface. Valid entries include a comma-separated list of domain names with wildcards, specific IP addresses or IP subnet masks (for example, *.rightnow.com, 22.214.171.124, 10.11.12.0/255.255.255.0). Only users logging in from hosts matching entries in this list are allowed access to the SOAP interface. Default is blank. Refer to Site Configuration.
For more the entire Connect Web Services for SOAP API documentation, refer to Answer ID 5169: Technical Documentation and Sample Code.