Enforcing profile permissions on SOAP and REST API calls
Answer ID 7156   |   Last Review Date 07/11/2023

How can I make sure the profile permissions are enforced for an account's SOAP and REST API calls?

Environment:

Oracle B2C Service
May 2013 and newer

Resolution:

There is a hidden configuration setting which maps profile permissions to SOAP and REST API permissions:

SERVER_ACCESS_CONTROL_ENABLED
- This setting specifies whether server-side access control enforcement is enabled.
- This setting is enabled by default for all new sites, but is disabled on some older sites.

If this setting is enabled and the user does not have access or permission to a specific object as configured in their profile (for example, incidents), they will not be able to make a SOAP or REST request on that object. The profile permissions for the account are also enforced. For example, if the profile for the API account does not have Delete permission for incidents, a DELETE REST request will fail with a 403 HTTP status code and a message indicating 'Not Allowed: No permission granted to Destroy Incident'.

As this setting is hidden, if you would like it to be enabled submit a service request to Ask Technical Support, but please take these facts into consideration before doing so:

1. It will affect all your current integrations.
2. Once enabled, it cannot be disabled.

It is highly recommended that you test its implications on a test site before enabling it on your production site.
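One way to carry out that test-site check, and to confirm the 403 behaviour described above, is a small probe script run as the API account: it issues operations the account's profile should allow and operations it should deny, then reports any mismatch in either direction (a denied operation that succeeds means enforcement is not in effect; an allowed operation that is rejected is an integration that would break). The script below is an added example, not Oracle's code. It assumes a Connect REST API base path of /services/rest/connect/v1.4 (the version segment varies by site) and that a denied call returns HTTP 403 with a JSON body whose "detail" field carries the 'Not Allowed: No permission granted ...' message quoted in the answer; the two "sites" it runs against are constructed stand-ins so it runs offline.

```python
"""Probe whether profile permissions are enforced for a Connect REST API account.

Added example, not Oracle's code. Assumptions: base path below (version segment
varies by site); a denied call answers 403 with JSON {"detail": "Not Allowed: ..."}.
"""
import json
from typing import Callable, Dict, List, Tuple

BASE_PATH = "/services/rest/connect/v1.4"   # assumption: adjust to the site's API version
DENIED_TEXT = "No permission granted"        # substring of the 403 message quoted in the answer

# A transport is any callable (method, path) -> (status_code, body_text).
Transport = Callable[[str, str], Tuple[int, str]]

# Each probe: HTTP method, resource path, and whether the API account's profile
# should be DENIED that operation. Adjust the list to the account's real profile.
Probe = Tuple[str, str, bool]


def classify(status: int, body: str) -> str:
    """Map one response to 'denied' (enforcement fired), 'allowed' or 'other'."""
    if 200 <= status < 300:
        return "allowed"
    if status == 403:
        try:
            detail = json.loads(body).get("detail", "")
        except (ValueError, AttributeError):   # non-JSON or non-object body
            detail = body
        return "denied" if DENIED_TEXT in detail else "other"
    return "other"


def check_enforcement(transport: Transport, probes: List[Probe]) -> Dict[str, List[str]]:
    """Run every probe and sort the results into 'ok' and 'mismatch' lists.

    A mismatch is either a profile-denied operation that succeeded (the site is
    not enforcing SERVER_ACCESS_CONTROL_ENABLED) or a profile-allowed operation
    that was rejected (an integration that would break once it is enabled).
    """
    report: Dict[str, List[str]] = {"ok": [], "mismatch": []}
    for method, path, expect_denied in probes:
        status, body = transport(method, BASE_PATH + path)
        outcome = classify(status, body)
        label = f"{method} {path} -> {status} ({outcome})"
        if (expect_denied and outcome == "denied") or (not expect_denied and outcome == "allowed"):
            report["ok"].append(label)
        else:
            report["mismatch"].append(label)
    return report


# --- Constructed transports standing in for a test site; no network needed ---

def enforcing_site(method: str, path: str) -> Tuple[int, str]:
    """Simulates a site with the setting on and a profile lacking Delete on incidents."""
    if method == "DELETE" and "/incidents/" in path:
        return 403, json.dumps({
            "status": 403,
            "detail": "Not Allowed: No permission granted to Destroy Incident",
        })
    return 200, json.dumps({"id": 42})


def legacy_site(method: str, path: str) -> Tuple[int, str]:
    """Simulates an older site where the setting is off: every call succeeds."""
    return 200, json.dumps({"id": 42})


PROBES: List[Probe] = [
    ("GET", "/incidents/42", False),     # profile grants Read on incidents
    ("DELETE", "/incidents/42", True),   # profile lacks Delete on incidents
]

if __name__ == "__main__":
    for name, site in (("enforcing", enforcing_site), ("legacy", legacy_site)):
        print(name, check_enforcement(site, PROBES))
```

Against a real test site, replace the constructed transports with a function that sends the request through an HTTP client authenticated as the API account and returns the status code and body text; the probe list should mirror the operations your integrations actually perform so that the "mismatch" list doubles as the impact assessment the answer asks for.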