Configure access claims using Smart API Manager - Intergraph Smart 3D Web API - Installation & Upgrade - Hexagon PPM

Intergraph Smart 3D and Smart 3D Admin Web API Installation and Configuration

Language: English
Product: Intergraph Smart 3D Web API
Subproduct: Smart 3D Web APIs
Category: Installation & Upgrade
Smart 3D Version: 13

After you've granted Modify permissions to the web server files in IIS, continue by configuring access claims. Follow these steps if you're using Smart API Manager. For more help, see the Intergraph Smart API Manager help.

Tip: If you're using a different API manager, see the topic Configure access claims using a third-party API manager.

Add the Smart Client to Smart API Manager

  1. Navigate to the Intergraph Smart API Manager Dashboard Manager website.

  2. Sign in using an administrator account.

  3. Add a new Smart Clients entry for each client that accesses the API.

  4. Make a note of the secret and the Client ID because you will need them later when fetching a token.

Add one or more groups

Groups are used to grant read access to users on a per-plant basis. A group definition consists of the External Identities and SAM Users that are part of the group.

Authorizing a group in the API gives access to its members. For the Smart 3D API, that access is for a given set of plants.

Write access is controlled by the standard Smart 3D access control functionality, and only Windows Active Directory users/groups can have write access. The one exception to the Windows Active Directory requirement is Smart 3D permission groups that grant access to Everyone: these allow modifications even by non-Windows Active Directory users.

You need to add one or more groups, depending on the number of users, the number of plants, and how finely access is controlled.

To add a group:

  1. Create and name the group.

  2. Define the External Identities and Users that are part of the group.

  3. In the Smart APIs section, locate the entry that was created when you configured the web server in the configuration tool. This entry has a product value of S3D and its URL value matches the value you entered in the configuration tool. Select the entry.

  4. Note its Resource Identifier for future use when fetching a token.

Add Supported Claim Types to the Smart API

  1. In the Smart APIs section, locate the Manager Supported Claim Types area.

  2. Add the appropriate claim type for the web API you're configuring if one does not exist.

    • For Smart 3D - add the Access claim type.

    • For Smart 3D Admin - add the SiteCreatorAccess, SiteReadAccess, and SiteWriteAccess claim types.

  3. Set the values for each claim type.


    Claim type for the Smart 3D Web API:

    • Name: Access; User Name: Plant Access; Type: String; Values: --

    Claim types for the Smart 3D Admin Web API:

    • Name: SiteCreatorAccess; User Name: Site creator access; Type: Enum; Values: Grant

    • Name: SiteReadAccess; User Name: Read access to site; Type: String; Values: --

    • Name: SiteWriteAccess; User Name: Write access to site; Type: String; Values: --

    Required: Checked

    Unique: Checked, Checked

Authorize the groups

  1. In the Manage Authorized Groups section, click Add Group.

  2. Select the group and add the claim.

    • For the Smart 3D Web API, add a Plant Access claim for each plant in the Smart 3D site to which the group will have at least read access.

      You need to type the names of the plants, so have a list available.

      Prefix the site name to the plant name using the syntax SiteName:PlantName. Use the “*” character as a wildcard to give access to multiple plants. For example, a plant name of * gives access to all plants.

      Repeat this for each existing Group that accesses one or more plants in the Smart 3D Site.

    • For the Smart 3D Admin Web API, add the claims as follows:

      • SiteCreatorAccess - Add this claim if the user is intended to do the actions “CreateSite”, “RestoreSite”, or “EnableSite”.

      • SiteReadAccess - Add this claim for each sitealias on which the user will have read access on the site. The user will have read access on all entities and can perform a GET operation.

      • SiteWriteAccess - Add this claim for each sitealias on which the user will have write access on the site. The user can perform PATCH, PUT, POST, and DELETE operations. This user can also perform all actions except those that only the SiteCreatorAccess claim allows.

        Tip: For both the SiteReadAccess and SiteWriteAccess claims, use the “*” character as a wildcard to give access to multiple sites. For example, to give access to all sites, give a site alias name of *.
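A least-privilege review of the Plant Access values described above, as an added example that is not part of the original page or of Smart API Manager: it expands each group's SiteName:PlantName claims against a plant inventory and flags wildcard values and values that lack the site prefix. The group, site and plant names are constructed, and the matching rule (“*” matches any run of characters, case-sensitively) is an assumption, because this page does not state how the product matches.

```python
import re

# Constructed sample data: every group, site and plant name below is made up.
INVENTORY = ["SiteA:Plant1", "SiteA:Plant2", "SiteA:Refinery", "SiteB:Plant1"]
GROUP_CLAIMS = {
    "Piping-Readers": ["SiteA:Plant1"],
    "Contractors": ["SiteA:Plant*"],
    "All-Readers": ["SiteA:*", "SiteB:*"],
    "Typo-Group": ["Plant1"],  # SiteName: prefix forgotten
}

def parse_claim(value):
    """Split 'SiteName:PlantName' into (site, plant); None if the prefix is missing."""
    site, sep, plant = value.partition(":")
    return (site, plant) if sep and site and plant else None

def wildcard_match(pattern, name):
    """ASSUMPTION: '*' matches any run of characters, case-sensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def plants_granted(claims, inventory):
    """Inventory entries that the given Plant Access values would make readable."""
    granted = set()
    for site, plant in filter(None, map(parse_claim, claims)):
        for entry in inventory:
            entry_site, entry_plant = entry.split(":", 1)
            # Both halves are matched permissively so the review over-reports
            # rather than under-reports what a claim reaches.
            if wildcard_match(site, entry_site) and wildcard_match(plant, entry_plant):
                granted.add(entry)
    return sorted(granted)

def audit(group_claims, inventory):
    """Per group: effective plants, wildcard claims, and values lacking SiteName:."""
    return {
        group: {
            "plants": plants_granted(claims, inventory),
            "wildcards": [c for c in claims if "*" in c],
            "malformed": [c for c in claims if parse_claim(c) is None],
        }
        for group, claims in group_claims.items()
    }

if __name__ == "__main__":
    for group, result in audit(GROUP_CLAIMS, INVENTORY).items():
        print(group, result)
```

Rerun the review after plants are added to a site, because a wildcard claim then reaches plants that did not exist when the group was authorized.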

You're done with configuring access claims! Now, move on to configuring app settings.