This is a guide meant to help API Gateway Administrators process API Access Requests through the API Access Request workflow.
Initial Review
When a request comes in, members of the API Gateway Team will be notified through an email to support@developer.ucsb.edu. Any member can take a look at the request and assign a Gateway Admin and a Business Approver.
- Assign a Gateway Admin by filling in For Admin Use > Gateway Admin Name and Gateway Admin Email.
- Assign a Business Approver by filling in For Admin Use > Approving Department, Business Access Approver Name and Business Access Approver Email.
- If the application is requesting access to APIs that require approval by different departments, add the additional approvers to the Other Business Access Approvers section. Please include name and email address.
- After setting the Gateway Admin and Business Approver, set the API Access Request Workflow to Admins Assigned.
Determining an Admin and a Business Approver to Assign by API
Usually, the person responding to the initial email is someone who knows something about the application requesting access, so they will assign themselves to process the request.
However, if you do not know anything about the application requesting access, take a look at the API Access Request and see what APIs are being requested (Requested APIs (Include Data Elements) and Specific Data Needs section). You can navigate to the API Access Requests and review the specific API Access Request for the application you are reviewing.
For each requested API find the specific API Publishing Request in API Publishing Requests and determine the Gateway Admin and Business Approver. Alternatively, for some APIs, you can check the API Product definitions in Apigee Edge Portal to determine the Originating System and Gateway Admin of each API.
Admins Assigned
An email will be sent to the assigned Admin.
The assigned Gateway Admin will review the request. If they determine that not enough information has been collected for the Business Approver to make a well-informed decision, the Gateway Admin should reach out to the application owner and ask for more information or clarification. While that information is outstanding, set the API Access Request Workflow to In Technical Review Initial. Once all information has been collected, set the workflow to Business Review to send the request to the Business Approver.
Some key information to look for:
- Application Name - This should match the display name of the application within the API Gateway. To determine if the application is registered in the system, use apibot's @apibot apps search <application name>. Feel free to change the application name if it doesn't match up with the application display name. Please be advised that the command takes a single word and cannot contain spaces in the application name.
- Developer Portal Account - This should be the email address of the account that "owns" the application. Use apibot's @apibot apps search <application name> to find the owner's email address.
- Application Description - Ensure that you can follow along with what is being described. Feel free to correct grammar/spelling errors if you feel it doesn't change what is being described.
- Requested APIs (Include Data Elements) and Specific Data Needs - If the description of the application doesn't match up with the APIs being requested, you are encouraged to reach out to the application owner and ask why particular APIs are being requested. However, if you are not sure if the API is needed, feel free to defer judgment to the Business Approver to determine if an API is actually needed (when they review the application).
- Application Authentication & Security - Ensure that there is a description of how the data is meant to be handled, what security mechanisms are being applied, and how data is stored (if it is stored). At this point, we only want to ask for more information, not ask for anything to be implemented or put any demands on the client application. Once the Business Approvers review the request, they will determine which APIs will actually be approved for usage (which can really cut down on the security requirements). The Business Approvers may ask for special handling of data for certain APIs. After the Business Approvers give approval and the request comes back for the second round of technical review, the Gateway Admin can start to work out the details of the security that will need to be implemented.
In Technical Review Initial
Use this state to gather more information from the application developer before you submit it to the Business Approver. Once all information has been collected, set the workflow to Business Review to send the request to the Business Approver.
Business Review
The Business Approver receives an email when the workflow is set to Business Review. If more information is needed, the Business Approver can set the workflow state to Pending More Info Business and contact the developer or business contact for the application to gather more information. Once all information has been collected, the Business Approver will set the workflow to Business Approved to send the request back to the Gateway Admin for processing. The Business Approver can deny the request by setting the workflow state to Business Denied.
What to do if multiple departments have to approve access to APIs?
- Add the second Business Approver's information to Approving Department, Business Access Request Approver Name, and Business Access Request Approver Email. Make sure you copy the first Business Approver's information into the Other Business Approvers section so that it is not lost.
- Set the workflow state to Business Review
- Save the document. That will email the second Business Approver to take action.
- Alternatively, you can set the state to Business Review, email the link to the second Business Approver, and ask them to take action. The system will keep a log of all actions.
Business Approved
Once the Business Approver has approved the access, the Gateway Admin can grant the access.
- Ask the application developer to create an App in the Developer Portal's My Apps section and request access to the agreed upon APIs if they haven't done so.
- Enter the Gateway Application Name in the For Admin Use section of the document. The actual name can be found in the gateway in the Publish/Apps section. An example would be "dining-common-traffic". This name will be used as we build automations. You can also use apibot's @apibot apps search <application name>. Please be advised that the command takes a single word and cannot contain spaces in the application name.
- Grant access to the requested APIs in the gateway.
- Set the workflow status to Access Approved by Admin.
- The Gateway Admin can deny the access by setting the workflow to Access Denied if there are any concerns with the technical implementation of the application.
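The workflow states above form a small state machine with a separation of duties: only the Business Approver may move a request to Business Approved or Business Denied, and the Gateway Admin may only grant access once the request is in Business Approved. The following is an added example that models those rules and keeps the action log the guide mentions; it is not the gateway team's own tooling. The state and role names come from the guide; the "New" starting state, the class and function names, and the e-mail addresses are assumptions made for this example, and the transition that sends an already-approved request back to Business Review for a second department is modelled as a Gateway Admin action, which the guide does not state explicitly.

```python
"""Model of the API Access Request workflow with role-checked transitions.

Added example, not the API Gateway team's own code. Enforces who may move a
request into which state and records every transition as an audit log entry.
"""
from dataclasses import dataclass, field

# Workflow states as named in the guide ("New" is an assumed starting state).
NEW = "New"
ADMINS_ASSIGNED = "Admins Assigned"
TECH_REVIEW_INITIAL = "In Technical Review Initial"
BUSINESS_REVIEW = "Business Review"
PENDING_INFO_BUSINESS = "Pending More Info Business"
BUSINESS_APPROVED = "Business Approved"
BUSINESS_DENIED = "Business Denied"
ACCESS_APPROVED = "Access Approved by Admin"
ACCESS_DENIED = "Access Denied"

# Roles named in the guide.
GATEWAY_ADMIN = "Gateway Admin"
BUSINESS_APPROVER = "Business Approver"

# (from_state, to_state) -> the single role allowed to make that transition.
# Anything not listed here is rejected, so access can never be granted
# without passing through Business Approved first.
TRANSITIONS = {
    (NEW, ADMINS_ASSIGNED): GATEWAY_ADMIN,
    (ADMINS_ASSIGNED, TECH_REVIEW_INITIAL): GATEWAY_ADMIN,
    (ADMINS_ASSIGNED, BUSINESS_REVIEW): GATEWAY_ADMIN,
    (TECH_REVIEW_INITIAL, BUSINESS_REVIEW): GATEWAY_ADMIN,
    (BUSINESS_REVIEW, PENDING_INFO_BUSINESS): BUSINESS_APPROVER,
    (PENDING_INFO_BUSINESS, BUSINESS_REVIEW): BUSINESS_APPROVER,
    (BUSINESS_REVIEW, BUSINESS_APPROVED): BUSINESS_APPROVER,
    (BUSINESS_REVIEW, BUSINESS_DENIED): BUSINESS_APPROVER,
    # Multi-department case (assumption: the admin re-routes to a second approver).
    (BUSINESS_APPROVED, BUSINESS_REVIEW): GATEWAY_ADMIN,
    (BUSINESS_APPROVED, ACCESS_APPROVED): GATEWAY_ADMIN,
    (BUSINESS_APPROVED, ACCESS_DENIED): GATEWAY_ADMIN,
}


class WorkflowError(Exception):
    """Raised when a transition is undefined or made by the wrong role."""


def is_allowed(state: str, role: str, new_state: str) -> bool:
    """True if `role` may move a request from `state` to `new_state`."""
    return TRANSITIONS.get((state, new_state)) == role


@dataclass
class AccessRequest:
    application: str
    state: str = NEW
    # Audit log of (actor, role, from_state, to_state), mirroring the
    # "system keeps a log of all actions" behaviour described in the guide.
    log: list = field(default_factory=list)

    def transition(self, actor: str, role: str, new_state: str) -> str:
        allowed_role = TRANSITIONS.get((self.state, new_state))
        if allowed_role is None:
            raise WorkflowError(f"{self.state!r} -> {new_state!r} is not a valid transition")
        if role != allowed_role:
            raise WorkflowError(f"{role} may not move a request from {self.state!r} to {new_state!r}")
        self.log.append((actor, role, self.state, new_state))
        self.state = new_state
        return self.state


def process_example_request() -> AccessRequest:
    """Walk a constructed request through the documented path, including one
    round of Pending More Info Business, and return it in its final state."""
    req = AccessRequest(application="dining-common-traffic")  # example name from the guide
    admin, approver = "admin@example.edu", "approver@example.edu"  # constructed actors
    req.transition(admin, GATEWAY_ADMIN, ADMINS_ASSIGNED)
    req.transition(admin, GATEWAY_ADMIN, TECH_REVIEW_INITIAL)
    req.transition(admin, GATEWAY_ADMIN, BUSINESS_REVIEW)
    req.transition(approver, BUSINESS_APPROVER, PENDING_INFO_BUSINESS)
    req.transition(approver, BUSINESS_APPROVER, BUSINESS_REVIEW)
    req.transition(approver, BUSINESS_APPROVER, BUSINESS_APPROVED)
    req.transition(admin, GATEWAY_ADMIN, ACCESS_APPROVED)
    return req


if __name__ == "__main__":
    done = process_example_request()
    print(done.state)
    for entry in done.log:
        print(entry)
```

The useful property is that the check is on the pair (current state, target state) and on the role together: an admin who tries to jump from Business Review straight to Access Approved by Admin, or an approver who tries to grant gateway access themselves, gets a WorkflowError rather than a silently recorded transition.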
Granting Access to APIs
- Use @apibot apps approve to grant access.
- You can use @apibot help approve to get the exact syntax for the specific case.
- First, make sure you have the Apigee role by executing @apibot @yourslackid has apigee role
- Or login to the Apigee Gateway and navigate to Publish > Apps, edit the app and approve the API access.