Email Templates

Below are 2 emails:

  • The first email contains text from the Registrar's Office explaining why Protected Student Data APIs are not approved for Student Applications.
  • The second email contains text for applications which aren't requesting Protected Student Data, where the API Gateway Team is waiting for an API Access Request to be submitted.

(Registrar's Statement) An application has requested access to Protected Student Data APIs

Sample Subject

API Developer Portal - <application name> application

Sample Email

Hello <First Last>,

Thank you for your interest in the UCSB API Developer Portal. It looks like you signed up the <application name> application for access to APIs which provide Protected Student Data.

UCSB must ensure that security best practices are being followed and have auditable evidence that the campus' student data is being used appropriately and securely.

To confirm that student-developed applications are following security best practices and that the campus' student data is being used appropriately and securely, regular security reviews must be performed by the Campus API Gateway Team.

Due to the resourcing limitations of the Campus API Gateway Team to perform these security reviews, UCSB has no way to ensure that security best practices are being followed and verify that the campus' student data is being used appropriately and securely; therefore, UCSB cannot grant access to confidential student information for any student-developed applications.

All Auto-Approved APIs for this application have been approved. Unfortunately, we will not be able to approve the other APIs.

API Gateway Team

An application has requested Approval Required APIs that don't contain Protected Student Data and an Access Approval Request hasn't been submitted.

Sample Subject

API Developer Portal - <application name> application

Sample Email

Hello <First Last>,

Thank you for your interest in the UCSB API Developer Portal. It looks like you signed up the <application name> application for access to some of the Access Approval Required APIs.

If you are developing an application to use those protected APIs, you’ll need to read through the Student Developed Application Guidelines and then request access through an API Access Request. For the moment, I’m going to set the <application name> access requests to denied until the access approval process has had a chance to take place.

Please let me know if an Access Request has already been made and I just missed it.

API Gateway Team

Background

On occasion, students will request access to an API that requires approval. More often than not, they were unaware that the API required approval or are unaware of the process to request approval (Student Developed Application Guidelines).

Over the years, the time needed to perform security reviews of Student Applications grew beyond the resources available to the API Gateway Team, and on 3/21/2024 a decision was made to only provide access to Auto-Approved APIs for Student Data.

There are 4 known categories of requests from student applications, and here is the guidance for processing them:

  1. The application is only requesting Auto-Approved APIs.

The student doesn't actually need to send over a request for these, but it's nice that they do. The API Gateway Admin can approve this Access Request through the workflow and leave a note that Business Approval was not required because only Auto-Approved APIs were requested. (Auto-Approved APIs are approved automatically by an automated system, so the Developer already has access to those APIs by the time the API Gateway Admin processes the Access Request.)

  2. The application requests a mix of Auto-Approved and Approval Required Student APIs.

This is the most common scenario from Computer Science students. Unfortunately, the workload to ensure security reviews of these applications is greater than the API Gateway Team has resources to provide. As such, the Registrar's Office has provided a statement which explains the situation (above). The Registrar's text should be sent back to the requester and the Access Approval Required APIs should be denied. The API Gateway Admin can move the request through the workflow process and leave a note that only Auto-Approved APIs are approved for Student Applications.

  3. The application requests every API.

This can happen when the requester is frustrated or confused about what to do. In this scenario, they should be approved for the Auto-Approved APIs but all Access Approval Required APIs should be denied. The API Gateway Admin can move the request through the workflow process and leave a note that only Auto-Approved APIs were approved for the application.

  4. The application requests a mix of Auto-Approved APIs and some non-Student Data Access Approval Required APIs.

This is rare, but the request should be handled through the normal workflow with routing to Business Approvers.