Question
I'll be so grateful if you can help me with the following question: I'm restricting access to an API in APIM using groups, but I also want to restrict its operations. For example, I have an API in APIM with the following operations:
- OperationA
- OperationB
- OperationC
And the following groups of users:
- Group1
- Group2
- Group3
So the idea is to give access to the groups according to some business rules, for instance:
- Group1 (OperationA, OperationB)
- Group2 (OperationA)
- Group2 (OperationA,OperationB,OperationC).
Is there a way to implement this behavior? Thank you so much.
Answer 1:
Only possible via policy expressions. Use the choose policy and check which groups the current user is a member of (context.User.Groups); if you don't see the one you need, use return-response to stop request processing.
Answer 2:
In the operation's inbound policy you could add something like this:
    <choose>
        <!-- context.User.Groups is a collection of IGroup; use Any() with the Name property to test membership -->
        <when condition="@(context.User.Groups.Any(g => g.Name == "Group1"))">
            <return-response>
                <set-status code="403" reason="Unauthorized" />
                <set-body>Users in group Group1 do not have access to this method.</set-body>
            </return-response>
        </when>
    </choose>
These are the pieces of documentation I referenced to come up with this result:
- How to set up a conditional policy: https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#choose
- How to access the Group Name from the policy: https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables
- How to return the response: https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#ReturnResponse
This would make it so any user who belongs to Group1 would receive a response of "Users in group Group1 do not have access to this method." anytime they made a request to this API operation. If you add this to the inbound policy for the API the users in Group1 would be blocked from making calls to any operation in the API.
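The snippet above blocks one named group from one operation. The business rules in the question are an allow list per operation, which is safer written deny-by-default: an operation lets the request through only when the caller belongs to one of the groups permitted for it, and everyone else (including calls that carry no subscription, where context.User is null) gets a 403. The following is an added example, not code from the answer or from Microsoft's documentation; it assumes the group name Group3 from the question and that it is attached as the inbound policy of OperationC, the operation only Group3 may call.

```xml
<!-- Added example: inbound policy for OperationC. Only members of the allowed groups
     (here the assumed group "Group3") may call it; everyone else receives 403. -->
<policies>
    <inbound>
        <base />
        <!-- Compute the authorization decision once. context.User is null when the
             request is not tied to a subscription, so it is checked before .Groups
             to avoid a policy-expression exception that would surface as a 500. -->
        <set-variable name="isAllowed" value="@{
            var allowedGroups = new [] { "Group3" }; // assumed: groups permitted for this operation
            return context.User != null
                && context.User.Groups.Any(g => allowedGroups.Contains(g.Name));
        }" />
        <choose>
            <!-- Deny by default: anyone not in an allowed group is stopped here,
                 before the request reaches the backend. -->
            <when condition="@(!(bool)context.Variables["isAllowed"])">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error": "Your group is not authorized to call this operation."}</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Repeat the same policy on OperationA and OperationB with their own allowedGroups array (for the rules in the question, all three groups for OperationA and Group1 plus the third group for OperationB). Because the check is expressed as an allow list, adding a new group later does not grant it anything until it is explicitly listed, and the `<base />` element keeps any product- or API-level policies (rate limits, subscription validation) in force ahead of this check.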
Source: https://stackoverflow.com/questions/52173211/how-can-i-restrict-the-use-of-operations-in-azure-api-management-apim-per-user