- The organisation API operates with organisation-admin privileges on behalf of an organisation, and can create and manage that organisation's collaborations
- A user can create a token for use with a specific application; the application introspects that token to authenticate and authorise the user
- An application can use SCIM, either as a client or as a server (please refer to the documentation), to be provisioned with the collaborations connected to that application and their membership information
- A CLI application can use PAM web login to authenticate users with their SRAM identity
Token nomenclature
API | Token name (English) | Token name (Dutch) |
---|---|---|
Organisation API | organisation API token | organisatie-API-token |
User token introspection (member perspective) | application token | applicatietoken |
User token introspection (application admin perspective) | user introspection token | user introspection token |
SCIM server | SCIM token | SCIM token |
SCIM client | SCIM token | SCIM token |
PAM web login | PAM web login token | PAM web login token |
Unit-Scoped Tokens (Organisation API)
Overview
Traditionally, Organisation API tokens in SRAM were scoped to the entire organisation: a single token could read and modify every collaboration the organisation owned. To reduce the blast radius of a leaked or over-privileged token and to provide more granular access control, SRAM has introduced Unit-Scoped Tokens. These allow Organisation Administrators (Org Admins) to generate Organisation API tokens that are limited to specific units within their organisation.
Use Cases
1. Delegated Management: Organisations with Unit Managers who need to programmatically manage collaborations can be granted Organisation API access restricted to their respective units, ensuring they only manage resources pertinent to their unit.
2. Application-Specific Access: Organisations can provide application owners the ability to manage collaborations without granting them access to all collaborations within the organisation. By creating units and assigning collaborations to these units, Org Admins can generate tokens scoped to these units, limiting the application's access accordingly.
How to Generate a Unit-Scoped Token
Org Admins can generate Unit-Scoped Organisation API Tokens through the SRAM interface by selecting the desired units during the token creation process. These tokens inherit the permissions associated with the specified units, ensuring that API operations performed with the token are confined to the resources within those units.
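The following is an added, hypothetical model of the authorisation rule described above; it is not SRAM's own code, and its data model, the hashed token lookup, and the convention that a token with no units keeps the traditional organisation-wide scope are assumptions made for the illustration. It shows what "confined to the resources within those units" means in practice, including two edge cases a practitioner should check: a collaboration assigned to no unit is invisible to every unit-scoped token, and a unit-scoped token may only create collaborations inside its own units (otherwise it could create a collaboration it cannot manage afterwards, or one that lands in another unit's scope).

```python
"""Illustrative authorisation check for unit-scoped organisation API tokens.

Hypothetical example, not SRAM's code. Assumptions: a collaboration belongs
to zero or more units; a token with an empty unit set is the traditional
organisation-wide token; bearer secrets are stored only as a SHA-256 digest.
"""
from dataclasses import dataclass
import hashlib
import secrets


@dataclass(frozen=True)
class Collaboration:
    name: str
    organisation: str
    units: frozenset  # units this collaboration is assigned to (may be empty)


@dataclass(frozen=True)
class OrgApiToken:
    organisation: str
    units: frozenset  # empty = organisation-wide token (assumption)


def _digest(secret: str) -> str:
    # Store only a digest so a database leak does not leak usable tokens.
    # The secret is high-entropy, so a fast hash is sufficient here.
    return hashlib.sha256(secret.encode()).hexdigest()


class TokenStore:
    def __init__(self):
        self._by_digest = {}

    def issue(self, organisation, units=()) -> str:
        secret = secrets.token_urlsafe(32)
        self._by_digest[_digest(secret)] = OrgApiToken(organisation, frozenset(units))
        return secret  # shown once to the Org Admin at creation time

    def lookup(self, secret):
        return self._by_digest.get(_digest(secret))


def may_manage(token, collab) -> bool:
    """True if `token` may read or modify `collab`."""
    if collab.organisation != token.organisation:
        return False
    if not token.units:
        return True  # traditional organisation-wide token
    # Unit-scoped: the token and the collaboration must share a unit. A
    # collaboration assigned to no unit is therefore invisible to it.
    return not token.units.isdisjoint(collab.units)


def may_create(token, requested_units) -> bool:
    """A unit-scoped token may only create collaborations inside its own units.

    Requiring a non-empty subset stops a scoped token from creating a
    collaboration it could not manage afterwards, or one in another unit."""
    requested = frozenset(requested_units)
    if not token.units:
        return True
    return bool(requested) and requested <= token.units


def list_visible(token, collabs):
    return [c.name for c in collabs if may_manage(token, c)]


# Constructed sample data for the demonstration.
COLLABS = [
    Collaboration("ai-lab", "uni-a", frozenset({"research"})),
    Collaboration("it-ops", "uni-a", frozenset({"it"})),
    Collaboration("shared", "uni-a", frozenset({"research", "it"})),
    Collaboration("orphan", "uni-a", frozenset()),
    Collaboration("other", "uni-b", frozenset({"research"})),
]

STORE = TokenStore()
ORG_WIDE = STORE.issue("uni-a")
RESEARCH_ONLY = STORE.issue("uni-a", {"research"})


def demo():
    wide = STORE.lookup(ORG_WIDE)
    scoped = STORE.lookup(RESEARCH_ONLY)
    return {
        "org_wide": list_visible(wide, COLLABS),
        "research_only": list_visible(scoped, COLLABS),
        "scoped_create_own_unit": may_create(scoped, {"research"}),
        "scoped_create_other_unit": may_create(scoped, {"it"}),
        "scoped_create_no_unit": may_create(scoped, set()),
        "unknown_secret": STORE.lookup("not-a-token") is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the organisation-wide token listing all four `uni-a` collaborations, while the `research`-scoped token sees only `ai-lab` and `shared`, and is refused when it tries to create a collaboration in `it` or in no unit at all.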
An example of the interface for generating tokens is below. Note: the displayed token in the image below is only an example and will not actually work.