23.12.2019
Authors:

WSO2 API Management: Permissions Model, Authorization, Analytics and API Life Cycle

API Management Solutions are elements of a mature integration architecture. They provide API management functionalities for all interested parties (developers, administrators, consumers). In this article, I will briefly present a solution that we use for this purpose in Unity – WSO2 API Manager.

API Management and approaches to it

First, I’ll present how API management is defined and the elements comprising it:

  • sharing the API catalog – a place (website) where the API can be viewed, checked, evaluated, etc.,
  • API life cycle management – creating, prototyping, publishing or disabling the API,
  • load-balancing,
  • API access limitation – determining who and on what terms will have access to specific resources,
  • monitoring and analytical dashboards showing e.g. statistics on the use of the API,
  • API security (authentication and authorization).

Of course, these functionalities can also be implemented in a different way using certain programming frameworks/libraries (e.g. Spring Boot, Swagger) or additional tools (e.g. Nginx, Prometheus). By using these types of elements, most of the basic functionalities can be implemented with little effort. Using the (example) tools/frameworks usually does not require the acquisition of additional knowledge by programmers or DevOps teams (as a rule, they are still used for other purposes).

Each of the approaches (dedicated API Management solution and programming tools/frameworks) has its specific features. The advantages of API Management are evident when you look at the API from the perspective of the entire organization. Then it becomes important that our APIs are shared, monitored and secured in a uniform and fast way. In addition, API Management solutions, dedicated to this purpose, provide several advanced functions. Their implementation is no trivial matter. If we add to this the constantly growing popularity of API, as well as the extension of selected API Management solutions, it comes as no surprise that they make up an increasingly frequent element of IT architecture in organizations.

API Management solutions are used both to publish APIs within an organization (in local networks) and to make them publicly available on the Internet. Publishing an API outside the organization is perfectly understandable, not only due to the automation of data exchange with partners but also to such concepts as commercialization (monetization) of the API. However, internal APIs are equally important. They are used by cooperating development teams, and work can be accelerated when there is a unified mode and place for sharing them. This is of increasing significance because of the growing importance and popularity of microservice architectures.

WSO2 API Management characteristics

A full description of the solution can be found on the product’s website. In this section I’ll briefly present its characteristics, with attention paid to the most important and most interesting issues.

API Management and role and permissions model

WSO2 API Management provides 4 basic consoles (websites) enabling the execution of individual operations:

  • / carbon – a management console that allows you to add and modify roles and users, configure the Manager API and monitor technical metrics (e.g. from JVM),
  • / publisher – a console that allows you to publish the API and view basic statistical data,
  • / admin – a console that allows you to configure elements related to published APIs (e.g. custom access restrictions, alerts),
  • / store – console presenting published API (endpoints, swagger console enabling testing, documentation, SDK) and allowing to subscribe to them.

The role and authorization model is quite extensive and allows you to create roles (and assign users to them) entitling you to selected actions (about 100 different rights). This means you can create separate roles to view statistics, publish APIs, manage the server, use the API, etc.

Authorization/limitation of API access

Access to the API is secured at many levels. The first of these is authorization, which is most often implemented (in production solutions) through OAuth2 or SAML tokens. There are more possibilities, and details can be found on product’s website. Using OAuth2 scopes also allows you to block access to selected methods of a given API.

One element that should be given consideration in this respect is limitation or throttling. It allows you to limit requests sent to the API. These restrictions may apply to both the number of requests and the size of the data sent from/to the API (e.g. in KB). The entire API may be subject to limitation or only its selected methods (e.g. to protect the backend system against excessive loads). You can also limit access for selected users (e.g. by subscription level). The ability to set limits at many levels gives you great flexibility in terms of protection against excessive use of the API.

Analytics

API statistics are available by default – however, they require the installation of a dedicated module (API Management Analytics or Analytics & Stream Processing). Basic charts show information such as the number of requests sent to the API by individual clients over time, the number of unsuccessful queries, published APIs, and subscribed users.

An additional option is to use a dedicated portal that allows you to prepare dedicated dashboards and charts for individual users. It should be mentioned here that the analytical module is based on a stream processing. This allows full freedom in what happens to analytical data published to streams. In the simplest case, they can be saved to an external database and further “processed” using other analytical tools (e.g. Power BI). In a more complicated scenario, you can search for streams of certain anomalies and prepare an alert mechanism (e.g. e-mail) regarding, for example, capture of unwanted use of the API.

API life cycle

The API life cycle is particularly important when it is used by many clients. Any change to the API can affect and force a modification on the side of client systems and applications. Therefore, whenever you modify the API, you should consider whether it should be done through alteration or, for example, by releasing a new version. Similarly, depreciation, blocking and disabling the API should always be done with caution. WSO2 API Management supports API life cycle management at all the stages mentioned above.

Summary

In the face of progressing digitization and integration of IT solutions, as well as changing approaches to software construction (microservices), the importance of API is constantly growing. Appropriate API management is therefore extremely important. One of the ways to handle this task is an API Management solution that enables uniform sharing, securing and monitoring of the API. WSO2 API Management stands out in this class of solutions which, in addition to its complete and expandable set of functionalities, is fully available under an open-source license.

Our Experts
/ Knowledge Shared

Ilustracja przedstawiająca robota reprezentującego sztuczną inteligencję, otoczonego symbolami wyzwań i błędów w sztucznej inteligencji. Obraz zawiera pomarańczowy mózg, zepsutą żarówkę i cyfrowe piksele, symbolizujące dane i zagrożenia etyczne związane z awariami sztucznej inteligencji
30.10.2024

The Complex World of AI Failures / When Artificial Intelligence Goes Terribly Wrong

Artificial Intelligence

AI has revolutionized industries, offering impressive capabilities in efficiency, speed, and innovation. However, as AI systems become more integrated into business operations, it becomes evident that these tools are not without flaws. From minor glitches to significant ethical issues, AI failures highlight the fragility of these systems. Businesses must...

AI w optymalizacji łańcucha dostaw materiałów budowlanych
28.10.2024

Application of Artificial Intelligence in Optimizing the Supply Chain of Building Materials

Artificial Intelligence

Can artificial intelligence revolutionize the management of building materials supply chains? Learn how AI can help optimize demand forecasting, manage orders and inventory, minimize risks, and personalize customer offerings. Discover the future of AI in the construction industry. The supply chain in the building materials industry is a complex and...

08.10.2024

Magento Open Source vs. Adobe Commerce / Which E-Commerce Solution Fits Your Business Needs? 

E-Commerce

Choosing the right e-commerce platform is a key decision that can determine the success of your online business. Magento Open Source and Adobe Commerce are two popular solutions that offer different capabilities tailored to the needs of companies. While Magento Open Source is a flexible open-source platform, ideal for smaller companies, Adobe Commerce...

Expert Knowledge
For Your Business

As you can see, we've gained a lot of knowledge over the years - and we love to share! Let's talk about how we can help you.

Contact us

<dialogue.opened>