Tech Blog

Working with API Restriction Profiles

See also APIs – Using API Restriction Profiles.pptx

 

There are cases in which institutions give an API key to a third party, in order to allow them to submit APIs. For example, institutions that use Real Time Ordering integration give an API key to a vendor (e.g. ProQuest) in order to create PO-lines.

In a situation such as this, we would like to limit the third party,  to make sure they do not use the API key for other purposes. This is where an “API Restrictions” profile should be created in Alma: This profile defines a set of restrictions that would be verified before performing the API request.

Currently “API restrictions” are relevant only for Fulfilment and Acquisitions APIs.

The following steps should be done in order to add restrictions:

  1. Create an “API Restrictions” profile in Alma
  2. Assign the profile to an API key

Create an “API Restrictions” profile in Alma

This is an integration profile of the “API Restrictions” type.

Currently, it is possible to define the following restrictions:

  • Vendor – when submitting APIs, the defined vendor code must be the vendor code used for the API. For example, if the defined vendor is ABC, then only PO lines with this vendor code in the payload will be created. It will not be possible to create orders for different vendors.
  • Fund view – defines whether the GET funds API should return sensitive information such as balance.
  • [New for Dec 2021] Libraries – one or more libraries which the Fulfilment APIs will be limited to: Requests, loans, Resource Sharing requests, Fine & Fees.

Assign the profile to an API key

This is done as part of the API keys management – in Developer Network:

Note that the information that should be placed in the “Restrictions Profile” field is the profile code.

 

The following diagram illustrates the workflow:

Leave a Reply