Tech Blog

Working with API Restriction Profiles

There are cases in which institutions give an API key to a third party so that the third party can call APIs on their behalf. For example, institutions that use the Real Time Ordering integration give an API key to a vendor (e.g. ProQuest) so that the vendor can create PO lines.

In a situation like this we would like to limit the third party, to make sure they do not use the API key for other purposes. This is where an “API Restrictions” profile should be created in Alma. The profile defines a set of restrictions that are checked before an API call is performed.

Currently “API restrictions” are relevant only for Acquisitions APIs.

Adding restrictions takes two steps:

  1. Create an “API Restrictions” profile in Alma
  2. Assign the profile to an API key

Create an “API Restrictions” profile in Alma

This is an integration profile of “API Restrictions” type.

Currently it is possible to define the following restrictions:

  • Vendor – when calling the API, the vendor code in the request must match the vendor code defined in the profile. For example, if the defined vendor is ABC, then only PO lines with this vendor code in the payload will be created. It will not be possible to create orders for different vendors.
  • Fund view – defines whether the GET funds API should return sensitive information such as balance.
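A minimal model of how these two restrictions behave, added here as an illustration and not taken from Alma's code. The profile layout, the simplified paths, the payload field names (`vendor.value`, `available_balance`, `allocated_balance`) and the fail-closed handling of a missing vendor are all assumptions.

```python
# Illustrative model of an "API Restrictions" profile; not Alma's implementation.
# Profile layout, paths, field names and fail-closed choices are assumptions.
from copy import deepcopy

SENSITIVE_FUND_FIELDS = {"available_balance", "allocated_balance"}  # assumed names


def apply_restrictions(profile, method, path, body):
    """Return (allowed, body). `body` is the request payload for POST
    and the response payload for GET."""
    # Restrictions currently apply only to Acquisitions APIs; every other
    # API is governed solely by the permissions of the key itself.
    if not path.startswith("/acq/"):
        return True, body

    if method == "POST" and path == "/acq/po-lines":
        vendor = (body.get("vendor") or {}).get("value")
        # Fail closed: a missing vendor is treated like a mismatch.
        return vendor == profile["vendor"], body

    if method == "GET" and path == "/acq/funds" and not profile["fund_view_sensitive"]:
        redacted = deepcopy(body)  # never mutate the caller's data
        for fund in redacted.get("fund", []):
            for field in SENSITIVE_FUND_FIELDS:
                fund.pop(field, None)
        return True, redacted

    return True, body


# Constructed sample data.
PROFILE = {"vendor": "ABC", "fund_view_sensitive": False}
FUNDS = {"fund": [{"code": "F1", "name": "Books", "available_balance": 1200.0}]}

if __name__ == "__main__":
    for v in ("ABC", "XYZ", None):
        payload = {"vendor": {"value": v}} if v else {}
        print(v, apply_restrictions(PROFILE, "POST", "/acq/po-lines", payload)[0])
    print(apply_restrictions(PROFILE, "GET", "/acq/funds", FUNDS)[1])
```

The first branch is the point to remember when reviewing a third-party key: the profile narrows Acquisitions calls only, so the key's own permissions still need to be limited to what the vendor requires.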

Assign the profile to an API key

This is done as part of API key management in the Developer Network.

Note that the information that should be placed in the “Restrictions Profile” field is the profile code.

 

The following diagram illustrates the workflow:
