Adding URL parameter based on user's attribute - where should this be implemented?

MioYasutake
SAP Champion

I have a UI5 app which calls an external user API.

I want to add the URL parameter "company" to limit the records displayed to the user for authorization purposes. "company" is determined based on an attribute assigned to the user's role.

However, calling the API directly from the UI is not safe, as the user can get the API URL from the network tab and call the API directly from the browser without company parameter added.

So, the next idea is to create a proxy app that retrieves user's attribute and adds company parameter.

This would work, but creating a proxy app purely for adding a URL parameter seems overkill. Is there a better way to achieve this? For example, can API Management be used for this purpose?

Thanks,

Mio

Answers (2)

nicoschoenteich
Developer Advocate

I recently faced a similar situation and wrote a blog post about the solution I found: https://blogs.sap.com/2022/03/10/ui5-apps-and-api-keys-a-secure-way/comment-page-1/#

abhishekmodi
Product and Topic Expert

Hello Mio,

I would prefer to use the term side-by-side extension for such scenarios. Exactly such an example is illustrated here, where the log is restricted to viewer roles only. You can refer to the playlist from this blog. I am not sure about your exact scenario; however, if you have a custom API then you can modify it in the backend to derive the company code and then restrict the records. But if you are using the standard APIs then the preferred solution would be to implement a side-by-side extension.

MioYasutake
SAP Champion

Hi Abhishek Modi,

Thank you for your response. The API will be developed outside BTP and it has no way (I believe) to derive the company code.

So I will explore the side-by-side extension approach as you suggested.

Thanks,