Security Settings for DX API

Secure access to your DX API endpoints by learning about authentication settings and access role privileges.

Authentication settings for Service Package

To authenticate DX API endpoints, configure the authentication settings through the api service package.

For more information about service packages, see About Service Package data instances.

The following types of authentication are available for a service package:

  • Basic
  • OAuth 2.0
  • Custom

For more information about the types of authentication, see Service Package form - Completing the Context tab.

Edit Service Package - Context tab

To access endpoints more securely, use OAuth 2.0 as the authentication type.

To configure OAuth 2.0, see the following articles:

Access role privileges

Every endpoint is mapped to a privilege. You can provide users with specific privileges so that they can perform the actions associated with the corresponding endpoints.

The privileges are included with the PegaRULES:PegaAPI access role. By default, this role is available only to the Administrator and Author access groups. To grant a user access to the DX API, add the PegaRULES:PegaAPI access role to the user's access group.

The following table depicts the endpoints that correspond to each privilege.

HTTP Method   Endpoint                                              Privilege
POST          api/v1/cases                                          pxCreateCase
GET           api/v1/assignments/{ID}/actions/{actionID}            pxGetAssignments
PUT           api/v1/assignments/{ID}/actions/{actionID}/refresh    pxGetAssignments
GET           api/v1/assignments                                    pxGetAssignments
GET           api/v1/assignments/{id}                               pxGetAssignments
GET           api/v1/spaces                                         pxGetAssignments
GET           api/v1/notifications                                  pxGetAssignments
GET           api/v1/casetypes/{ID}                                 pxGetCaseTypes
PUT           api/v1/casetypes/{ID}/refresh                         pxGetCaseTypes
GET           api/v1/casetypes                                      pxGetCaseTypes
GET           api/v1/cases/{ID}/actions/{actionID}                  pxGetCases
PUT           api/v1/cases/{ID}/actions/{actionID}/refresh          pxGetCases
GET           api/v1/cases                                          pxGetCases
GET           api/v1/cases/{id}                                     pxGetCases
GET           api/v1/cases/{ID}/pages/{pageID}                      pxGetCases
GET           api/v1/cases/{ID}/views/{viewID}                      pxGetCases
GET           api/v1/data/{id}                                      pxGetDataPage
GET           api/v1/data/{id}/{metadata}                           pxGetDataPage
POST          api/v1/assignments/{id}                               pxPerformAssignment
PUT           api/v1/cases                                          pxUpdateCase
PUT           api/v1/cases/{id}                                     pxUpdateCase
GET           api/v1/applications                                   pxGetApplications
POST          api/v1/messages                                       pxCreatePulse
POST          api/application/v2/messages                           pxCreatePulse
GET           api/v1/documents/{id}                                 pxGetDocumentDetails
GET           api/v1/documents                                      pxGetDocuments
GET           api/v1/messages                                       pxGetMessages
GET           api/application/v2/messages                           pxGetMessages
GET           api/v1/spaces/{id}                                    pxGetSpaces
GET           api/v1/spaces/{id}/pins                               pxGetSpaces
GET           api/v1/pins                                           pxGetSpaces
PUT           api/v1/spaces/{id}/join                               pxUpdateSpace
PUT           api/v1/spaces/{id}/leave                              pxUpdateSpace
POST          api/v1/applications                                   pxCreateApplication
PATCH         api/v1/accessgroups/{ID}                              pxUpdateAccessGroup
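The table above is what an access-control review has to check against: every request must carry the privilege of its row, and a request to an endpoint that is not in the table should be refused rather than silently allowed. The following is an added example, not Pega's own code, that transcribes the table into a deny-by-default pre-check a gateway or test harness could run before forwarding a DX API call. Where the page leaves a privilege cell blank, the endpoint is read as sharing the privilege of the row above it (the rendered table merges those cells). The access-group privilege sets and the case IDs are constructed for the example.

```python
import re

# Endpoint-to-privilege table transcribed from the page: (HTTP method, path template, privilege).
ENDPOINT_PRIVILEGES = [
    ("POST",  "api/v1/cases",                                        "pxCreateCase"),
    ("GET",   "api/v1/assignments/{ID}/actions/{actionID}",          "pxGetAssignments"),
    ("PUT",   "api/v1/assignments/{ID}/actions/{actionID}/refresh",  "pxGetAssignments"),
    ("GET",   "api/v1/assignments",                                  "pxGetAssignments"),
    ("GET",   "api/v1/assignments/{id}",                             "pxGetAssignments"),
    ("GET",   "api/v1/spaces",                                       "pxGetAssignments"),
    ("GET",   "api/v1/notifications",                                "pxGetAssignments"),
    ("GET",   "api/v1/casetypes/{ID}",                               "pxGetCaseTypes"),
    ("PUT",   "api/v1/casetypes/{ID}/refresh",                       "pxGetCaseTypes"),
    ("GET",   "api/v1/casetypes",                                    "pxGetCaseTypes"),
    ("GET",   "api/v1/cases/{ID}/actions/{actionID}",                "pxGetCases"),
    ("PUT",   "api/v1/cases/{ID}/actions/{actionID}/refresh",        "pxGetCases"),
    ("GET",   "api/v1/cases",                                        "pxGetCases"),
    ("GET",   "api/v1/cases/{id}",                                   "pxGetCases"),
    ("GET",   "api/v1/cases/{ID}/pages/{pageID}",                    "pxGetCases"),
    ("GET",   "api/v1/cases/{ID}/views/{viewID}",                    "pxGetCases"),
    ("GET",   "api/v1/data/{id}",                                    "pxGetDataPage"),
    ("GET",   "api/v1/data/{id}/{metadata}",                         "pxGetDataPage"),
    ("POST",  "api/v1/assignments/{id}",                             "pxPerformAssignment"),
    ("PUT",   "api/v1/cases",                                        "pxUpdateCase"),
    ("PUT",   "api/v1/cases/{id}",                                   "pxUpdateCase"),
    ("GET",   "api/v1/applications",                                 "pxGetApplications"),
    ("POST",  "api/v1/messages",                                     "pxCreatePulse"),
    ("POST",  "api/application/v2/messages",                         "pxCreatePulse"),
    ("GET",   "api/v1/documents/{id}",                               "pxGetDocumentDetails"),
    ("GET",   "api/v1/documents",                                    "pxGetDocuments"),
    ("GET",   "api/v1/messages",                                     "pxGetMessages"),
    ("GET",   "api/application/v2/messages",                         "pxGetMessages"),
    ("GET",   "api/v1/spaces/{id}",                                  "pxGetSpaces"),
    ("GET",   "api/v1/spaces/{id}/pins",                             "pxGetSpaces"),
    ("GET",   "api/v1/pins",                                         "pxGetSpaces"),
    ("PUT",   "api/v1/spaces/{id}/join",                             "pxUpdateSpace"),
    ("PUT",   "api/v1/spaces/{id}/leave",                            "pxUpdateSpace"),
    ("POST",  "api/v1/applications",                                 "pxCreateApplication"),
    ("PATCH", "api/v1/accessgroups/{ID}",                            "pxUpdateAccessGroup"),
]


def _compile(template):
    """Turn a path template into a regex: each {name} segment matches exactly one path segment."""
    parts = [r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("/".join(parts))


_COMPILED = [(method, _compile(template), priv) for method, template, priv in ENDPOINT_PRIVILEGES]


def required_privilege(method, path):
    """Return the privilege guarding (method, path), or None if the endpoint is not in the table."""
    path = path.strip("/")
    for m, rx, priv in _COMPILED:
        if m == method.upper() and rx.fullmatch(path):
            return priv
    return None


def authorize(method, path, granted_privileges):
    """Deny by default: an unmapped endpoint and a missing privilege are both refused."""
    priv = required_privilege(method, path)
    if priv is None:
        return False, "no privilege mapped for this endpoint"
    if priv not in granted_privileges:
        return False, f"missing privilege {priv}"
    return True, priv


# Constructed privilege sets standing in for access groups (not real Pega configuration).
FULL_PEGAAPI_ROLE = {priv for _, _, priv in ENDPOINT_PRIVILEGES}
READ_ONLY_CASEWORKER = {"pxGetCases", "pxGetAssignments", "pxGetCaseTypes", "pxGetDataPage"}

if __name__ == "__main__":
    for method, path in [("GET", "api/v1/cases/C-100"), ("PATCH", "api/v1/accessgroups/EXAMPLE-GROUP")]:
        print(method, path, authorize(method, path, READ_ONLY_CASEWORKER))
```

Because the check matches on method as well as path, the read-only set above can fetch a case but cannot reach the PATCH on api/v1/accessgroups, which is the kind of split a least-privilege access group should show when you review it.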

Additional privileges

Additional privileges enable field-level security while performing specific actions. When field-level security is enabled, user requests to Pega Platform™ are validated against the fields added by the user to the view. If additional fields are passed in the input, a 400 Bad Request error is returned.

Use the dynamic system setting DebugPegaAPI to log the additional fields in the Pega API Rest Service Info statements. For more information about configuring dynamic system settings, see Configuring dynamic system settings.

Additional privileges are not included with the PegaRULES:PegaAPI access role. To grant users, administrators, or authors access to the DX API, add the additional privileges to application access roles, such as the <application>:PegaAPI access role.

The following table describes the usage of each additional privilege.

Additional privilege       Usage
pxCreateCaseDX             Enables field-level security while creating a case.
pxUpdateCaseDX             Enables field-level security while updating a case.
pxPerformAssignmentDX      Enables field-level security while performing an assignment.
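The behaviour described above, in an added example that is not Pega's own code: the DX privilege held by the caller decides whether the field check runs, and when it runs, any field in the request content that is not on the view produces a 400 rather than being written. The view field names, the request content and the response bodies are constructed; the check looks only at top-level content fields, which is an assumption made for this example (the page does not describe nested pages). The debug_pega_api flag stands in for the DebugPegaAPI dynamic system setting and logs the unexpected fields the way the page describes.

```python
import logging

logger = logging.getLogger("PegaAPI")  # constructed stand-in for the Pega API REST Service Info log

# Action -> additional privilege, from the table above.
ACTION_PRIVILEGE = {
    "createCase": "pxCreateCaseDX",
    "updateCase": "pxUpdateCaseDX",
    "performAssignment": "pxPerformAssignmentDX",
}


def field_level_check(action, granted_privileges, view_fields, content, debug_pega_api=False):
    """Return (http_status, body) for a request's content under field-level security.

    Field-level security is enforced only when the caller holds the action's DX privilege,
    as the page states. When enforced, fields absent from the view are rejected with 400.
    """
    priv = ACTION_PRIVILEGE[action]
    if priv not in granted_privileges:
        # Privilege not granted: field-level security is not in effect for this action.
        return 200, {"fieldLevelSecurity": "not enforced", "reason": f"{priv} not granted"}

    allowed = set(view_fields)
    unexpected = sorted(field for field in content if field not in allowed)
    if unexpected:
        if debug_pega_api:
            # Mirrors the DebugPegaAPI setting: log which fields were not on the view.
            logger.info("Pega API REST Service Info: fields not on view: %s", unexpected)
        return 400, {"status": "Bad Request", "unexpectedFields": unexpected}

    return 200, {"fieldLevelSecurity": "enforced", "accepted": sorted(content)}


# Constructed view and request content (not a real application's data).
VIEW_FIELDS = ["CustomerName", "LoanAmount"]
REQUEST_CONTENT = {"CustomerName": "Example Customer", "LoanAmount": 1000, "ApprovalStatus": "Approved"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(field_level_check("createCase", {"pxCreateCaseDX"}, VIEW_FIELDS, REQUEST_CONTENT, debug_pega_api=True))
    print(field_level_check("createCase", set(), VIEW_FIELDS, REQUEST_CONTENT))
```

The constructed request carries an ApprovalStatus field that is not on the view; with pxCreateCaseDX granted it is refused, and without the privilege the same request passes, which is why the page tells you to add these privileges to the application access roles rather than rely on the base PegaRULES:PegaAPI role.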

Application settings

The pyDXAPIEncodeValues application setting protects users from cross-site scripting attacks.

It is applied in the following DX API endpoints:

  • GET /casetypes/{ID}
  • GET /casetypes/{ID}/refresh
  • GET /assignments/{ID}/actions/{ID}
  • GET /assignments/{ID}/actions/{ID}/refresh
  • GET /cases/{ID}/actions/{ID}
  • GET /cases/{ID}/actions/{ID}/refresh

If the pyDXAPIEncodeValues application setting is set to true, all the special characters in the response are converted into HTML entities.
For example, 100% is converted to 100&#37;.
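As an added example (not Pega's own implementation), the following reproduces the documented transformation over a whole decoded JSON response: every string value is rewritten with numeric HTML entities, so 100% becomes 100&#37; and markup characters in user-entered text can no longer be interpreted by a browser that renders the value as HTML. The page does not list exactly which characters Pega treats as special; the rule used here (encode everything that is not a letter, digit or whitespace) is an assumption chosen to match the page's example, and object keys are left untouched, also an assumption. The sample response is constructed.

```python
import html


def encode_value(text):
    """Convert each character that is not a letter, digit or whitespace into a numeric HTML entity.

    The character set is an assumption made for this example; it reproduces the page's
    example 100% -> 100&#37; and also covers <, >, &, quotes and similar markup characters.
    """
    return "".join(ch if ch.isalnum() or ch.isspace() else f"&#{ord(ch)};" for ch in text)


def encode_response(node):
    """Walk a decoded JSON response and encode every string leaf.

    Numbers, booleans and null are returned unchanged; dictionary keys are not encoded.
    """
    if isinstance(node, str):
        return encode_value(node)
    if isinstance(node, list):
        return [encode_response(item) for item in node]
    if isinstance(node, dict):
        return {key: encode_response(value) for key, value in node.items()}
    return node


def round_trips(text):
    """True when decoding the encoded value gives the original back, i.e. no data is lost for a UI that decodes."""
    return html.unescape(encode_value(text)) == text


# Constructed sample of what a view or action endpoint might return (not real Pega output).
SAMPLE_RESPONSE = {
    "caseID": "C-100",
    "content": {"Discount": "100%", "Note": "Ship <b>today</b> & invoice"},
    "fields": [{"label": "Amount", "required": True, "value": 42}],
}

if __name__ == "__main__":
    print(encode_response(SAMPLE_RESPONSE))
```

Because the encoding is reversible with a standard entity decoder, a client that already treats DX API values as text loses nothing by turning the setting on, while a client that injects them into HTML without escaping is no longer exposed by them.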
