To configure access claims for the Plant API in a third-party authorization provider, you must add claim types and authorize groups.
This quick guide gives you the information you need for configuring access claims,
but it cannot give you step-by-step instructions for third-party applications. For
more help with your third-party application, see its documentation.
Add supported claim types
- Add the Access claim type for the web API if it does not already exist for the Plant API.
- Set the values for the Access claim type as follows:

  | Value | Setting |
  | --- | --- |
  | Name | Access |
  | User Name | Plant Access |
  | Type | String |
  | Values | leave blank |
  | Required | No |
  | Unique | No |

Authorize groups
- Add a Plant Access claim for each plant in the Smart 3D site to which the group needs at least READ access.
  To give access to multiple plants, use an asterisk ( * ) as a wildcard. For example, to give access to all plants, give a plant name of *.
  Make sure to:
  - Prefix the site name to the plant name using the syntax SiteName:PlantName.
  - Repeat these steps for any existing groups that access one or more plants in the Smart 3D Site.
- Add a scope with the API Service ID that is used while creating the website. Include this scope in your access tokens.
  Because the scope value is a GUID, make sure you capitalize any letters it contains, for example: 94A3D2D5-91B2-4B67-BDEB-E66CE8534FA5.
- Include the email scope in all your access tokens. This is necessary because the API relies on the email scope for processing requests.
- For all users who log in with Windows Active Directory credentials, configure your Sub claim to include user information in the format (AD Domain)\\(AD UserName). This is necessary because the application validates Windows Active Directory users for permissions on the plant.
- By default, the scope is used as the service audience. If you want to specify a different service audience, you must add the audience attribute to the Plant API configuration file:
[Installation Path]\Smart3D\WebApi\WebServer\appsettings.json
This attribute should match the audience field in API Manager settings. For example:
<service prefix="s3d/v1"
id="1591be37-f39f-4117-bd22-e65216d3e7c5"
audience="1591be37-f39f-4117-bd22-e65216d3e7c5"
secret="******************" instance="" />
For more information about app settings in the API configuration file, see API application settings file.
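
The following Python check is an added example, not part of the product or its documentation. It tests a decoded access-token payload against the requirements listed above before you point the Plant API at your provider. The claim keys `Access`, `scope` (space-delimited), `sub` and `aud`, the case-sensitive comparisons, the partial-wildcard matching, and the sample site, plant and user names are assumptions.

```python
import re

# Page example value; letters in the GUID scope must be upper case.
SERVICE_ID = "94A3D2D5-91B2-4B67-BDEB-E66CE8534FA5"
GUID_UPPER = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")
# The page writes the separator as "\\"; one or two backslashes pass (assumption).
AD_SUB = re.compile(r"^[^\\]+\\{1,2}[^\\]+$")

def _access_values(claims):
    """Access claim values as a list (claim key "Access" is an assumption)."""
    value = claims.get("Access", [])
    return [value] if isinstance(value, str) else list(value)

def check_token(claims, service_id=SERVICE_ID, audience=None, ad_user=True):
    """Return the list of requirements a decoded token payload fails."""
    problems = []
    scopes = claims.get("scope", "").split()
    if not GUID_UPPER.match(service_id):
        problems.append("API Service ID is not an upper-case GUID")
    if service_id not in scopes:  # case-sensitive compare (assumption)
        problems.append("API Service ID scope missing")
    if "email" not in scopes:
        problems.append("email scope missing")
    aud = claims.get("aud")
    expected = audience or service_id  # the scope is the default audience
    if expected not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match the service audience")
    if ad_user and not AD_SUB.match(claims.get("sub", "")):
        problems.append("sub is not Domain\\UserName")
    values = _access_values(claims)
    if not values:
        problems.append("no Access claim")
    for v in values:
        site, sep, plant = v.partition(":")
        if not (sep and site and plant):
            problems.append(f"Access value {v!r} is not SiteName:PlantName")
    return problems

def plant_allowed(claims, site, plant):
    """True if an Access value grants the plant; '*' matches any run of characters."""
    for v in _access_values(claims):
        s, sep, pattern = v.partition(":")
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if sep and s == site and re.fullmatch(regex, plant):
            return True
    return False

# Constructed sample payload (site, plant and user names are made up).
SAMPLE = {"sub": "CORP\\jdoe", "aud": SERVICE_ID,
          "scope": f"{SERVICE_ID} email", "Access": ["Site1:PlantA", "Site2:*"]}
```

An empty list from `check_token(SAMPLE)` means the payload meets every requirement checked; pass `audience=` when the Plant API configuration sets a service audience different from the scope.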
What's next?
Pick your path:
- If you are using this or another third-party authorization provider for the Admin API - Use that authorization provider to configure the access claims for the Admin API.
- If you are using Smart API Manager as the authorization provider for the Admin API - Use Smart API Manager to configure the access claims for the Admin API.