To configure access claims for the Admin API in a third-party authorization provider, you must add claim types and authorize groups.
This quick guide gives you the information you need for configuring access claims, but it cannot give you step-by-step instructions for third-party applications. For more help with your third-party application, see its documentation.
Add supported claim types
- Add the SiteCreatorAccess claim type, and set the values as follows:

  Setting   | Value
  ----------|--------------------
  Name      | SiteCreatorAccess
  User Name | Site creator access
  Type      | Enum
  Values    | Grant
  Required  | No
  Unique    | Yes
- Add the SiteReadAccess claim type, and set the values as follows:

  Setting   | Value
  ----------|--------------------
  Name      | SiteReadAccess
  User Name | Read access to site
  Type      | String
  Values    | leave blank
  Required  | No
  Unique    | No
- Add the SiteWriteAccess claim type, and set the values as follows:

  Setting   | Value
  ----------|----------------------
  Name      | SiteWriteAccess
  User Name | Writer access to site
  Type      | String
  Values    | leave blank
  Required  | No
  Unique    | No
Authorize groups
- Add the necessary claims for each plant in the Smart 3D site:

  Claim             | Required for
  ------------------|-------------
  SiteCreatorAccess | Configurations where the user needs to perform the CreateSite, RestoreSite, or EnableSite actions.
  SiteReadAccess    | Each SiteAlias on the site that the user will have read access to. The user has read access to all entities and can perform GET operations.
  SiteWriteAccess   | Each SiteAlias on the site that the user will have write access to. The user can perform PATCH, PUT, POST, and DELETE operations, and all actions except those that only the SiteCreatorAccess claim allows.
  Make sure to:

  - Prefix the site name to the plant name using the syntax SiteName:PlantName. To give access to multiple plants, use an asterisk (*) as a wildcard. For example, to give access to all plants, give a plant name of *.
  - Repeat these steps for any existing groups that access one or more plants in the Smart 3D site.
- Add a scope with the API Service ID that is used while creating the website. Include this scope in your access tokens. Because the scope value is a GUID, make sure you capitalize any letters it contains, for example: 94A3D2D5-91B2-4B67-BDEB-E66CE8534FA5.
- Include the email scope in all your access tokens. This is necessary because the API relies on the email scope for processing requests.
- For all users who log in with Windows Active Directory credentials, configure your sub claim to carry the user identity in the format (AD Domain)\(AD UserName). This is necessary because the application validates Windows Active Directory users for permissions on the plant.
- By default, the scope is used as the service audience. If you want to specify a different service audience, you must add the ServiceAudience attribute to the Admin API configuration file:

    [Installation Path]Smart3D\WebApi\AdminWebServer\appsettings.json

  This attribute value must match the audience value in the API Manager. For example (other settings in the file omitted):

    {
      "Hexagon.SmartApi": {
        "BaseUri": "https://Server.com/adminwebapi",
        "Services": [
          {
            "UriPrefix": "s3dadmin/v1",
            "ServiceId": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
            "ServiceAudience": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
            "ServiceSecret": "***",
            "ServiceSecretHash": "*****",
            "InstanceName": ""
          }
        ]
      }
    }
For more information about app settings in the API configuration file, see API application settings file.
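The access model described above (audience, required scopes, sub format for Active Directory users, and the three claims keyed by SiteName:PlantName with the * wildcard) is easiest to understand as the decision a resource server has to make for each request. The following is an added example, not code from the Smart 3D documentation or from Hexagon, that evaluates a decoded token against those rules. It assumes the token signature was already verified by a JWT library, that a GET needs SiteReadAccess and every other method or action needs SiteWriteAccess (the page does not say whether write implies read), and that the caller knows whether the user logged in with Windows credentials (the ad_login flag). The sample config, the plant and site names, and the tokens are constructed; the ServiceId value is the one shown in the appsettings.json fragment above.

```python
"""Evaluate decoded access-token claims against the Admin API access model.

Added example, not from the Smart 3D documentation. Works only on claims
that a JWT library has already signature-checked.
"""
import re

CREATOR_ACTIONS = {"CreateSite", "RestoreSite", "EnableSite"}  # SiteCreatorAccess only
WRITE_METHODS = {"PATCH", "PUT", "POST", "DELETE"}             # SiteWriteAccess
AD_SUB_FORMAT = re.compile(r"^[^\\\s]+\\[^\\\s]+$")             # (AD Domain)\(AD UserName)


def _as_list(value):
    """Providers emit a single string or a list for multi-valued claims."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def plant_matches(granted: str, site: str, plant: str) -> bool:
    """True if a SiteName:PlantName grant covers the requested plant.

    A plant name of '*' covers every plant on that site. A value without
    the site prefix is malformed and never matches (deny by default)."""
    if ":" not in granted:
        return False
    granted_site, granted_plant = granted.split(":", 1)
    return granted_site == site and granted_plant in ("*", plant)


def check_token(claims: dict, config: dict, site: str, plant: str,
                operation: str, ad_login: bool = False):
    """Return (allowed, reason) for one operation on SiteName:PlantName.

    operation is an HTTP method (GET, PATCH, ...) or an action name such as
    CreateSite; config mirrors one Hexagon.SmartApi service entry."""
    # Audience: ServiceAudience when configured, otherwise the service scope.
    expected_aud = config.get("ServiceAudience") or config["ServiceId"]
    audiences = _as_list(claims.get("aud"))
    if not any(str(a).casefold() == expected_aud.casefold() for a in audiences):
        return False, "audience does not match ServiceAudience"

    # Scopes: the service ID GUID with letters upper-cased, plus email.
    scopes = set(str(claims.get("scope", "")).split())
    if config["ServiceId"].upper() not in scopes:
        return False, "service scope missing or not upper-cased"
    if "email" not in scopes:
        return False, "email scope missing"

    # Windows AD users: sub must be (AD Domain)\(AD UserName).
    if ad_login and not AD_SUB_FORMAT.match(str(claims.get("sub", ""))):
        return False, "sub is not in Domain\\UserName format"

    # Site-level actions need SiteCreatorAccess = Grant, regardless of plant.
    if operation in CREATOR_ACTIONS:
        if "Grant" in _as_list(claims.get("SiteCreatorAccess")):
            return True, "SiteCreatorAccess"
        return False, "SiteCreatorAccess not granted"

    # Plant-level access: GET needs read, everything else needs write (assumption).
    claim = "SiteReadAccess" if operation == "GET" else "SiteWriteAccess"
    if any(plant_matches(g, site, plant) for g in _as_list(claims.get(claim))):
        return True, f"{claim} covers {site}:{plant}"
    return False, f"{claim} does not cover {site}:{plant}"


# Constructed sample data. ServiceId is the value from the appsettings.json fragment.
SAMPLE_CONFIG = {
    "ServiceId": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
    "ServiceAudience": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
}
ENGINEER = {            # constructed: read on every plant of one site, write on one plant
    "aud": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
    "scope": "6FB71CE4-650E-4AB2-BA01-18F1F65B42AB email",
    "sub": "CORP\\jdoe",
    "SiteReadAccess": ["RefinerySite:*"],
    "SiteWriteAccess": "RefinerySite:Unit100",
}
SITE_ADMIN = {          # constructed: may create/restore/enable sites, no plant claims
    "aud": ["6fb71ce4-650e-4ab2-ba01-18f1f65b42ab"],
    "scope": "6FB71CE4-650E-4AB2-BA01-18F1F65B42AB email",
    "sub": "CORP\\s3dadmin",
    "SiteCreatorAccess": "Grant",
}

if __name__ == "__main__":
    for token, op, plant in [(ENGINEER, "GET", "Unit200"), (ENGINEER, "PATCH", "Unit200"),
                             (ENGINEER, "DELETE", "Unit100"), (SITE_ADMIN, "CreateSite", "-")]:
        print(op, plant, check_token(token, SAMPLE_CONFIG, "RefinerySite", plant, op, ad_login=True))
```

Two of the checks are worth calling out: the scope comparison is exact (a lower-case GUID in the token fails, which is the symptom you see when an identity provider emits the service ID as entered instead of capitalized), and the grant matcher rejects any value that lacks the SiteName: prefix rather than guessing a site, so a group configured with a bare plant name shows up as a denial instead of a silent over-grant.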
What's next?
You're done with your API Manager, and ready to move on to enabling HSTS.