Authorization servers - Intergraph Smart 3D Web API - Update 2 - Installation & Upgrade - Hexagon

Intergraph Smart 3D Web APIs Installation and Configuration

Locale: en-US
Product: Intergraph Smart 3D Web API
Subproduct: Smart 3D Web APIs
Category: Installation & Upgrade
Smart 3D Version: 14

You can use either a third-party authorization provider (recommended) or Smart API Manager.

It is possible, but not recommended, to use a different authorization server for each API.

Required tasks

As part of the installation and configuration process defined in this guide, you will complete two tasks in the authorization application. The order of these tasks is important:

  • Register the API - After installation but before configuration, you must register the APIs in the authorization provider, then configure them with the configuration utility.

  • Configure client access claims - After configuration, you must configure the access claims for each client that accesses each API.

Your authorization provider may require you to complete additional tasks before the APIs can be used. Refer to the documentation for your authorization provider for help.

Hardware and software

Please see the hardware and software recommendations for the authorization server.

Security recommendations

  • Do not grant write access to Smart 3D permission groups that grant access to Everyone. Instead, add one or more groups as needed, depending upon the number of users, number of plants, and how finely access is controlled.

    Granting write access to Smart 3D permission groups that grant access to Everyone also grants write access to users who are not Windows Active Directory users.

  • Avoid configuring long token expiration times in the authorization server.
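
One way to check the token expiration recommendation against tokens your authorization server actually issues. This is an added example, not code from this guide or from Hexagon. It assumes the server issues JWT access tokens carrying `exp` and `iat` (or `nbf`) claims, and the one-hour ceiling and the function names are assumptions chosen for illustration.

```python
import base64
import json

MAX_LIFETIME_SECONDS = 3600  # assumed policy ceiling, not a value from the guide


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) to a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_token_lifetime(token, max_lifetime=MAX_LIFETIME_SECONDS):
    """Return (ok, reason); reads claims only, does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a three-part JWT"
    try:
        claims = _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "payload is not base64url-encoded JSON"
    if not isinstance(claims, dict):
        return False, "payload is not a JSON object"
    exp = claims.get("exp")
    start = claims.get("iat", claims.get("nbf"))
    if not isinstance(exp, (int, float)):
        return False, "no exp claim: token does not expire"
    if not isinstance(start, (int, float)):
        return False, "no iat or nbf claim: lifetime cannot be measured"
    lifetime = int(exp - start)
    if lifetime <= 0:
        return False, "exp is not later than iat/nbf"
    if lifetime > max_lifetime:
        return False, f"lifetime {lifetime}s exceeds limit {max_lifetime}s"
    return True, f"lifetime {lifetime}s"


def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    for exp in (1700000900, 1700086400):  # 15 minutes vs 24 hours
        print(audit_token_lifetime(make_sample_token({"iat": 1700000000, "exp": exp})))
```

Because the check does not validate signatures, it is suitable for auditing issuer configuration only, not for deciding whether to accept a token.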

How Smart API Manager controls access

Read access is granted using groups. A group can include both:

  • External identities - Users defined in Windows Active Directory or a similar repository.

  • Internal identities - Users defined within Smart API Manager itself (for example, for testing environments).

However, read access is only granted to group members who are also members of the plant that the request is for.

Write access is controlled by the standard Smart 3D access control functionality, which relies on Windows Active Directory users and groups.