After you've granted Modify permissions to web server files in IIS, you continue with configuring access claims.
If you are using Smart API Manager as your API manager, see Configure access claims using Smart API Manager instead.
Add Supported Claim Types to the Smart API
- Add the appropriate claim type for the web API you're configuring if one does not exist.
  - For Smart 3D - add the Access claim type.
  - For Smart 3D Admin - add the SiteCreatorAccess, SiteReadAccess, and SiteWriteAccess claim types.
- Set the values for each claim type.

| Value | Claim Type for the Smart 3D Web API | Claim Types for the Smart 3D Admin Web API | | |
|---|---|---|---|---|
| Name | Access | SiteCreatorAccess | SiteReadAccess | SiteWriteAccess |
| User Name | Plant Access | Site creator access | Read access to site | Write access to site |
| Type | String | Enum | String | String |
| Values | -- | Grant | -- | -- |

Required: Checked
Unique: Checked, Checked

Note that the UI options for API managers differ between providers.
Authorize the groups
- Add the claim to the group:
  - For the Smart 3D Web API, add a Plant Access claim for each plant in the Smart 3D site to which the group will have at least read access.
    You need to type the names of the plants, so have a list available.
    Prefix the site name to the plant name using the syntax SiteName:PlantName. Use the “*” character as a wildcard to give access to multiple plants. For example, access to all plants can be given by giving a plant name of *.
    Repeat this for each existing Group that accesses one or more plants in the Smart 3D Site.
  - For the Smart 3D Admin Web API, add the claims as follows:
    - SiteCreatorAccess - Add this claim if the user is intended to do the actions “CreateSite”, “RestoreSite”, or “EnableSite”.
    - SiteReadAccess - Add this claim for each sitealias on which the user will have read access on the site. The user will have read access on all entities and can perform a GET operation.
    - SiteWriteAccess - Add this claim for each sitealias on which the user will have write access on the site. The user can perform PATCH, PUT, POST, and DELETE operations. Also, this user is allowed to perform all actions except for those actions that only the SiteCreatorAccess claim allows users to do.
    For both the SiteReadAccess and SiteWriteAccess claims, use the “*” character as a wildcard to give access to multiple sites. For example, to give access to all sites, give a site alias name of *.
- Add a scope with the API Service ID that is used while creating the website. Include this scope in your access tokens.
  Because the scope value is a GUID, make sure you capitalize any letters it contains, for example: 94A3D2D5-91B2-4B67-BDEB-E66CE8534FA5.
- Include the email scope in all your access tokens, because the API relies on the email scope for processing requests.
- For all users logged in with Windows Active Directory credentials, configure your Sub claim to include user information in the format (AD Domain)\\(AD UserName), because Smart 3D validates Windows Active Directory users for permissions on the plant.
- For the Smart 3D Web API, add the Audience attribute to the web.config file. This attribute should match the audience field in API Manager settings. For example:

      <service prefix="s3d/v1" id="1591be37-f39f-4117-bd22-e65216d3e7c5" audience="1591be37-f39f-4117-bd22-e65216d3e7c5" secret="******************" instance="" />

- For the Smart 3D Admin Web API, add the ServiceAudience attribute to the appsettings.json file. This attribute should match the audience field in API Manager settings. For example:

      "Hexagon.SmartApi": {
        "BaseUri": "https://Server.com/adminwebapi",
        "Services": [
          {
            "UriPrefix": "s3dadmin/v1",
            "ServiceId": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
            "ServiceAudience": "6fb71ce4-650e-4ab2-ba01-18f1f65b42ab",
            "ServiceSecret": "***",
            "ServiceSecretHash": "*****",
            "InstanceName": ""
          }
        ],
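
A pre-flight check for the token requirements listed above, as an added example that is not Hexagon's code: it lints a decoded access-token payload for the upper-case service ID scope, the email scope, the Domain\UserName Sub format and the audience, and lists which plants a wildcard Plant Access claim would cover. The JWT field names (scope, sub, aud), the wildcard matching semantics, and all function names and sample data are assumptions.

```python
import re

# Assumption: the decoded token payload uses the standard JWT names "scope", "sub", "aud".
SUB_FORMAT = re.compile(r"^[^\\/\s]+\\[^\\/]+$")  # (AD Domain)\(AD UserName)

def scopes_of(payload):
    """Return the scopes as a set; accepts a space-delimited string or a list."""
    raw = payload.get("scope", "")
    return set(raw.split() if isinstance(raw, str) else raw)

def lint_token(payload, service_id, audience):
    """Check a decoded payload against the page's rules; an empty list means it passes."""
    findings = []
    scopes = scopes_of(payload)
    wanted = service_id.upper()
    if wanted not in scopes:
        wrong_case = wanted in {s.upper() for s in scopes}
        findings.append("service ID scope is not upper-case" if wrong_case
                        else "service ID scope is missing")
    if "email" not in scopes:
        findings.append("email scope is missing")
    if not SUB_FORMAT.match(str(payload.get("sub", ""))):
        findings.append("sub is not in Domain\\UserName form")
    aud = payload.get("aud") or []
    if audience not in ([aud] if isinstance(aud, str) else aud):
        findings.append("aud does not match the configured audience")
    return findings

def claim_matches(claim, site_plant):
    """Assumed semantics: '*' in a SiteName:PlantName claim matches any run of characters."""
    pattern = ".*".join(re.escape(part) for part in claim.split("*"))
    return re.fullmatch(pattern, site_plant) is not None

def covered_plants(claims, inventory):
    """Return the inventory entries that at least one Plant Access claim would cover."""
    return [p for p in inventory if any(claim_matches(c, p) for c in claims)]

# Constructed sample data; the GUID is the web.config example value from this page.
SERVICE_ID = "1591be37-f39f-4117-bd22-e65216d3e7c5"
SAMPLE = {"sub": "jdoe@corp.example", "aud": SERVICE_ID,
          "scope": "openid " + SERVICE_ID}  # lower-case GUID, no email scope
INVENTORY = ["SiteA:Plant1", "SiteA:Plant2", "SiteB:Plant1"]

if __name__ == "__main__":
    print(lint_token(SAMPLE, SERVICE_ID, SERVICE_ID))
    print(covered_plants(["SiteA:*"], INVENTORY))
```

Running `covered_plants` against a full plant list before adding a wildcard claim to a group shows exactly what that claim grants.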
You're done with configuring access claims! Now, move on to configuring app settings.