Security Settings for DX API
Secure access to your DX API endpoints by learning about authentication settings and access role privileges.
Authentication settings for Service Package
To authenticate DX API endpoints, configure the authentication settings through the API service package.
For more information about service packages, see Service Packages.
The following types of authentication are available for a service package:
- OAuth 2.0
For more information about the types of authentication, see Defining processing and authentication for service packages.
To access endpoints more securely, use OAuth 2.0 as the authentication type. For more information about OAuth 2.0 configuration, see the following articles:
Access role privileges
Every endpoint is mapped to a privilege. You can provide users with specific privileges so that they can perform the actions associated with the corresponding endpoints.
The following table depicts the endpoints that correspond to each privilege:
Additional privileges enable field-level security while performing specific actions. When field-level security is enabled, user requests to Pega Platform are validated against the fields that the user added to the view. Read-only fields are treated as invalid. Disabled fields are treated the same as editable fields and are valid if they are defined in the UI of the posted flow action. If additional fields are passed in the input, a 400 Bad Request error is returned.
Use the dynamic system setting DebugPegaAPI to log the additional fields in the Pega API Rest Service Info statements. For more information about configuring dynamic system settings, see Configuring dynamic system settings and Debugging DX API.
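The following is an added model of the field-level validation rule described above, not Pega's implementation: a view is a list of fields with a mode, and a posted request is accepted only if every posted field is defined on the view as editable or disabled. The view definition, field names and the log line format are constructed for illustration.

```python
"""Model of the DX API field-level security check (constructed illustration)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ViewField:
    """One field on a flow action view; mode is editable, disabled or readonly."""
    name: str
    mode: str


@dataclass
class ValidationResult:
    """HTTP-style status plus the fields that caused a rejection, if any."""
    status: int
    invalid_fields: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.status == 200


def valid_field_names(view):
    """Disabled fields count the same as editable fields; read-only fields do not."""
    return {f.name for f in view if f.mode in ("editable", "disabled")}


def validate_request(view, posted, debug=False):
    """Return 200 when every posted field is valid on the view, else 400.

    Read-only fields and fields that are not on the view at all are both
    reported as invalid, matching the behaviour described for the DX API.
    """
    allowed = valid_field_names(view)
    invalid = sorted(set(posted) - allowed)
    if debug and invalid:
        # Stands in for the DebugPegaAPI setting: log the offending fields
        # instead of rejecting silently (log text is constructed here).
        print(f"Pega API Rest Service Info: additional fields {invalid}")
    if invalid:
        return ValidationResult(400, invalid)
    return ValidationResult(200)


# Constructed sample view: one editable, one disabled and one read-only field.
PERFORM_VIEW = [
    ViewField("CustomerName", "editable"),
    ViewField("Priority", "disabled"),
    ViewField("CaseID", "readonly"),
]
```

Posting CustomerName and Priority passes; posting CaseID (read-only) or any field that is not on the view yields the 400 result with the offending names listed.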
- Additional privileges are not included with the PegaRULES:PegaAPI access role. To grant users, administrators, or authors access to DX API, add the additional privileges to application access roles, such as the application:PegaAPI access role.
- Additional privileges are included with the PegaRULES:PegaAPIDX access role. To access the complete suite of security privileges for v1 DX APIs, add the PegaRULES:PegaAPIDX role in addition to the PegaRULES:PegaAPI role to your users' access groups.
The following table describes the usage of each additional privilege:
| Privilege | Usage |
|---|---|
| pxCreateCaseDX | Enables field-level security while creating a case. The pyCreate section in this situation is purely for field security checking purposes and is never shown to the user. |
| pxUpdateCaseDX | Enables field-level security while updating a case. |
| pxPerformAssignmentDX | Enables field-level security while performing an assignment. |
| pxGetCaseDX | Restricts the content of the |
| pxGetDataDX | Provides access to only those data pages in built-in applications that are marked as API. |
| pyExcludeSummaryData | Prevents the API from sending the SummaryData metadata in the response, to avoid exposing sensitive data. |
Application settings
The pyDXAPIEncodeValues application setting protects users from cross-site scripting attacks, and applies to the following endpoints:
If the pyDXAPIEncodeValues application setting is set to true, all the special characters in the response are converted into HTML entities. For example, the percent sign in 100% is replaced by its HTML entity, so the value is returned as 100&#37;.