Security Settings for DX API
Secure access to your DX API endpoints by learning about authentication settings and access role privileges.
Authentication settings for Service Package
To authenticate DX API endpoints, configure the authentication settings through the API service package.
For more information about service packages, see Service Packages.
The following types of authentication are available for a service package:
- Basic
- OAuth 2.0
- Custom
For more information about the types of authentication, see Setting the context of a collection step.
To access endpoints more securely, use OAuth 2.0 as the authentication type. For more information about OAuth 2.0 configuration, see the following articles:
Access role privileges
Every endpoint is mapped to a privilege. You can provide users with specific privileges so that they can perform the actions associated with the corresponding endpoints.
The following table depicts the endpoints that correspond to each privilege:
| HTTP method | Endpoint | Privilege |
|---|---|---|
| POST | api/v1/cases | pxCreateCase |
| GET | api/v1/assignments/{ID}/actions/{actionID} | pxGetAssignments |
| PUT | api/v1/assignments/{ID}/actions/{actionID}/refresh | |
| GET | api/v1/assignments | |
| GET | api/v1/assignments/{id} | |
| GET | api/v1/spaces | |
| GET | api/v1/notifications | |
| GET | api/v1/casetypes/{ID} | pxGetCaseTypes |
| PUT | api/v1/casetypes/{ID}/refresh | |
| GET | api/v1/casetypes | |
| GET | api/v1/cases/{ID}/actions/{actionID} | pxGetCases |
| PUT | api/v1/cases/{ID}/actions/{actionID}/refresh | |
| GET | api/v1/cases | |
| GET | api/v1/cases/{id} | |
| GET | api/v1/cases/{ID}/pages/{pageID} | |
| GET | api/v1/cases/{ID}/views/{viewID} | |
| GET | api/v1/data/{id} | pxGetDataPage |
| GET | api/v1/data/{id}/{metadata} | |
| POST | api/v1/assignments/{id} | pxPerformAssignment |
| PUT | api/v1/cases | pxUpdateCase |
| PUT | api/v1/cases/{id} | |
| GET | api/v1/applications | pxGetApplications |
| POST | api/v1/messages | pxCreatePulse |
| POST | api/application/v2/messages | |
| GET | api/v1/documents/{id} | pxGetDocumentDetails |
| GET | api/v1/documents | pxGetDocuments |
| GET | api/v1/messages | pxGetMessages |
| GET | api/application/v2/messages | |
| GET | api/v1/spaces/{id} | pxGetSpaces |
| GET | api/v1/spaces/{id}/pins | |
| GET | api/v1/pins | |
| PUT | api/v1/spaces/{id}/join | pxUpdateSpace |
| PUT | api/v1/spaces/{id}/leave | |
| POST | api/v1/applications | pxCreateApplication |
| PATCH | api/v1/accessgroups/{ID} | pxUpdateAccessGroup |
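The mapping above is what an authorization gate has to enforce before any endpoint logic runs: resolve the request's method and path to the privilege that governs it, then check that the caller's access role actually grants it. The following Python is an added illustration of that check and is not Pega Platform code; it transcribes a subset of the table into a route list (assuming that a blank privilege cell continues the group above it), matches the `{ID}`-style placeholders as single path segments, and denies by default when a route is not mapped. The status codes it returns are the example's own choices, not documented DX API behaviour.

```python
import re
from typing import List, Optional, Set, Tuple

# Subset of the endpoint-to-privilege table above (constructed for this example).
# A blank privilege cell in the table is read as "same privilege as the row above".
ENDPOINT_PRIVILEGES: List[Tuple[str, str, str]] = [
    ("POST", "api/v1/cases", "pxCreateCase"),
    ("GET", "api/v1/assignments/{ID}/actions/{actionID}", "pxGetAssignments"),
    ("PUT", "api/v1/assignments/{ID}/actions/{actionID}/refresh", "pxGetAssignments"),
    ("GET", "api/v1/assignments", "pxGetAssignments"),
    ("GET", "api/v1/assignments/{id}", "pxGetAssignments"),
    ("GET", "api/v1/cases", "pxGetCases"),
    ("GET", "api/v1/cases/{id}", "pxGetCases"),
    ("POST", "api/v1/assignments/{id}", "pxPerformAssignment"),
    ("PUT", "api/v1/cases/{id}", "pxUpdateCase"),
    ("PATCH", "api/v1/accessgroups/{ID}", "pxUpdateAccessGroup"),
]


def _template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn 'api/v1/cases/{id}' into an anchored regex where each
    {placeholder} matches exactly one non-empty path segment."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


# Compile once; matching is anchored, so 'api/v1/cases' and 'api/v1/cases/{id}'
# cannot shadow each other regardless of list order.
_ROUTES = [(m, _template_to_regex(t), p) for m, t, p in ENDPOINT_PRIVILEGES]


def required_privilege(method: str, path: str) -> Optional[str]:
    """Return the privilege that governs (method, path), or None if the route
    is not in the mapping. Query strings and surrounding slashes are ignored."""
    path = path.split("?", 1)[0].strip("/")
    for route_method, pattern, privilege in _ROUTES:
        if route_method == method.upper() and pattern.match(path):
            return privilege
    return None


def authorize(method: str, path: str, granted: Set[str]) -> Tuple[int, str]:
    """Deny-by-default gate: unknown route -> 404, privilege not held -> 403,
    otherwise 200 with the privilege that was satisfied."""
    privilege = required_privilege(method, path)
    if privilege is None:
        return 404, "no such endpoint"
    if privilege not in granted:
        return 403, f"missing privilege {privilege}"
    return 200, privilege


if __name__ == "__main__":
    # Constructed caller with a read-only role: can list cases, cannot edit access groups.
    read_only_role = {"pxGetCases", "pxGetAssignments"}
    print(authorize("GET", "/api/v1/cases/C-1", read_only_role))
    print(authorize("PATCH", "/api/v1/accessgroups/AG-1", read_only_role))
```

Resolving the privilege from the route rather than from the handler keeps the mapping auditable in one place, which is also where you would diff it against the access roles actually granted when reviewing least privilege for an integration operator.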
Additional privileges
Additional privileges enable field-level security while performing specific actions. When field-level security is enabled, user requests to Pega Platform are validated against the fields that the user added to the view. Read-only fields are treated as invalid. Disabled fields are treated the same as editable fields and are valid if they are defined in the UI of the posted flow action. If the input contains any additional fields, a 400 Bad Request error is returned.
Use the dynamic system setting DebugPegaAPI to log the additional fields in the Pega API Rest Service Info statements. For more information about configuring dynamic system settings, see Configuring dynamic system settings and Debugging DX API.
The following table describes the usage of each additional privilege:
| Additional privilege | Usage |
|---|---|
| pxCreateCaseDX | Enables field-level security while creating a case. |
| pxUpdateCaseDX | Enables field-level security while updating a case. |
| pxPerformAssignmentDX | Enables field-level security while performing an assignment. |
| pxGetCaseDX | Restricts the content of the GET /cases/{ID} endpoint to the fields contained in the review harness. |
| pxGetDataDX | Provides access to only those data pages in built-in applications that are marked as API. |
| pyExcludeSummaryData | Prevents the API from sending the SummaryData metadata in the response, to avoid exposing sensitive data. |
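To make the field-level rule concrete, the following Python is an added example (not Pega Platform code) of the validation that the pxCreateCaseDX, pxUpdateCaseDX and pxPerformAssignmentDX privileges describe: the posted content is compared with the fields of the flow action's view, editable and disabled fields are accepted, read-only fields and fields absent from the view are rejected with a 400, and the rejected field names are recorded in a log list that stands in for the `DebugPegaAPI` Rest Service Info statements. The view definition and the request bodies are constructed for the example; the error body shape is the example's own, not the DX API's.

```python
from typing import Any, Dict, List, Optional, Tuple

# Field modes accepted in a posted flow action, per the page: editable and
# disabled fields are valid, read-only fields and unknown fields are not.
ACCEPTED_MODES = {"editable", "disabled"}

# Constructed view definition: field name -> mode in the flow action UI.
SAMPLE_VIEW: Dict[str, str] = {
    "pyLabel": "editable",
    "Amount": "editable",
    "CustomerID": "disabled",
    "Status": "readonly",
}


def invalid_fields(view_fields: Dict[str, str], content: Dict[str, Any]) -> List[str]:
    """Names in the posted content that are not editable/disabled in the view.
    'Additional' fields (not in the view at all) fall out of the same test."""
    return sorted(name for name in content if view_fields.get(name) not in ACCEPTED_MODES)


def validate_posted_content(
    view_fields: Dict[str, str],
    content: Dict[str, Any],
    debug_log: Optional[List[str]] = None,
) -> Tuple[int, Dict[str, Any]]:
    """Return (status, body): 400 listing the offending fields, else 200.
    When debug_log is given, the offending fields are appended to it the way
    DebugPegaAPI surfaces them in Rest Service Info statements (stand-in)."""
    rejected = invalid_fields(view_fields, content)
    if rejected:
        if debug_log is not None:
            debug_log.append("Rest Service Info: additional/invalid fields in request: " + ", ".join(rejected))
        return 400, {"errors": [{"message": "Invalid field(s) in request content", "fields": rejected}]}
    return 200, {"accepted": sorted(content)}


if __name__ == "__main__":
    log: List[str] = []
    # Valid: only editable and disabled fields.
    print(validate_posted_content(SAMPLE_VIEW, {"pyLabel": "Order 1", "CustomerID": "C-9"}, log))
    # Rejected: a read-only field and a field that is not in the view.
    print(validate_posted_content(SAMPLE_VIEW, {"pyLabel": "Order 1", "Status": "Closed", "Priority": 1}, log))
    print("\n".join(log))
```

The defensive value is that the server decides what a client may set from the view it rendered, so a client cannot widen its own write surface by adding properties to the request body; the debug log tells you which fields a client tried to send without granting them.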
Application settings
The pyDXAPIEncodeValues application setting protects users from cross-site scripting attacks, and applies to the following endpoints:
- GET /casetypes/{ID}
- GET /casetypes/{ID}/refresh
- GET /assignments/{ID}/actions/{ID}
- GET /assignments/{ID}/actions/{ID}/refresh
- GET /cases/{ID}/actions/{ID}
- GET /cases/{ID}/actions/{ID}/refresh
If the pyDXAPIEncodeValues application setting is set to true, all special characters in the response are converted into HTML entities. For example, 100% is converted to 100&#37;.