User who has access to certain specific api endpoints

Hi Community,

Is it possible to create a user in DHIS2 with access restricted to only GET or POST requests on specific API endpoints?

Thanks,
R

1 Like

Hi @zubair

Yes, ‘personal access tokens’ can be generated by the user and whatever authorities the user has will be inherited by the token. When generating the token, you can select GET and POST only as well as an expiration date.

The following screenshot shows the authorities that the token has, because the user is the admin user in the play instance and I only selected the GET request:

This is explained step by step in this video by @austin: https://www.youtube.com/watch?v=Jb6XWIspGto

Does this answer your question @zubair?

Thanks!

1 Like

Thanks @Gassim for the response.
I’m aware of that, but we can’t restrict access to certain endpoints directly. We could implement a workaround using Nginx, but that introduces other issues.

Thanks
Zubair

1 Like
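The proxy-side workaround mentioned above (restricting a token to specific endpoints and methods in front of DHIS2, since the PAT itself only carries method and expiry limits) modelled as an added example; this is not code from the thread or from DHIS2. It assumes the `Authorization: ApiToken <token>` header form, a constructed policy table with placeholder token values, and that DHIS2 still performs its own authentication and authority checks behind the proxy.

```python
"""Endpoint allowlist check a reverse proxy could apply before forwarding to DHIS2.

Assumptions (not from the thread): tokens are presented as
'Authorization: ApiToken <value>', the policy table below is constructed
sample data with placeholder token values, and DHIS2 itself still validates
the token and the user's authorities after the proxy forwards the request.
"""
import fnmatch
import hmac
import posixpath
from typing import Dict, List, Tuple

# Constructed sample policy: per token, the (METHOD, path glob) pairs it may use.
POLICY: Dict[str, Dict] = {
    "report-bot": {
        "token": "d2pat_PLACEHOLDER_0000",  # placeholder, not a real token
        "rules": [("GET", "/api/analytics*"), ("GET", "/api/dataElements*")],
    },
    "importer": {
        "token": "d2pat_PLACEHOLDER_1111",  # placeholder, not a real token
        "rules": [("POST", "/api/dataValueSets*")],
    },
}


def authorize(method: str, path: str, auth_header: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request seen at the proxy."""
    prefix = "ApiToken "
    if not auth_header or not auth_header.startswith(prefix):
        return False, "no ApiToken header"
    presented = auth_header[len(prefix):].strip()

    # Constant-time comparison against every known token; no early exit on length.
    matched = None
    for name, entry in POLICY.items():
        if hmac.compare_digest(entry["token"], presented):
            matched = (name, entry["rules"])
    if matched is None:
        return False, "unknown token"
    name, rules = matched

    # Drop the query string and normalise '..' and '.' so a path such as
    # '/api/analytics/../me' cannot slip past a prefix pattern.
    clean = posixpath.normpath(path.split("?", 1)[0])
    for allowed_method, pattern in rules:
        if allowed_method == method.upper() and fnmatch.fnmatchcase(clean, pattern):
            return True, f"{name}: allowed {method.upper()} {clean}"
    return False, f"{name}: denied {method.upper()} {clean}"
```

Nginx can express the same allowlist with `location` blocks and `limit_except`, but the token-to-rule mapping shown here is what the thread notes DHIS2 does not provide natively.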

Great, thanks! I hope it’ll be helpful for everyone.

Yes, you are right that there’s no option to restrict the token to specific endpoints, and I’m guessing that restricting the user’s authorities which the token inherits doesn’t restrict it enough.

I am triaging this to team-extensibility for their input and if it can be considered a feature request.

Update
--

Hi again @zubair,

I got some input from @dhis2-security team. It would greatly help them if you would please share more details on the use-case.

As @netroms mentioned, "authorities goes 1-1 with endpoints", and it’s not currently possible to restrict the PAT to specific endpoints, but he mentioned a number of things that would need to be taken into consideration even with such a restriction, so I believe the use-case would be important to know.

Thanks!