API security policy assignments

API security policy assignments let you control which scopes are granted to which customers by mapping Strivacity groups to scopes defined in API security policies. The assigned scopes can then be evaluated at runtime by the Strivacity Login Gateway.

An API security policy assignment defines:

  • Which API security policy should be applied to the group.
  • Which scopes from that policy should be granted to group members.

These scopes are evaluated by the Login Gateway to determine access to protected paths.

Capabilities

  • Supports assigning one or more API security policies to a group.
  • Each group can have a different set of scopes for the same policy.
  • Login Gateway enforces scopes using policy-based path restrictions.

Example use cases

  • A group of support users is granted only the support scope for a specific API.
  • A group of admin users is granted both support and admin scopes for the same API.
  • A partner organization is granted restricted scopes on one audience but not another.

Configuration

Create an API security policy (if not already created)

  1. Go to Policies > API security.
  2. Select Create.
  3. Fill in:
    1. Name
    2. Audience: The base URL of the protected API (for example, shop.saasi.io).
    3. Add one or more scopes (for example, support, admin).
  4. Select Save.

📘 For more details, see Create API security policies.

Assign the policy to a group

  1. Go to Groups and select an existing group from the list or create a new one.
  2. Open the API security policy assignments tab.
  3. Select Assign API security policy.
  4. Choose a policy and select which scopes to assign.
  5. Select Save.

Configure Login Gateway

In Login Gateway clients:

  • Choose which API security policy to evaluate.
  • Restrict access to specific paths by required scopes.

The Login Gateway enforces access by checking that the incoming access token carries the scope required for the requested path. Which scopes the token carries is determined by the API security policy assignments of the groups the customer belongs to.

Example

  • The SaaSii shop API security policy defines two scopes: support and admin.
  • The Support team group is assigned the policy with only the support scope.
  • A Login Gateway client protects GET /orders with the support scope and DELETE /orders with the admin scope.

If a Support team member logs in:

  • Their access token includes only the support scope.
  • Login Gateway allows read access but blocks deletion.

If an Admin team member logs in:

  • Their access token includes both the support and admin scopes, assuming the Admin team group is assigned both scopes on this policy.
  • Login Gateway allows both read and delete operations.
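The following is an added example, not Strivacity's own code or the Login Gateway's implementation. It models the three pieces the configuration steps above put together (a policy with an audience and scopes, a group assignment of a subset of those scopes, and per-path scope rules in the gateway) and replays the SaaSii shop scenario. The data structures, the token shape (`aud` and a space-separated `scope` claim, as in OAuth 2.0 bearer tokens) and the audience check in `authorize` are assumptions for illustration; the policy, group, scope and path names follow the page's example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiSecurityPolicy:
    name: str
    audience: str            # base URL of the protected API
    scopes: frozenset        # scopes the policy defines


@dataclass
class GroupAssignment:
    """Which scopes of one policy the members of a group receive."""
    group: str
    policy: ApiSecurityPolicy
    granted: frozenset

    def __post_init__(self):
        # A group can only be granted scopes that the policy actually defines.
        unknown = self.granted - self.policy.scopes
        if unknown:
            raise ValueError(
                f"scopes not defined by policy {self.policy.name!r}: {sorted(unknown)}")


@dataclass(frozen=True)
class PathRule:
    """A Login Gateway client restriction: this method+path needs this scope."""
    method: str
    path: str
    required_scope: str


def issue_token(user_groups, assignments, policy):
    """Model the token a user receives for one audience: the union of the
    scopes granted to every group they belong to, limited to that policy.
    (Assumed token shape: 'aud' plus a space-separated 'scope' claim.)"""
    scopes = set()
    for a in assignments:
        if a.policy == policy and a.group in user_groups:
            scopes |= a.granted
    return {"aud": policy.audience, "scope": " ".join(sorted(scopes))}


def authorize(token, policy, rules, method, path):
    """Gateway-side check (assumed logic): allow only if the token was issued
    for this policy's audience and carries the scope the matching rule
    requires. Paths without a rule are denied, so the check fails closed."""
    if token.get("aud") != policy.audience:
        return False
    token_scopes = set(token.get("scope", "").split())
    for rule in rules:
        if rule.method == method and rule.path == path:
            return rule.required_scope in token_scopes
    return False


# Constructed sample configuration mirroring the page's example.
SHOP = ApiSecurityPolicy("SaaSii shop", "shop.saasi.io",
                         frozenset({"support", "admin"}))

ASSIGNMENTS = [
    GroupAssignment("Support team", SHOP, frozenset({"support"})),
    GroupAssignment("Admin team", SHOP, frozenset({"support", "admin"})),
]

RULES = [
    PathRule("GET", "/orders", "support"),
    PathRule("DELETE", "/orders", "admin"),
]


def decisions_for(user_groups):
    """Log a user in (model), then ask the gateway about both protected paths."""
    token = issue_token(user_groups, ASSIGNMENTS, SHOP)
    return {
        "GET /orders": authorize(token, SHOP, RULES, "GET", "/orders"),
        "DELETE /orders": authorize(token, SHOP, RULES, "DELETE", "/orders"),
    }


if __name__ == "__main__":
    print(decisions_for({"Support team"}))  # {'GET /orders': True, 'DELETE /orders': False}
    print(decisions_for({"Admin team"}))    # {'GET /orders': True, 'DELETE /orders': True}
```

Two details matter in practice: a group cannot be assigned a scope the policy does not define (the `GroupAssignment` constructor rejects it), and a token issued for one audience carries none of the scopes assigned on another policy, which is what makes the "partner gets scopes on one audience but not another" use case work.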