AdvAPI REST Services

Advantage offers REST based API services. These API services provide a mechanism through which certain business operations can be performed programmatically via the external interfaces. The API service framework provides common functions for performing actions on the reference tables and transaction type resources. The following are the typical operations supported by AdvAPI:

  • Reference tables - Import, Export, Update, Insert, and Delete

  • Transactions - Create, Validate, Submit, Discard, Export, and Modify

Currently, these are internal services and do not expose the request and response formats. Typically, Advantage Connect uses these APIs to interface with external applications. The following topics describe configuration that sites can use to perform some administrative tasks.

Excluding data from getting exported using API_Excludes.txt

During an export, sites may wish to restrict the export of sensitive columns (for example, columns that contain Personally Identifiable Information (PII)). The API_Excludes.txt file lists the columns that should be excluded from the export, either for specific tables or for all tables. All encrypted columns are excluded from the export by default; if the site wishes to bypass that exclusion, that table's column can be configured in the bypass list. This file is placed in the bin directory, which is the same directory where ADV30Params.ini is placed.

Allow API to perform actions on specified resources using API_WhitelistConfig.txt

For operations on reference tables or transactions, sites may wish to restrict all operations on all resources and allow only specified resources to be operated on via AdvAPI. For example, allow export on the procurement tables for interfacing the Procurement subsystem with a third-party system. In this case, sites can turn on Whitelisting and configure the list of actions on each specific resource that they want to enable via AdvAPI. This file is placed in the bin directory, which is the same directory where ADV30Params.ini is placed.

Restricting online access to users specifically created for invoking AdvAPI services

Sites may wish to restrict online application access for users who are authorized only to invoke the AdvAPI services. This can be done by setting an attribute for the user from the backend SQL. The record needs to be inserted into the R_SC_USER_ATTR table. The following SQL can be used to mark a user as able to invoke AdvAPI only.

Sample SQL; replace <USER_ID_USED_FOR_ADVAPI> with the actual User ID of the AdvAPI user.

INSERT INTO R_SC_USER_ATTR( REC_ID, SEQ, USER_ID, ATTR_NM, ATTR_VAL ) VALUES
((SELECT MAX( REC_ID ) + 1 FROM R_SC_USER_ATTR), 0, '<USER_ID_USED_FOR_ADVAPI>', 'SERVICE_AUTHORIZATION', 'true' )
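The following is an added example, not part of the original page or the product: it applies the same INSERT idempotently and audits which accounts carry the SERVICE_AUTHORIZATION attribute. It runs against a constructed in-memory SQLite stand-in that has only the five columns named in the page's INSERT; the column types, function names and user IDs are assumptions.

```python
import sqlite3

ATTR = "SERVICE_AUTHORIZATION"

def make_demo_db():
    """Constructed stand-in for R_SC_USER_ATTR (column types are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE R_SC_USER_ATTR (REC_ID INTEGER, SEQ INTEGER, "
               "USER_ID TEXT, ATTR_NM TEXT, ATTR_VAL TEXT)")
    return db

def mark_api_only(db, user_id):
    """Add the attribute once per user; return True if a row was inserted."""
    exists = db.execute(
        "SELECT 1 FROM R_SC_USER_ATTR WHERE USER_ID = ? AND ATTR_NM = ?",
        (user_id, ATTR)).fetchone()
    if exists:
        return False
    # MAX(REC_ID) + 1 evaluates to NULL on an empty table; COALESCE covers that case.
    # The user ID is bound as a parameter rather than pasted into the statement.
    db.execute(
        "INSERT INTO R_SC_USER_ATTR (REC_ID, SEQ, USER_ID, ATTR_NM, ATTR_VAL) "
        "VALUES ((SELECT COALESCE(MAX(REC_ID), 0) + 1 FROM R_SC_USER_ATTR), "
        "0, ?, ?, 'true')", (user_id, ATTR))
    db.commit()
    return True

def audit_api_only(db, expected):
    """Compare flagged accounts with the site's approved list of AdvAPI users."""
    rows = db.execute(
        "SELECT USER_ID, ATTR_VAL FROM R_SC_USER_ATTR WHERE ATTR_NM = ?",
        (ATTR,)).fetchall()
    flagged = {user for user, value in rows if value == "true"}
    return {
        # approved AdvAPI users that do not carry the attribute yet
        "missing_flag": sorted(set(expected) - flagged),
        # accounts carrying the attribute that are not on the approved list
        "unexpected_flag": sorted(flagged - set(expected)),
        # rows whose value is not the literal 'true' used in the page's SQL
        "bad_value": sorted(user for user, value in rows if value != "true"),
    }

if __name__ == "__main__":
    db = make_demo_db()
    for user in ("SVC_CONNECT", "SVC_CONNECT", "SVC_PROC"):  # constructed IDs
        print(user, mark_api_only(db, user))
    print(audit_api_only(db, expected=["SVC_CONNECT", "SVC_PROC", "SVC_HR"]))
```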

Restricting AdvAPI to use a schema user that has limited access

AdvAPI uses the typical Advantage security subsystem. Authorization typically happens through Access Control. However, when Advantage is interfacing with external systems via Advantage Connect, sites may wish to allow Connect to have access to only some specific database tables. This is an additional layer of security that sites can configure.

Requests coming from the online application use the typical schema user, which has access to all tables for the Create, Read, Update, and Delete (CRUD) operations.

Requests coming from the API services use a schema user that has restricted access. In this scenario, Connect typically invokes these services to keep some tables in sync between Advantage and external systems (for interfacing with external systems).

In the above example:

  • xxx_owner has full access to all tables and all operations.

  • xxx_restricted has full access to only those tables that need to be synched between Advantage and external systems.

To enable this feature, first set the UseSeparateApiServiceConnection parameter in the ADV30Params.ini file to true. Then set the restricted schema user and password in the VLS Admin Console for the data server named ADVServiceAPIConnection. This routes all the queries originating from AdvAPI through the restricted schema user.