User roles for REST API access

Set up role-based access control for the REST API.

The following table describes the user roles and the access that each role has to the REST API.
Table 1. User roles for access to the REST API
User role      Level of access
iaRESTReader   Read only
iaRESTWriter   Read, create, update, and delete

If you have read-only iaRESTReader access, the actions that you can take by using the REST API are limited. For example, you can send a GET request but not a PUT request.

If you have iaRESTWriter access, you can create and manage entities by using the GET, POST, PUT, and DELETE methods. The following table lists the requests that are accessible for each user role.
Table 2. REST API request types
REST request          Purpose                               User role
GET (single entity)   Retrieving a single entity            iaRESTReader and iaRESTWriter
GET                   Retrieving entities and aggregates    iaRESTReader and iaRESTWriter
POST                  Creating entities                     iaRESTWriter
PUT                   Updating entity data                  iaRESTWriter
DELETE                Deleting entities                     iaRESTWriter
To set up the access control, edit the server.xml configuration file and add an <authorization-roles> element that contains one <security-role> element for each user role, listing the users that are assigned to that role:
<authorization-roles id="iaAuthorization">
    <!-- Read, create, update, and delete -->
    <security-role name="iaRESTWriter">
        <user name="admin"/>
    </security-role>
    <!-- Read only -->
    <security-role name="iaRESTReader">
        <user name="tester"/>
    </security-role>
</authorization-roles>
Important: The id="iaAuthorization" attribute is required in the <authorization-roles> element to associate the user roles with access to the REST API.
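Because the role names are case-sensitive and a missing or misspelled id="iaAuthorization" attribute silently disconnects the mapping from the REST API, it is worth checking the server.xml before deploying it. The following Python script is an added example, not part of the product documentation or the product itself. It parses the <authorization-roles> element described above (from a whole server.xml or just the fragment), reports the mistakes that break the access control, and derives from Table 2 which REST methods a given user or group member ends up with. The SAMPLE_SERVER_XML is constructed for this example; the <group> element it uses is the Liberty server.xml form for mapping a user-registry group into a role, and the group name ia-admins is an assumption.

```python
"""Audit the iaAuthorization role mapping in a Liberty server.xml.

Added example (not from the product documentation). SAMPLE_SERVER_XML and
the group name "ia-admins" are constructed for this example.
"""
import xml.etree.ElementTree as ET

REQUIRED_ID = "iaAuthorization"

# Access matrix from Table 2: the REST methods each role may use.
ROLE_METHODS = {
    "iaRESTReader": {"GET"},
    "iaRESTWriter": {"GET", "POST", "PUT", "DELETE"},
}

# Constructed sample: a server.xml that maps one user and one group to the
# writer role and one user to the reader role.
SAMPLE_SERVER_XML = """<server>
  <authorization-roles id="iaAuthorization">
    <security-role name="iaRESTWriter">
      <user name="admin"/>
      <group name="ia-admins"/>
    </security-role>
    <security-role name="iaRESTReader">
      <user name="tester"/>
    </security-role>
  </authorization-roles>
</server>"""


def parse_role_mapping(xml_text):
    """Return (id, {role: {"users": [...], "groups": [...]}}) for the first
    <authorization-roles> element, or None if the file has none.
    Works whether xml_text is a whole server.xml or only the fragment."""
    root = ET.fromstring(xml_text)
    elem = root if root.tag == "authorization-roles" else root.find(".//authorization-roles")
    if elem is None:
        return None
    mapping = {}
    for role in elem.findall("security-role"):
        mapping[role.get("name")] = {
            "users": [u.get("name") for u in role.findall("user")],
            "groups": [g.get("name") for g in role.findall("group")],
        }
    return elem.get("id"), mapping


def check_config(xml_text):
    """Return a list of findings; an empty list means the mapping looks sound."""
    parsed = parse_role_mapping(xml_text)
    if parsed is None:
        return ["no <authorization-roles> element found"]
    auth_id, mapping = parsed
    findings = []
    # Without exactly this id the roles are never associated with the REST API.
    if auth_id != REQUIRED_ID:
        findings.append(f"<authorization-roles> id is {auth_id!r}, expected {REQUIRED_ID!r}")
    for role, members in mapping.items():
        if role not in ROLE_METHODS:
            findings.append(f"unknown role {role!r} (role names are case-sensitive)")
        if not members["users"] and not members["groups"]:
            findings.append(f"role {role!r} has no users or groups; nobody gets that access")
    return findings


def allowed_methods(xml_text, user=None, groups=()):
    """REST methods a subject may use under this mapping, per Table 2.
    A subject that lands in both roles gets the union (i.e. writer access)."""
    parsed = parse_role_mapping(xml_text)
    if parsed is None:
        return set()
    _, mapping = parsed
    allowed = set()
    for role, members in mapping.items():
        if user in members["users"] or any(g in members["groups"] for g in groups):
            allowed |= ROLE_METHODS.get(role, set())
    return allowed


if __name__ == "__main__":
    for line in check_config(SAMPLE_SERVER_XML) or ["mapping OK"]:
        print(line)
    print("tester may use:", sorted(allowed_methods(SAMPLE_SERVER_XML, user="tester")))
    print("ia-admins members may use:", sorted(allowed_methods(SAMPLE_SERVER_XML, groups=("ia-admins",))))
```

Run it against your real server.xml by reading the file into check_config; a role name that only differs in case, or an id other than iaAuthorization, shows up as a finding rather than as a surprising 403 (or, worse, an unintended grant) after deployment.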
The WebSphere® Application Server documentation provides examples to help you map additional users and groups in the OSGi bundle manifest file. See Securing an application endpoint.