Updated: April 2025
Author: Eric Houghland
Overview:
Currently, the REST API's accessibility is binary. Either anyone can use it or no one can. Organizations desire greater control over API usage, enabling them to grant specific permissions to individual users and groups. This would allow them to tailor API access to their needs and ensure that only authorized individuals can utilize the API.
Problem:
The current REST API access model is overly restrictive, granting full access to all users or none. This binary approach hinders organizations' ability to implement granular security measures aligned with their specific operational needs. To address this limitation, a more sophisticated access control is required. By implementing this solution, organizations can assign tailored REST API permissions to individual users and groups, ensuring that only authorized personnel can access sensitive data and perform critical tasks.
Solution:
We aim to create a simple tool that lets administrators easily manage access to the REST API. This tool will have a user-friendly interface where admins can quickly add or remove access rights for individual users and groups. Changes take effect immediately, so permissions stay easy to manage and the API stays secured. The root administrator will maintain the organization's REST API access through a simple enable/disable toggle. This centralized control guarantees comprehensive security and access management.
Configure the REST API Access Control feature.
By assigning specific permissions to individual users and groups, only authorized personnel have the necessary privileges to use the REST API.
Important considerations
- REST API Access Control is optional.
All users have access by default once the REST API is enabled in the root admin. However, when you opt in to Access Control, you must manually add users and groups.
- Once you opt in to Access Control, you must manage access for all users and groups. To disable Access Control, select Admin > Organization > Details, then select No next to REST API Managed Access is enabled.
- Previously, new users were automatically granted access if the REST API was enabled. With Access Control, you must manually add users and groups for access. Don't opt in to this feature if you want everyone in your company to have access.
Best practices
- To simplify management, rather than granting REST API access to individual users, create a dedicated REST API user group.
- If access to the REST API stops working, organization admins can notify the system admin to see if it's disabled in the root admin. The ability to manage users and groups is still available, but the REST API can't be used until it is re-enabled.
To configure REST API Access Control:
- (Recommended) Add a dedicated REST API user group. Important: complete this step prior to configuration to prevent interruptions in REST API access.
- Configure REST API Access Control:
  - From the Jama Connect header, select Admin > Organization > REST API, then select Configure access control.
    The configuration wizard opens, starting the process of opting into Access Control. Until you finish the configuration wizard, all users can access the REST API.
  - Select Managed access, then select Next.
  - (Optional) Search for or enter the name of the users or groups you want to add, then use the arrow to add them to the Selected groups/users column.
  - Select I understand this change might impact integrations.
  - Select Save.
Manage REST API access for groups and users.
After configuring Access Control, you can add and remove groups and users to manage access to the REST API.
To create a new user and a new group.
Important considerations
- To access this feature, admins must complete the Access Control configuration wizard.
- When an organization admin changes a user's permissions from Organization > Users > Add user instead of modifying their existing permissions, all previously granted permissions are reset. As a result, you will need to reassign REST API access to the user.
- To remove a user, remove them from all groups with REST API access where they are members. Otherwise, they still have access to the REST API.
- All searches are exact, meaning a search doesn't return a match for users who are only in a group. For example, if you search for "Jeff" and they are only in a group, they don't appear in the search results. This is another reason to manage users within groups rather than individually.
- If REST API access is disabled, you see the message "REST API access is disabled in root administration. Until it's re-enabled, groups/users won't be able to utilize it." You can still manage access, but you can't access the REST API until it's re-enabled.
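The access rules spelled out in the two "Important considerations" lists above (everyone has access until you opt in to managed access; the root admin toggle overrides everything; a user keeps access through any granted group until they are removed from it; an exact user search does not reveal group-derived access) are captured below as a small Python model. This is an added example written for this page, not Jama Connect's own code or REST API; the AccessControlState class, the DIRECTORY sample data, the usernames and the function names are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessControlState:
    """Constructed model of the settings this page describes (not Jama's data model)."""
    root_enabled: bool = True                 # root admin enable/disable toggle
    managed_access: bool = False              # "REST API Managed Access is enabled" opt-in
    granted_users: set[str] = field(default_factory=set)   # direct grants
    granted_groups: set[str] = field(default_factory=set)  # group grants


# Constructed sample directory: group name -> member usernames (not real data).
DIRECTORY = {
    "rest-api-users": {"alice", "jeff"},
    "engineering": {"jeff", "maria"},
    "qa": {"sam"},
}


def groups_of(user, directory):
    """All groups the user belongs to."""
    return {g for g, members in directory.items() if user in members}


def access_paths(user, state, directory):
    """Every reason the user can reach the REST API; empty list means no access.

    The root toggle wins over everything, and unmanaged access means everyone.
    Under managed access a direct grant and each granted group count separately,
    which is exactly why removing only the direct grant is not a full revocation.
    """
    if not state.root_enabled:
        return []
    if not state.managed_access:
        return ["all users (managed access is off)"]
    paths = []
    if user in state.granted_users:
        paths.append("direct grant")
    for g in sorted(groups_of(user, directory) & state.granted_groups):
        paths.append(f"member of group {g}")
    return paths


def has_access(user, state, directory):
    return bool(access_paths(user, state, directory))


def remove_direct_access(user, state, directory):
    """Mimic 'Remove access' on an individual user and report what access remains.

    A non-empty result means the user still reaches the API through a group and
    must also be removed from those groups (the page's removal consideration).
    """
    state.granted_users.discard(user)
    return access_paths(user, state, directory)


def effective_users(state, directory, all_users):
    """Everyone with REST API access, including members the exact UI search would not show."""
    return {u for u in all_users if has_access(u, state, directory)}


if __name__ == "__main__":
    state = AccessControlState(managed_access=True,
                               granted_users={"sam", "jeff"},
                               granted_groups={"rest-api-users"})
    everyone = {"alice", "jeff", "maria", "sam", "zed"}
    for u in sorted(everyone):
        print(u, access_paths(u, state, directory=DIRECTORY))
    print("after removing jeff's direct grant:", remove_direct_access("jeff", state, DIRECTORY))
    print("effective users:", sorted(effective_users(state, DIRECTORY, everyone)))
```

Running the block shows jeff still listed with "member of group rest-api-users" after his direct grant is removed, and effective_users includes alice even though she was never granted access individually; that is the gap an exact user search on the REST API page will not surface, and the reason the page recommends managing access through a dedicated group.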

Best practices
Rather than granting REST API access to individual users, create a dedicated REST API user group to simplify management.
To add REST API Access for groups and users:
- From the Jama Connect header, select Admin > Organization > REST API.
- Select Add access.
- From the Groups/users column, select or search for the groups or users you want to give access to, then use the arrow to add them to the Selected groups/users column.
- Select Add access.
  A message appears, confirming that REST API access was added for the selected users or groups.
To remove REST API Access for users and groups:
- From the Jama Connect header, select Admin > Organization > REST API.
- Select the group or user you want to remove, then select Remove access.
  A confirmation message appears.
- To confirm the access change, select Remove access.
  A message confirms that the REST API access was removed from the selected user or group.