Time Item Who Notes

Item: Welcome
  - Greetings and salutations

Item: General Info
  - Yuan Yao request for APIs for https://gogaucho.app/
  - Registrar/SIST checking with Jennifer Lofthus (UCSB policy coordinator) about using student ucsbnetids to access their schedule from GOLD in this app.

Axiomatics Data Redaction IAM
Axiomatics Data Redaction IAM

Item: Email Groups
Who: Steven Maglio
  - Should we add an email group for Business Approvers? (That way they won't get hit by emails for api-consumers@developer.ucsb.edu.)
  - Is there a programmatic way to distinguish between the two? (An attribute 'role': 'business-approver')

Item: GoGaucho
  Potential Plan
  - Seth Northrop will reach out to Jennifer Lofthus
  - For the Campus Web API Group
    - We will need to do a code review of the application
    - We will need to come up with language that says you will use the student credentials securely that they will need to sign
    - The language will also need to state terms of notifications for potential problems (will this make it an official endorsement which will then create legal liabilities?)
    - Most likely we should use the Standard DS (Data Security) agreement
    - We will need to do periodic reviews of the application to ensure the application keeps the security standards in place
  Our View Point on this Scenario
  - Student developed apps should be given just as much opportunity as staff developed apps
  - There needs to be a security review of any app that is using an API which requires approval before it's approved through the Campus Web API Gateway
  - Reviews of the application will be with the team that developed the application and the API Gateway Team
  - A previous review with a development team can be used to approve any future applications that they create
  - Student developed apps will need to sign extra agreements (like Security DS)
  - Staff developed apps will not need this because the agreement is already part of working on the campus

Item: API Call Quota Level
Who: Steven Maglio
  - Farah found the 100 requests per minute (default quota level) to be too limiting.
  - She also found that, the way the quota level is implemented, the system will literally have to wait for the full minute to expire before allowing requests to flow again.
  - The smallest increment of time we can do in the UI is per minute. The REST API has the same limitation.
  - What would we think about ...
    - 1000 per minute (60 ms per request)
    - 10000 per minute (6 ms per request)
    - 20000 per minute (3 ms per request)
  - I made some calls with the tracing tool turned on just to see how long a "simple call" takes to return.

Item: Workflow - Access Request
Who: Diana Antova
  - Diana Antova - Develop Access Request Workflow Requirements (https://help.library.ucsb.edu/browse/ APIGEE-146)
    - Use Scheduled Task to send Email asking for more information on new Access Requests
      - Need to include asking for Form to be filled out
      - Need to include list of API Products being asked for
      - Should include a line asking if a face to face meeting would be better
  - Vince Nievares - Document User Access Request Workflow for End Users (APIGEE-120)
  - Diana Antova - Create Access Request Workflow for End Users (APIGEE-87)
  - Review API publishing and access request approval process with Registrar - Diana Antova
    - Meeting scheduled for Oct 5 (today)
  - How do we allow logged in users to access the form?

Item: Workflow - Publish a New API
Who: Diana Antova
  - Dev Portal Documentation - How To Use the Publishing Workflow (APIGEE-119) - Ian Lessing (Unlicensed)
  - Steven Maglio Test the workflow with the Registrar office (Apigee APIGEE-161)
  - API publishers - fill in the form for each API, and have them approved by the business owners.
  - How do we allow logged in users to access the form?
  - Update: Text of Business Functional Email
    - Original: Departmental email that can be included in the communication with the business user.
    - Updated: In case we get ... Diana Antova will figure it out
  - Add example in description for Security Information
  - Move Protection Level above Security Information
  - Split Security Implementation
    - API Provider Security Implementation
    - Add Firewall/IP Restriction Options:
    - API Gateway Security Implementation
  - Availability Level description may need some wordsmithing

Item: @apibot - Powershell Conversion & Hosting
Who: Kevin Wu
  - Working on Kevin's Computer (node 8.9.X) (APIGEE-105 & APIGEE-101)
  - Apigee Authorization Module (AuthApigee)
  - Replacement Functionality Progress Update
    - apps
      - apps (no|approved|revoked|pending|all)
      - apps (approve|revoke) email developerApp
      - apps (approve|revoke) email developerApp apiProduct
      - apps search
      - apps users?
    - devs
    - targetserver
      - targetserver list <env>
      - targetserver (add|update) <env> <name> <hostname>
      - targetserver delete <env> <name>
    - companies
      - Kevin Wu will implement?
      - Need to build requirements
      - Need to build use cases
      - Need reporting that will display in developer.ucsb.edu
      - Need annual clean up times
  - Get operational on GCP
    - Kevin Wu has determined that GCP is not the right platform for the bot because of the difficulty in setting it up.
    - Kevin Wu tried out Heroku and found it really easy to work with. He wants to know if we can use this?
    - Kevin Wu will write up a request form and submit it to Matt Hall/Elise Meyer.
  - Heroku for deployment

Item: Google Analytics
Who: Christian Montecino
  - Talk about the full details of what we want to have Google Analytics track
  - Initial list
    - URL
    - Method (GET, POST, etc)
    - Category (Students, Academic, Dining, etc)
    - Response Time
    - HTTP Status Code (200, 401, etc)
  - Research

Action Items From Previous Meeting

Item: Service Account
Who: Steven Maglio
  - Attributes we want on it
    - ucsbCampusId
    - Department
    - Contact Name (probably primary person responsible)
    - Contact Email (probably a shared email address)
    - Callback App Url (for use with SSO)
    - ApigeeClientId (UID from Apigee)

Item: API Access Expected Usage
Who: Steven Maglio
  - Expected Usage Text and Legal-ize (Terms of Service) - page on App create
  - send the legal text to the developer on API access request - email
  - on auto-approve for API expected usage, send them the form to fill with a check-box to agree on API usage terms
  - email on requesting that they fill out the form for any non-auto approval - add same check-box
  - Do we have this documented? Has this been turned into an Apigee Ticket?

Item: API Proxy Standards
Who: Steven Maglio
  - Drop Minor Versions as a requirement
  - Write standard approach for departments that want to use Minor versions; using the approach is also optional.
  - Do we have this documented? Has this been turned into an Apigee Ticket?

Item: Developer Portal Front Page Updates
  - In About Section
    - Diana Antova - Add page about winning the Sautter Award
    - Diana Antova - If Diana thinks it's a good idea to add it to the main page, then she will work with Denise to do so

Item: API Versioning
Who: Steven Maglio
  - Do we have this documented? Has this been turned into an Apigee Ticket?

Item: CSF notification
Who: Diana Antova
  - Email csf to notify developers of existing APIs and the roadmap APIGEE-155

Item: API Health check
Who: Diana Antova
  - Steven Maglio will compare Pingdom and Uptime Robot
  - Reinard will check out Zabbix

Item: API Dictionary
Who: Diana Antova
  - API dictionary and data governance - define field meaning, naming conventions (Bruce Miller)

Item: Improved Documentation
Who: Diana Antova
  - More documentation, need testers that will help us define the optimal set.
  - Can we have a link to a documentation page?
  - dedicate a meeting to documentation once a month, try it on 12 Oct 2018

Item: API Selection page
Who: Ian Lessing (Unlicensed)
  - API select page - fix layout (denise)

Item: Accounts for separated employees/student
Who: Steven Maglio
  - What do we do with separated employees?
  - periodic verification (quarterly, yearly)