Access Request Workflow Requirements
Background & Business Value
We need a workflow that lets developers on campus request access to API products that require approval before use. This is a common use case.
Goals
- Store information about user applications (contact information and other general details) and keep a record of the approval to use API products for a specific application.
Assumptions
- The approval of APIs will be done by business users in most cases, such as the Registrar office.
- Other approvals might be done by technical managers at ETS, ARIT, etc.
- API and API product are used interchangeably in this document. Developers can request access only to API products.
- Roles:
- API Admin - a user role in the portal that gives elevated access to manage the API and Application contents.
- Business Approver - a user role in the portal that allows users to approve publishing and application access requests.
- Developer - a user role in the portal assigned to every person creating an application and requesting access to API products.
- Gateway Admin - a person that has admin rights in the Apigee gateway.
- All gateway admins are also API admins in the developer portal.
- Developer portal: developer.ucsb.edu
Out of Scope
Requirements
Ticket(s) | Title | User Story | Priority | Notes |
---|---|---|---|---|
 | Request API access | As a Developer, I need a way to request access to API products for my Apps. | MUST HAVE | |
 | Notify developers of API approval | As a developer, I would like to receive a notification when my API access is approved, for both automatic and manual approvals. | MUST HAVE | |
 | Notify developer of the process to get access | After a developer submits a request to use API products that require approval, the system should email them the process to follow. | MUST HAVE | |
 | Display a link to documentation on how to submit the access request form | The system should display a link to documentation on how to submit an access request form. | NICE TO HAVE | |
 | Submit access approval documentation | As a developer, I need to submit the required documentation to have my API access approved. | MUST HAVE | |
 | Business approver approves or denies API access | As the business owner of the data and an API approver, I want to be notified of a pending approval. I want to review the information submitted, contact the developer if I have questions, request changes, and record my approval or denial. | MUST HAVE | |
 | Admins receive notification of a new API request form submission | Once a developer submits the request form, an email is sent to support@developer.ucsb.edu. One of the API administrators fills in the gateway administrator and a business approver on the form. | MUST HAVE | |
 | Gateway admin approves or denies API access | After the business approver approves access to the API product, the gateway admin is notified to review the request and approve or deny it. | MUST HAVE | |
 | Provide easy access to application contact info and other information | As a developer, business approver, API admin or gateway admin, I would like to see a list of applications with their contact information and other details. | MUST HAVE | |
 | Allow access requests for API products approved by different departments | As a developer, I want to make one request for all the APIs I need, regardless of which department approves each one. As an API approver, I would like a way to approve my part of a request even when multiple approvers are involved. | MUST HAVE | |
User Interaction, Design & Architecture
- The workflow we want
- Developer (End User)
- 1. Create an Account on https://developer.ucsb.edu
- 2. Create an App on https://developer.ucsb.edu
- When creating an app, click on the APIs I would like to use
- TODO: Update the API Request Page (My Apps) in Drupal to include text, between the App Name/Callback URL fields and the API Product list, stating that any API product marked "Access Approval Required" needs an API Access Request Workflow submission, with a link to the documentation on how to fill the workflow out.
- Make a Jira ticket out of this
- Gateway Admin
- 3. The monitoring service sends an email that an application has requested access to an API (that isn't auto-approved)
- The monitoring service should also email the requesting developer to inform them that they will need to fill out the API Access Request Workflow, with a link to the documentation on how to fill it out.
- Developer (End User)
- 4. Fills out the API Access Request Workflow Form on https://developer.ucsb.edu and submits it
- Submission should email support@sa.ucsb.edu that a new API Access Request Workflow was filled out
- Gateway Admin
- 5.
- Developer (End User)
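The desired workflow above, modelled as a small state machine so that the two requirements the table calls out can be checked mechanically: one request may cover API products owned by different departments, and the gateway admin may only grant once every business decision is recorded, with a denied product staying denied rather than the whole request being lost. This is an added example, not code from the developer portal or from Apigee; the product catalogue, approver addresses, gateway admin list and support mailbox are constructed stand-ins, and the per-product approver mapping is an assumption about how the portal would route requests.

```python
"""Added example (not UCSB portal or Apigee code): two-stage API access workflow.
All products, addresses and role memberships below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(str, Enum):
    AUTO_APPROVED = "auto-approved"
    PENDING_BUSINESS = "pending business approval"
    PENDING_GATEWAY = "pending gateway approval"
    APPROVED = "approved"
    DENIED = "denied"


# Assumed routing table: API product -> business approver (None = auto-approved).
PRODUCT_APPROVERS = {
    "campus-directory": None,
    "student-records": "registrar@example.edu",
    "course-catalog": "registrar@example.edu",
    "payroll-summary": "hr-data@example.edu",
}
GATEWAY_ADMINS = {"gateway-admin@example.edu"}  # assumed role membership
SUPPORT_MAILBOX = "support@example.edu"         # stand-in for the support address


@dataclass
class Decision:
    """One recorded approval or denial: which product, by whom, and when."""
    product: str
    actor: str
    approved: bool
    note: str = ""
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class AccessRequest:
    app_name: str
    developer: str
    products: list
    decisions: list = field(default_factory=list)      # append-only audit record
    notifications: list = field(default_factory=list)  # (recipient, message) pairs
    granted: set = field(default_factory=set)

    def __post_init__(self):
        unknown = [p for p in self.products if p not in PRODUCT_APPROVERS]
        if unknown:
            raise ValueError(f"unknown API product(s): {unknown}")
        # Monitoring step: only products that need approval start the workflow.
        if self.pending_approvers():
            self._notify(SUPPORT_MAILBOX, f"{self.app_name}: new access request from {self.developer}")
            self._notify(self.developer, "Some requested products need the API Access Request Workflow")
            for approver in sorted(self.pending_approvers()):
                self._notify(approver, f"{self.app_name}: approval pending for your products")

    def _notify(self, recipient, message):
        self.notifications.append((recipient, message))

    def product_status(self, product):
        if product in self.granted:
            return Status.APPROVED
        if PRODUCT_APPROVERS[product] is None:
            return Status.AUTO_APPROVED
        history = [d for d in self.decisions if d.product == product]
        if not history:
            return Status.PENDING_BUSINESS
        return Status.PENDING_GATEWAY if history[-1].approved else Status.DENIED

    def pending_approvers(self):
        return {PRODUCT_APPROVERS[p] for p in self.products
                if self.product_status(p) is Status.PENDING_BUSINESS}

    def status(self):
        """Request-level view; APPROVED means at least one product is usable."""
        statuses = [self.product_status(p) for p in self.products]
        if Status.PENDING_BUSINESS in statuses:
            return Status.PENDING_BUSINESS
        if Status.PENDING_GATEWAY in statuses:
            return Status.PENDING_GATEWAY
        if Status.APPROVED in statuses or Status.AUTO_APPROVED in statuses:
            return Status.APPROVED
        return Status.DENIED

    def business_decide(self, actor, product, approved, note=""):
        # Only the approver mapped to the product may decide it, and only once.
        if product not in self.products:
            raise ValueError(f"{product} is not part of this request")
        if PRODUCT_APPROVERS[product] != actor:
            raise PermissionError(f"{actor} is not the business approver for {product}")
        if self.product_status(product) is not Status.PENDING_BUSINESS:
            raise ValueError(f"{product} has already been decided")
        self.decisions.append(Decision(product, actor, approved, note))
        self._notify(self.developer, f"{product}: {'approved' if approved else 'denied'} by {actor}")
        if self.status() is Status.PENDING_GATEWAY:
            for admin in sorted(GATEWAY_ADMINS):
                self._notify(admin, f"{self.app_name}: business approvals complete, ready to grant")
        return self.status()

    def gateway_grant(self, actor):
        """Grant only business-approved products; denied ones stay denied."""
        if actor not in GATEWAY_ADMINS:
            raise PermissionError(f"{actor} is not a gateway admin")
        if self.status() is not Status.PENDING_GATEWAY:
            raise ValueError(f"cannot grant while request is '{self.status().value}'")
        grantable = sorted(p for p in self.products
                           if self.product_status(p) is Status.PENDING_GATEWAY)
        self.granted.update(grantable)
        self.decisions.append(Decision("*", actor, True, f"gateway grant: {grantable}"))
        self._notify(self.developer, f"{self.app_name}: access granted to {grantable}")
        return grantable
```

The `decisions` list is the approval record the Goals section asks for: every business decision and the final gateway grant are appended with actor and timestamp, and nothing is ever removed. A request whose products are all auto-approved generates no notifications and never enters the workflow, which matches the "isn't auto-approved" condition on the monitoring step.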
Examples and References
- Current Workflow (as of )
- Developer (End User)
- 1. Create an Account on https://developer.ucsb.edu
- 2. Create an App on https://developer.ucsb.edu
- When creating an app, click on the APIs I would like to use
- Gateway Admin
- 3. The monitoring service sends an email that an application has requested access to an API (that isn't auto-approved)
- 4. The Gateway Admin then emails the Developer an Access Request Form and explains what information they need to provide. Documentation of the form and of what we need from the developer should be implemented with APIGEE-120.
- The Gateway Admin includes who (the business approvers) should be emailed by the Developer, with a note to CC the Gateway Admins for awareness.
- Developer (End User)
- 5. Works with their department staff to fill in the form and get the required signatures.
- 6. Sends the Request Form and any additional information to the Business Approvers (with the Gateway Admins CC'ed) through email
- The Gateway Admin saves the initial request document in the Box storage area.
- Business Approvers
- 7. Receive the Request Form, do their internal review, and complete a feedback loop with the Developer (End User).
- 8. Upon approval or denial, they send an email to the Developer (End User) and the Gateway Admins.
- Gateway Admin
- 9. Upon Approval
- The Gateway Admin then grants the App access to the API
- The Gateway Admin saves the finalized document in the Box storage area with "- APPROVED" appended to the filename.
- 9a. Upon Denial
- The Gateway Admin then denies the App access to the API
- The Gateway Admin saves the finalized document in the Box storage area with "- DENIED" appended to the filename.
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|