2018-10-19 Meeting Notes

Date

19 Oct 2018

Attendees

Steven Maglio
Ian Lessing (Unlicensed)
Vince Nievares		(Sick)
Kevin Wu
Diana Antova
Reinard Dolleschel		(Sick)
christian.montecino (Unlicensed)

Goals

Updates on continuing development
Review, organize and add to work items

Discussion items

Item	Who	Notes
Welcome		Greetings and salutations
General Info		Axiomatics Data Redaction IAM
Email Groups	Steven Maglio	Should we add an email group for Business Approvers (that way they won't get hit by emails for api-consumers@developer.ucsb.edu) Is there a programmatic way to distinguish between the two? (An attribute 'role': 'business-approver')
GoGaucho		Potential Plan Seth Northrop will reach out to Jennifer Lofthus For the Campus Web API Group We will need to do a code review of the application We will need to come up with language that says you will use the student credentials securely that they will need to sign The language will also need to state terms of notifications for potential problems (will this make it an official endorsement which will then create legal liabilities ) Most likely we should use the Standard DS (Data Security) agreement We will need to do periodic reviews of the application to ensure the application keeps the security standards in place Our View Point on this Scenario Student developed apps should be given just as much opportunity as staff developed apps Their needs to be a security review of any app that is using an API which requires approval before it's approved through the Campus Web API Gateway Reviews of the application will be with team that developed the application and the API Gateway Team A previous review with a development team can be used to approved any future applications that they create Student developed apps will need to sign extra agreements (like Security DS) Staff developed apps will not need this because the agreement is already part of working on the campus
API Call Quota Level	Steven Maglio	Farah found that the 100 requests per minute (default quota level) to be too limiting. She also found that the way the quota level is implemented, the system will literally have to wait for the full minute to expire before allowing requests to flow again. The smallest increment of time we can do in the UI is per minute. The REST API has the same limitation. What would we think about ... 1000 per minute (60 ms per request) 10000 per minute (6 ms per request) 20000 per minute (3 ms per request) I made some calls with the tracing tool turned on just to see how long a "simple call" takes to return.
Workflow - Access Request	Diana Antova	Diana Antova - Develop Access Request Workflow Requirements (APIGEE-146) Use Scheduled Task to send Email asking for more information on new Access Requests Need to include asking for Form to be filled out Need to include list of API Products being asked for Should include a line asking if a face to face meeting would be better Vince Nievares - Document User Access Request Workflow for End Users (APIGEE-120) Vince added text to the Using Your First API Pages. He will create a full page for the whole process and link to the Access Request Form Document and how to use it. Diana Antova - Create Access Request Workflow for End Users (APIGEE-87) Requirements: Access Request Workflow Requirements Review API publishing and access request approval process with Registrar - Diana Antova Meeting scheduled for Oct 5 (today) How do we allow logged in users to access the form?
Workflow - Publish a New API	Diana Antova	Dev Portal Documentation - How To Use the Publishing Workflow (APIGEE-119) - Ian Lessing (Unlicensed) Steven Maglio Test the workflow with the Registrar office (APIGEE-161) API publishers - fill in the form for each API, and have them approved by the business owners. How do we allow logged in users to access the form? Update: Text of Business Functional Email Original: Departmental email that can be included in the communication with the business user. Updated: In case we get ... Diana Antova will figure it out Add example in description for Security Information Move Protection Level above Security Information Split Security Implementation API Provider Security Implementation Add Firewall/IP Restriction Options: Remove OpenID API Gateway Security Implementation Options: API Key OAuth Availability Level description may need to word smithing
@apibot - Powershell Conversion & Hosting	Kevin Wu	Working on Kevin's Computer (node 8.9.X) (APIGEE-105 & APIGEE-101) Apigee Authorization Module (AuthApigee) Replacement Functionality Progress Update apps apps (no\|approved\|revoked\|pending\|all) apps (approve\|revoke) email developerApp apps (approve\|revoke) email developerApp apiProduct apps search apps users? Kevin Wu will implement? devs devs created <days=1> targetserver targetserver list <env> targetserver (add\|update) <env> <name> <hostname> targetserver delete <env> <name> companies Kevin Wu will implement? Need to build requirements Need to build use cases Need reporting that will display in developer.ucsb.edu Need annual clean up times Get operational on GCP Kevin Wu has determined that GCP is not the right platform for the bot because of the difficulty in setting it up. Kevin Wu tried out Heroku and found it really easy to work with. He wants to know if we can use this? Kevin Wu will write-up a request form and submit it to Matt Hall/Elise Meyer. Heroku for deployment
Google Analytics	Christian Montecino	Talk about the full details of what we want to have google analytics track Initial list URL Method (GET, POST, etc) Category (Students, Academic, Dining, etc) Response Time HTTP Status Code (200, 401, etc) Research https://trevorfox.com/2015/06/ga-measurement-protocol-track-service/
Action Items From Previous Meeting
Service Account	Steven Maglio	Attributes we want on it ucsbCampusId Department Contact Name (probably primary person responsible) Contact Email (probably a shared email address) Callback App Url (for use with SSO) ApigeeClientId (UID from Apigee) Steven Maglio - Send to Campus IdM Team
API Access Expected Usage	Steven Maglio	Expected Usage Text and Legal-ize (Terms of Service) - page on App create send the legal text to the developer on API access request - email on auto-approve for API expected usage, send them the form to fill with a check-box to agree on API usage terms email on requesting that they fill out the form for any non-auto approval- add same check-box Do we have this documented? Has this been turned into an Apigee Ticket?
API Proxy Standards	Steven Maglio	Drop Minor Versions as a requirement Write standard approach for departments that want to use Minor versions; using the approach is also optional. Do we have this documented? Has this been turned into an Apigee Ticket?
Developer Portal Front Page Updates		In About Section Diana Antova - Add page about winning the Sautter Award Diana Antova - If Diana thinks its a good idea to add it to the main page, then she will work with Denise to do so
API Versioning	Steven Maglio	Define Requirements: API Versioning Requirements How to set them up in Apigee and Portal (Gary Scott) Do we have this documented? Has this been turned into an Apigee Ticket?
CSF notification	Diana Antova	Email csf to notify developers of existing APIs and the roadmap APIGEE-155
API Health check	Diana Antova	Steven Maglio will compare Pingdom and Uptime Robot Reinard will check out Zabbix
API Dictionary	Diana Antova	API dictionary and data governance - define field meaning, naming conventions (Bruce Miller) Diana Antova work with DS team to create a dictionary
Improved Documentation	Diana Antova	More documentation, need testers that will help us define the optimal set. Can we have a link to a documentation page? dedicate a meeting to documentation once a month, try it on 12 Oct 2018
API Selection page	Ian Lessing (Unlicensed)	API select page - fix layout (denise)
Accounts for separated employees/student	Steven Maglio	What do we do with separated employees periodic verification (quarterly, yearly) Steven Maglio Create requirements in Confluence

2018-10-19 Meeting Notes

Attendees

Goals

Discussion items

Action items