API User Best Practice

Zuora Alumni

What are the Best Practices for configuring and using API users?


Accepted Solution

Zuora Alumni

Re: API User Best Practice

The API User role is meant for systems making API calls to Zuora and should never be used to log into the UI.

Many API applications require some sort of elevated permissions, and having a single user / profile usually ends up having most (if not all) access. This increases the scope of access unnecessarily should someone, or some system, get unintended access to the API login.

Here are some best practice guidelines to help limit and segment access:

Have a separate API User for each integration

Create an API user for each integration and include it as a managed/controlled asset.

This limits access scope within Zuora to that particular application, and further limits edge cases like one system locking out another.

If someone inadvertently/accidentally attempts to log in as the API user, a password expiration will immediately occur and the API User will be locked out.

Have different profiles for different domains

Separate the scope/domain that a particular API user can be used for with profiles.

One (of many) schemes is to create profiles for your organization's access domains.

For example:

  • QA
  • Development
  • Staging
  • UAT
  • Production

Separate profiles will allow you to set different white lists.

White Listing IPs

This controls where the API user will be allowed to log in from.

This will help avoid accidental logins, logins from systems with expired credentials, and also help prevent malicious login attempts.

Security Best Practices

Of course your organization should follow security best practices, and not limit those practices to API users.

All user accounts (especially Admin accounts) should be included in your change control and managed as you would any other critical system component/asset.

We'd love to hear about how you have dealt with this in your organization or the challenges you have faced.

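As an added illustration (not from the original post and not Zuora tooling), here is a small Python audit over constructed login events that checks two of the rules above: an API user never logs into the UI, and every login's source IP falls inside the allow-list of the user's profile; it also flags a user accumulating failed logins, the lockout case the post mentions. The log format, user names, profile names and addresses are all invented for the example.

```python
"""Audit constructed login events against the API-user rules from the post."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical names): one API user per integration,
# each bound to a profile whose IP allow-list reflects its environment.
PROFILES = {
    "api-production": ["203.0.113.0/24"],
    "api-staging": ["198.51.100.0/24"],
}
API_USERS = {
    "svc-billing-sync": "api-production",
    "svc-reporting": "api-staging",
}

# Constructed sample login audit lines (not Zuora's real log format):
# <user> <channel: api|ui> <source_ip> <result: success|failure>
SAMPLE_LOG = """\
svc-billing-sync api 203.0.113.10 success
svc-billing-sync ui 203.0.113.10 success
svc-reporting api 192.0.2.77 success
svc-reporting api 198.51.100.5 failure
alice ui 203.0.113.10 success
"""


def audit(log_text, users=API_USERS, profiles=PROFILES, lockout_threshold=3):
    """Return a list of (user, reason) findings for API-user policy violations."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        user, channel, src, result = line.split()
        if user not in users:
            continue  # human account: out of scope for the API-user rules
        if channel == "ui":
            # Rule: the API User role must never be used to log into the UI.
            findings.append((user, "api_user_ui_login"))
        allowed = profiles[users[user]]
        if not any(ip_address(src) in ip_network(cidr) for cidr in allowed):
            # Rule: profile allow-list controls where the user may log in from.
            findings.append((user, f"source_not_allowlisted:{src}"))
        if result == "failure":
            failures[user] += 1
    for user, count in failures.items():
        if count >= lockout_threshold:
            # Repeated failures on one integration's user risk locking it out.
            findings.append((user, f"lockout_risk:{count}_failures"))
    return findings


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_LOG):
        print(f"{user}: {reason}")
```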
