Authentication and Authorization
Overview
Security is enforced at the web service level: every call into the system, and API calls in particular, is subject to authentication and authorization. To call the web service for an Infinity-based application:
- You must be an authenticated user in that application.
- You must be granted security permission to the feature being used.
- If record-level security is enabled (site security, constituent security, etc.), you must have security permission to the record itself.
Trusted Subsystem Pattern
A popular pattern used to access Infinity data via a Web API is the Trusted Subsystem pattern. To satisfy requirement #1 above, calls to the Blackbaud CRM/ResearchPoint web service will be made using the credentials of a user account specifically created for this purpose (not to be confused with the user who is seeing the web page). That user account will be added to a System Role in BBEC that has been granted permission to use the feature such as the “Constituent Summary Profile View Form” feature (this satisfies security requirement #2). For this example, assume record-level security is disabled so requirement #3 is met – if it were enabled, we would simply need to use a constituent record for which we had access.
Tip: To see a PHP tutorial of the Trusted Subsystem Pattern in action, see Accessing Infinity/BBEC via PHP.
Tip: To learn more about granting permission to a feature, see Add Features to Infinity System Role.
One option is to authenticate against IIS/Active Directory. The AD account is linked to an application user within the database.
The software developer needs a username and password to authenticate against the IIS Server that houses the Infinity application. For ResearchPoint and selected Blackbaud CRM customers, the IIS Server is hosted by Blackbaud. Other Blackbaud CRM customers host their own installation; in most cases their IIS Server is configured to supply the domain name on the server side. If it is not, you must include the domain name in your credentials along with the username and password. For installations hosted by Blackbaud, your Blackbaud Professional Services technical representative can provide you with these credentials. An application user with system administrator rights in the application can create a new Microsoft Windows Active Directory (AD) account that is linked to an application user within the application using the administration features of the product. Customers do not have system administrator rights in a hosted scenario, so Blackbaud must create AD accounts and application users on their behalf.
The other option is to authenticate with a proxy user, which is an application user in the database. The software developer needs the proxy user's username and PAT to authenticate against the Infinity application database. Proxy users can access the AppFxWebService.asmx, vpp/bizops, and util/Datalist endpoints that can be created by ResearchPoint and Blackbaud CRM customers. Application users with the necessary permissions can create proxy users in the application using the product administration features.
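The gate a web application places in front of its service account when following the Trusted Subsystem pattern, as an added Python example that is not Blackbaud's code or SDK: it checks the three requirements listed under Overview before it builds the outbound call with the dedicated account's credentials. The HTTP Basic header, the endpoint path, and the user, feature and record names are assumptions or constructed samples; a real transport would send the returned request dict.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

class AccessDenied(Exception): pass

@dataclass(frozen=True)
class ServiceAccount:
    username: str
    password: str
    domain: Optional[str] = None  # set only when IIS does not supply the domain

    def login_name(self) -> str:
        return f"{self.domain}\\{self.username}" if self.domain else self.username

    def basic_auth_header(self) -> str:  # HTTP Basic is an assumption here
        raw = f"{self.login_name()}:{self.password}".encode()
        return "Basic " + base64.b64encode(raw).decode()

class TrustedSubsystem:
    def __init__(self, account: ServiceAccount, feature_grants: Dict[str, Set[str]],
                 record_check: Callable[[str, str], bool] = lambda user, rec: True):
        self.account = account                # credentials stay server-side
        self.feature_grants = feature_grants  # app user -> features they may use
        self.record_check = record_check      # record-level security hook

    def build_request(self, app_user: Optional[str], feature: str, record_id: str) -> dict:
        # Requirement 1: the caller must be an authenticated user of this application.
        if not app_user:
            raise AccessDenied("unauthenticated")
        # Requirement 2: this application, not the shared service account, decides
        # whether the user may invoke the feature; skip this and any page can use it.
        if feature not in self.feature_grants.get(app_user, set()):
            raise AccessDenied(f"{app_user} lacks {feature}")
        # Requirement 3: record-level security, when the site has it enabled.
        if not self.record_check(app_user, record_id):
            raise AccessDenied(f"{app_user} may not read {record_id}")
        return {"path": "/AppFxWebService.asmx",  # assumed endpoint path
                "headers": {"Authorization": self.account.basic_auth_header()},
                "feature": feature, "record_id": record_id}

    def is_allowed(self, app_user: Optional[str], feature: str, record_id: str) -> bool:
        try:
            return bool(self.build_request(app_user, feature, record_id))
        except AccessDenied:
            return False

# Constructed sample: one granted user; record-level security left disabled.
GATE = TrustedSubsystem(ServiceAccount("svc", "pw"),
                        {"alice": {"Constituent Summary Profile View Form"}})
```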