Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

As a developer, we have to secure the exposed endpoints (APIs) according the desired permission rules.

openIMIS backend is configured with 2 authorizations layers:

  • the django default (basic) permissions mechanism
  • the RBAC ‘django-rules’ extensions

If any of the 2 layer grants the access, the access is given to the user.


openIMIS endpoints can be:

  • django straight ‘views’ endpoints
  • django-rest-framework endpoints (recommended)


The django straight ‘views’ endpoints must be explicitly defined by the developers (please refer to https://docs.djangoproject.com/en/2.1/topics/security/ )


The django-rest-framework, however, has been configured to enforce the default (type-based) django permissions mapping: GET on <module>.view_<model>, POST on <module>.add_<module>,...


For finer grained security (object-level) the django-rules module has been configured and is readily available for use (declaring predicates,...).

  • No labels

Did you encounter a problem or do you have a suggestion?

Please contact our Service Desk


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/