Security Enhancement for OData Queries
The security enhancement for OData queries applies to system integrations with Anthology Student APIs. Integrations use Commands, REST services, and OData endpoints. Previously, every OData endpoint (query) was available to any authenticated user, including API users: authentication alone granted full access to all queries. This enhancement secures access to OData endpoints in the Query Model in the same manner as the Command Model APIs. If a user outside of the Anthology Student UI attempts to access a Query Model entity to which they have no access, the controller responds with the status "401 Unauthorized".
The OData endpoint security enhancement takes effect with the following releases:
- Anthology Student 21.2.0
- Faculty Workload Management (FWM) 1.2.0
- Financial Aid Automation (FAA) 8.2.0
- Regulatory 12.2.0
OData Query Authorization
In prior versions of these products, once a user (or third party) was authenticated in Anthology Student, all OData endpoints and all OData queries were available for use. Access to the Query Model was not restricted via NetSqlAzMan (NSA) in the Security Console.
The OData endpoint security enhancement establishes NSA authorization for the Query Model by adding all Query Model entities to the NSA configuration file. All query operations in NSA are contained in the new Task "All Query Operations" in the Security Console. For backward compatibility, the Task "All Query Operations" has been assigned to the CMC System Administrators Role. This Task needs to be added to any other roles where backward compatibility is desired. Individual organizations can create custom Tasks from the operations added to the model as needed and assign them to roles as required.
With this enhancement, access to queries is restricted and a query operation is added for each entity. Examples of the query operations include:
- Academics.Course.Query
- Common.Student.Query
- Crm.DocumentType.Query
The naming pattern for query operations is <Module>.<Entity>.Query.
Users executing OData queries will need either a QueryToken (cookie) provided by the Anthology Student UI or authorization granted in NSA for the specific Query Model entities requested in the query.
Note: Users logging in via Anthology Student will not be affected by this change. Access to the various areas of the application continues to be controlled via the Tasks assigned in the Security Console.
The enhancement requiring OData query authorization may impact the following audiences:
- Partners doing integrations with Anthology Student
- Clients who have already leveraged this ability in prior versions of the product
- Client implementations that use custom logic created by our Professional Services team
- Professional Services teams working on integration projects
Configure OData Query Authorization
When you begin working with Anthology Student version 21.2 or any of the other product versions listed above, open the Security Console and do one of the following:
- Grant the Task "All Query Operations" to everyone who needs access to this capability. This is not the recommended approach, but it mirrors the previous behavior.
Note: The "All Query Operations" Task is not assigned to the Anthology System Administrators Role. The administrator Role (Group) already has an "All Operations" Task that includes the new query operations; this is done automatically.
— OR —
- Build custom Tasks for groups/roles and grant them only the query operations they need, adding query operations to Tasks as necessary. You can filter the operations and entities to create custom Tasks. This is the recommended long-term approach.
One Task which includes all of the query operations could also be added, for example "System.Query.All" or similar. This would reproduce the behavior that users of the Anthology Student UI currently have, with access to all entries in the OData Query Model.
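The following is an added example, not Anthology code: it models the authorization rule described above (a QueryToken cookie from the UI, or NSA grants for every entity a query touches) so an integrator can work out which query operations a custom Task must contain before the controller answers "401 Unauthorized". Only the <Module>.<Entity>.Query naming pattern, the three example operations and the "All Query Operations" Task come from the page; the Role/Task model, the role and task names and the sample query are constructed for illustration and do not reflect the real NSA data structures.

```python
"""Added example (not Anthology code): plan and check NSA query-operation
grants for an integration before it hits a "401 Unauthorized".

Only the operation naming pattern <Module>.<Entity>.Query and the
"All Query Operations" Task come from the page; the Role/Task model,
role and task names and the sample query are constructed for illustration."""

from dataclasses import dataclass

# Built-in Task that grants every *.Query operation (name from the page).
ALL_QUERY_OPERATIONS = "All Query Operations"


def query_operation(module: str, entity: str) -> str:
    """NSA operation name for querying one entity: <Module>.<Entity>.Query."""
    return f"{module}.{entity}.Query"


def operations_for_query(root: tuple, expands: tuple = ()) -> frozenset:
    """Every entity a query touches needs its own .Query operation: the root
    entity plus each entity the query pulls in (for example via $expand)."""
    return frozenset(query_operation(m, e) for m, e in (root, *expands))


@dataclass
class Role:
    """Hypothetical model of a Security Console Role: Task name -> operations."""
    name: str
    tasks: dict

    def granted(self) -> frozenset:
        """Union of every operation granted by any Task on the Role."""
        return frozenset().union(*self.tasks.values())

    def has_all_query_operations(self) -> bool:
        return ALL_QUERY_OPERATIONS in self.tasks


def missing_operations(role: Role, required: frozenset) -> frozenset:
    """Operations the query needs that the Role does not grant. The
    'All Query Operations' Task covers every .Query operation, so nothing
    is missing when it is assigned."""
    if role.has_all_query_operations():
        return frozenset()
    return required - role.granted()


def authorize(required: frozenset, role=None, has_query_token=False) -> str:
    """Mirror the two paths the page describes: a QueryToken cookie from the
    Anthology Student UI is sufficient; otherwise NSA must grant every
    operation the query needs. Status strings follow the page."""
    if has_query_token:
        return "200 OK"
    if role is None or missing_operations(role, required):
        return "401 Unauthorized"
    return "200 OK"


def custom_task_for(queries) -> frozenset:
    """Least-privilege alternative to 'All Query Operations': the union of the
    operations an integration's queries actually need, ready to be built as a
    custom Task in the Security Console."""
    return frozenset().union(*queries)


# Constructed scenario: an integration Role granted only two entities.
INTEGRATION_ROLE = Role(
    "Integration Partner",
    {"Integration.Query": {"Academics.Course.Query", "Common.Student.Query"}},
)
COURSES_ONLY = operations_for_query(("Academics", "Course"))
# A student query that also pulls in document types needs a third operation.
STUDENT_WITH_DOCTYPES = operations_for_query(
    ("Common", "Student"), (("Crm", "DocumentType"),)
)


def demo() -> dict:
    """Run the scenario and return the decisions for inspection."""
    return {
        "courses_only": authorize(COURSES_ONLY, INTEGRATION_ROLE),
        "student_with_doctypes": authorize(STUDENT_WITH_DOCTYPES, INTEGRATION_ROLE),
        "missing": sorted(missing_operations(INTEGRATION_ROLE, STUDENT_WITH_DOCTYPES)),
        "ui_user_with_cookie": authorize(STUDENT_WITH_DOCTYPES, has_query_token=True),
        "custom_task": sorted(custom_task_for([COURSES_ONLY, STUDENT_WITH_DOCTYPES])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the scenario shows the course-only query succeeding, the student query that expands document types failing because `Crm.DocumentType.Query` is not granted, and the same query succeeding for a UI session carrying the QueryToken cookie. The `custom_task_for` result is the operation set you would build into a custom Task instead of granting "All Query Operations" wholesale.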