Impersonate a User with REST API
Learn how user impersonation transforms REST API calls, and why you would need to do it
This post delves into the concept of user impersonation when utilizing REST APIs in EPM applications. User impersonation allows the execution of API calls on behalf of a specific user, regardless of who is running the script that initiates the call.
Impersonate a User
Read the post Leveraging REST APIs in EPM Applications to see how to create a connection. A connection is retrieved by name from the named connections defined in the EPM application; each one already has its authentication, and optionally its headers and parameters, configured.
A REST API call made through a configured connection uses the credentials saved in that connection. The call therefore runs as the saved user, not as the user who may be executing the script that calls the REST API.
The Connection class offers the impersonate function that allows you to set the user that the connection object will impersonate.
impersonate(User user)
impersonate(String userName)
Use Cases for Impersonate
In most cases, it is not an issue that the REST API call runs with the connection's configured credentials rather than as the actual user. Impersonation is useful in cases such as:
Running a script that has to execute on behalf of the user and not the connection's configured user
Running a script that sets User Variables
Ensuring that the user's own security is applied when the connection's configured user might be an admin user
Using Impersonate in Your Code
I have created a simple script that just outputs the name of the calling user.
/*RTPS:*/
// Print the name of the user the rule is running as, if there is one
if (operation.hasUser()) {
    println(operation.user.name)
}
In another script, we call this rule first as the connection's default user and then a second time using impersonate.
/*RTPS:*/
// Job payload that launches the "Output Username" rule
def payload = new JSONObject()
    .put("jobType", "Rules")
    .put("jobName", "Output Username")
    .toString()

HttpResponse<String> jsonResponse

// First call: runs as the user saved in the "LOCAL" connection
jsonResponse = operation.application.getConnection("LOCAL")
    .post("HyperionPlanning/rest/v3/applications/EPBCS/jobs")
    .body(payload)
    .asString()
println(jsonResponse.status)
println(jsonResponse.body)

// Second call: same connection, executed on behalf of the user "shehzad"
jsonResponse = operation.application.getConnection("LOCAL")
    .impersonate("shehzad")
    .post("HyperionPlanning/rest/v3/applications/EPBCS/jobs")
    .body(payload)
    .asString()
println(jsonResponse.status)
println(jsonResponse.body)
We call the “Output Username” rule twice, using impersonate for the second call.
Before running this, ensure that the other user you want to impersonate is provisioned to run the target script (Output Username in our case).
As an admin, I can see the job log that shows all rules that have been executed.
Logging in as 'shehzad', I can see the rule in the job log.
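For the use case where the connection's configured user might be an admin, the script can impersonate the calling user instead of a hard-coded name. The following is an added example, not code from the original post; it reuses the post's "LOCAL" connection and "Output Username" rule, and assumes that operation.user is the User object the impersonate(User user) overload accepts and that the rule should stop when there is no calling user.

```groovy
/*RTPS:*/
// Added example (not from the original post): run the job as the calling
// user so that user's own security applies, and fail closed otherwise.
// "LOCAL", the jobs URL and "Output Username" are reused from the post.

// Assumption: with no calling user, the rule must not fall back to the
// connection's saved (possibly admin) credentials, so stop here.
if (!operation.hasUser()) {
    println("No calling user; job not submitted with the connection's saved credentials")
    return
}

def payload = new JSONObject()
    .put("jobType", "Rules")
    .put("jobName", "Output Username")
    .toString()

// impersonate(User user) overload: pass the calling user object rather
// than a hard-coded user name.
HttpResponse<String> jsonResponse = operation.application.getConnection("LOCAL")
    .impersonate(operation.user)
    .post("HyperionPlanning/rest/v3/applications/EPBCS/jobs")
    .body(payload)
    .asString()

// Record which user the call ran as, next to the HTTP status.
println("Submitted as ${operation.user.name}: HTTP ${jsonResponse.status}")

// Surface a rejected submission, for example when the impersonated user
// is not provisioned to run the target rule.
if (jsonResponse.status < 200 || jsonResponse.status > 299) {
    println("Job submission rejected: ${jsonResponse.body}")
}
```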
Summary
In this post, we have seen:
how to impersonate a user
some use cases where this can be helpful
an example script to show how it works