I have a query param in Azure APIM called sort that has Ascending and Descending as the "values".
What does this actually do?
I'm still able to call this endpoint and pass in values other than Ascending and Descending, and the value gets forwarded to the backend service without any issues.
This is more of documentation/guidance and predefined values for your web APIs, so that the developers who use the developer portal know what the right and accepted values to supply there are. You as an API author decide how to deal with non-compliant values, which you can enforce through APIM policies and policy expressions.
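One way to enforce the allowed values at the gateway, shown as an added example that is not part of the original answer: an inbound policy on the operation that rejects any `sort` value other than the two documented ones before the request is forwarded. It assumes the parameter is optional and that an exact, case-sensitive match is wanted; the error body is constructed for illustration.

```xml
<policies>
    <inbound>
        <base />
        <!-- The "values" list on the parameter is documentation only,
             so the check has to be done explicitly in policy. -->
        <choose>
            <when condition="@{
                // Query values arrive as a comma-joined string, so a repeated
                // parameter (?sort=Ascending&sort=x) fails the exact match too.
                var sort = context.Request.Url.Query.GetValueOrDefault("sort", "");
                if (sort == "") { return false; }   // assumption: parameter is optional
                return !(sort == "Ascending" || sort == "Descending");
            }">
                <!-- Stop here: the backend never sees the non-compliant value. -->
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"sort must be Ascending or Descending"}</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Placed at operation scope, the check applies only to the operation that declares the `sort` parameter.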
I have a product published that does not require a subscription. The 4 APIs that compose it also do not. How can I define policies on a product level?
Such policies seem to work only when both the APIs AND the product require subscription AND the request is made using the product subscription key.
Prerequisites:
API subscription switched off:
Product subscription switched off:
Product added to API:
Product has policies defined, example:
If the above points are true, just call your API without the Ocp-Apim-Subscription-Key header and APIM will automatically execute the API and attached product policies. If you provide Ocp-Apim-Subscription-Key with a correct value, for example the administrator subscription key, APIM will only execute the API policies.
To reduce the frustration it is important to understand policy order execution. Read the whole article here but in short the order is:
Global scope
Product scope
API scope
Operation scope
One last thing: if a non-subscription product is attached to a non-subscription API and its policies are executed automatically, you may wonder what happens if we add a second open product to the API. Policies from which product will be executed? Turns out, this is not possible (which makes sense). Attempting to add a second open product will result in the following error:
I am using Azure API Management to proxy requests from Internet to our backend systems. I have a Product entry on Azure Portal and an API entry associated with the product. Generally access to the API must be by subscription, but I would like the method returning OpenAPI specification (as well as probably few other methods) to be accessible without subscription (freely).
I see "Requires subscription" checkbox on the Product level as well as on API level, but not on a method's level. So I need either:
bypass subscription check for certain methods while keeping access by subscription for others, or:
same but vice versa: keep the access free for API, but enforce subscription check for certain methods (not preferable, as this fraction is greater).
I checked the list of policies and did not find anything applicable for my case. Moreover this link states:
Subscriptions can be associated with various scopes: product, all APIs, or an individual API.
Is there a way I can work around this limitation?
I mean that maybe you want some of the methods (the smaller number) in an API to be callable without a subscription while the rest need one. I searched the MS documentation but failed to find such a policy.
The link you provided also intended that. From my point of view, how about trying to add a separate API containing those methods that don't need a subscription?
There are many policies applied to the subscription, but my requirement is to fetch the compliance only w.r.t. a specific initiative/policy set.
I followed this article https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data but wasn't able to do that, so I needed help or some pointers in fetching compliance data for a specific initiative via the CLI or REST APIs.
So the solution that I have now is this: https://learn.microsoft.com/en-us/rest/api/policy-insights/policystates/summarizeforsubscription
We need to make a POST request to https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/summarize?api-version=2019-10-01
The above API call returns the data for all policies applied to the subscription, and there we can also list initiatives; from there we can filter a specific initiative/policy set and its compliance status.
We are trying to implement Row Level Security in Azure Data Explorer (ADX). Out of the box, ADX doesn't provide RLS. Is there any way/workaround we can implement RLS?
We are trying out the option below, but with no success:
Creating 2 separate databases (DbNonSecure, DbSecure)
DbNonSecure is non-secured; all the rows can be accessed by an authenticated user
DbSecure is a secured database and cannot be accessed by anyone except an AAD app or some other service account
From DbNonSecure, we are thinking of calling functions that access data in DbSecure (using an AAD app or service account) and check Row Level Security.
We couldn't find a way to call functions that access data in DbSecure using an AAD app or service account.
Also, we know we can add a middle tier (separate UI) to achieve this, but we don't have that much time to develop a middle tier.
You're correct - Kusto/ADX doesn't support row level security at the moment (you can upvote the feature request # https://aka.ms/adx.uservoice)
We couldn't find a way to call functions that access data in DbSecure using an AAD app or service account.
AAD application authentication is a valid means of authentication to a Kusto/ADX database. There's a full guide on how to set that up here: https://learn.microsoft.com/en-us/azure/kusto/management/access-control/how-to-provision-aad-app
-> Once you've granted the required access to your AAD application, it can be used for querying the database. Referencing stored functions is simply part of a query, and doesn't require any special setup (aside from, obviously, creating the stored function).
Side note: you may also find interest in the Restricted view access policy (it may or may not fit your requirements).
Just a heads up, ADX Row Level Security is in preview now: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/rowlevelsecuritypolicy
I am migrating a service to Azure API Management. This service is being called from mobile devices (native apps). Problem is that appending the subscription-key to the query string can take much longer for updating the app than just using it in the request headers.
So is it possible to use it there?
The subscription key can be passed either in the header or in the URL query parameter. The header is checked first. The query parameter is checked only if the header is not present. The header name is Ocp-Apim-Subscription-Key by default though you can change it; the same holds for the query parameter whose default name is subscription-key.
As an Add-on to #vladvino post. This is configurable per API. It is available in the Setting pane of the API Settings in the Azure APIM Portal.