Privileged API Clients

Introduction

A privileged API client is required when an application needs to access APIs protected by OAuth without the delegated authority of an end user. A privileged API client uses the OAuth client credentials grant flow to obtain an Access Token.

IBM Security Verify's own APIs are protected with OAuth and so creating an API Client is the way that an application is granted authority to call privileged IBM Security Verify functions. The specific permissions granted to an API client are set as part of the client definition.

🚧

Don't overuse privileged API clients

Most permissions can be granted to a privileged API client but it is better for security to use an application API client that relies on delegated user authority. This limits the impact of lost (or misused) client credentials. Where possible, use privileged API clients only for operations performed when no user is logged in.

Operations requiring privileged access

User registration

The most common privileged operation is the creation of new user accounts. An application that provides self-service account creation will require a privileged API Client that has the "Manage users and standard groups" permissions. This will allow it to create users using the Verify SCIM interface.

💎

Jon Harry, IBM Security