Version 25.3.9411

• Parameters
• Control Attributes
• Examples
• See Also

Use the api:restrict keyword to restrict access to a service based on users and roles. This restriction is in addition to any restrictions that you might enforce using ASP.NET.

If you add api:restrict to your script, only the users or roles specified are able to use the service.

api:restrict can control access based on the following:

• The specific user trying to execute the feed.
• Whether the user is a member of a specified security role, where a role maps to the roles defined by the ASP.NET authentication and authorization configuration.

You can have multiple api:restrict statements in a single script. They are evaluated with the logical OR operator.

Parameters

• user: A comma-separated list of usernames. All users specified on the list have access to the feed. If you have Windows Integrated Authentication, you must ensure that usernames are domain- or machine-qualified (for example, “DOMAIN\username”).
• role: A comma-separated list of role names. Any user in at least one of the specified roles has access to the feed.
• authtoken: A comma-separated list of authtokens for users authorized to access the script. The authtoken can be supplied in HTTP Basic authentication, the x-cdata-authtoken header, or the @authtoken in the form-post data. If AllowtokeninURL is set in settings.cfg, @authtoken can also be provided in the query string.
• visibility: Setting the visibility to local makes the script inaccessible directly from HTTP. However, you can still invoke the script through another script.

Control Attributes

None

Examples

Grant access only to the tomk and jdoe users:

<api:restrict user="newton\jdoe,newton\tomk"/>

Grant access only to users in the FeedConsumers role:

<api:restrict role="FeedConsumers"/>

See Also

• api:call: Call scripts, operations, or feeds.