Managing access to a data source

Note

It is now possible to create and manage access to data sources using our Customer Portal.

Only the data provider will be able to manage such access in the Customer Portal. If the data provider and data owner are not the same organization, the data provider will need to get approval from the data owner directly (for example through an email). Support for such approval flows in the Customer Portal will be implemented at a later time.

If the data source was created using Dataporten Dashboard, the access still needs to be managed there. If you have a source that has multiple data owners, this still needs to be registered in Dataporten Dashboard at this time. See Managing access in Dataporten Dashboard.

Dataporten Dashboard will be discontinued at some point, as we are working to add all functionality to the Feide Customer Portal. Read more about the further development of the Feide Customer Portal in the news article on the Feide website.

All data sources that are available are either listed in Feide Customer Portal under the Data Source tab or in Dataporten Dashboard under the organization tab listed under API gatekeeper.

If you still need to manage access to the data source in Dataporten Dashboard, see Managing access in Dataporten Dashboard.

We recommend all new data sources be registered in Feide Customer Portal. If you experience issues with registering your data sources using the Customer Portal, please contact us at kontakt@sikt.no.

Screenshot of list of data sources

In Feide Customer Portal, the data sources that the organization owns can be found in the tab “Provided by <organization name>”. To manage access to a data source, click on the data source in the list.

Screenshot of empty access control tab

Managing access to the data source can be done under the Access control tab on the data source.

In order to be shown under “All data sources” and get requests from services for access, the data source needs to be set to Public. Setting the data source to Public can be done under the Visibility tab when editing the data source.

Screenshot of access control tab with services requesting or having access

Under the Access control tab of the Data source, you can manage the access services will get to your data source. The service providers that want to connect to the data source need to get access to a minimum of one access level. This is done by the service provider requesting an access level in the Customer Portal.

A data source can have multiple access levels that grant access to different types of information available within the data source. These access levels can have different authorization modes. There are two modes: Free access and Requires approval. Setting the authorization mode for an access level is done when registering or editing the data source under the tab “Access”.

If set to Requires approval the service needs approval from the data owner. If set to Free access the access will be granted automatically when requested, without the need for approval from the data owner. If the data, the source and the service have the same owner, the request is automatically approved.

Services that have access to the data source will be listed under “Services with access to the data source” on the Access control tab.

Screenshot of Access requests section of access control tab

The services waiting to get their request handled can be seen under “Access request”.

Do not leave requests unhandled. Instead, decline requests from services you don’t want to grant access to.

Screenshot of access control tab with a service request expanded

Click on the name of the service listed under Access request to see which access level the service is requesting. From there you can approve or deny access to all or some of the access levels requested.

Some services will only request one access level, needing only the corresponding information. For example, a service may only need the names of the subjects but not the grades of students in each subject. Ultimately, the data owner decides whether to approve or deny some or all access levels that the service provider has requested.

To ensure the privacy of the end users, the data owner needs to consider whether or not the service needs or should get access to the data that they have requested. Contact the service provider directly as needed (for instance by email) to clarify how data will be used.

Please ensure that any data access is covered by existing Data Processing Agreements, and if necessary revise the agreements and any associated risk assessments.

Approving access levels

Screenshot of access control tab with Approve/Deny buttons

Click on “Approve” to the right of the access level and then confirm to approve service access.

Screenshot of access control tab with services requesting or having access

After access is approved, the service will be listed under “Services with access to the data source”.

Click on the name of a service to see what access level(s) the service has.

Denying access level

Screenshot of access control tab with Approve/Deny buttons

Click on “Deny” to the right of the access level and then confirm that you want to deny the service the access level requested.

Screenshot of access control tab with services requesting or having access

If you deny an access level request, it will disappear from the list. If denying access was done by mistake, the service provider will need to submit the request again.

It can be useful to contact the service provider when denying requests, giving a reason as to why the service was denied access. This must be done outside of the Customer Portal, for example through email.

You can revoke access after granting it if you think the service should no longer retrieve the information.

If you revoke access, contact the service provider, since revoking access to information may affect the service adversely. So, make sure the service providers are informed about the revocation and have had time to adjust.

Screenshot of access control tab with services requesting or having access

To revoke access to the data source for a service, go to the data source and then to the Access control tab.

Under “Services with access to the data source”, click on the name of the service.

Screenshot of access control tab with Revoke access button

Click on “Revoke access” to the right of the access level and then confirm to revoke access.

When you revoke access the service will disappear from the list under “Services with access to the data source”.

Screenshot of access control tab with revoked service no longer shown

Managing access in Dataporten Dashboard

Note

Requesting access to data sources that have been registered using Dataporten Dashboard must be done from Dataporten Dashboard. Dataporten Dashboard should only be used for data sources that are already registered in Dataporten Dashboard until the data provider registers them in the Customer Portal.

All new data sources should be registered and managed in the Feide Customer Portal.

Log in to Dataporten Dashboard. If you are registered as an administrator in the Feide Customer Portal, you will be able to log in to Dataporten Dashboard with the same credentials.

In order for your API to be listed publicly for other organizations to use, it needs to be checked as a Public API in the Basic info tab of the dashboard.

When client owners register new clients, they will find your third party APIs on the dashboard on a separate tab.

Depending on your policy, new clients may be automatically granted access to your API, or they will appear in a moderation queue for you at the dashboard.

In the dashboard, the API owner can moderate access to clients on the «Requests» and «Applications» tabs. OIDC services that are registered in the Feide Customer Portal get synchronized to Dataporten Dashboard, so you don’t need to register a new service to create or use data sources.

API owners who would like to automatically allow clients to access their APIs may configure this on the «Permissions» tab in the dashboard (see below).

Screenshot of Permissions tab of apigk definition in dashboard

Managing access by subscope

A client is required to have the primary scope in order to access the API at all.

An API owner may configure any number of additional subscopes, each with an independent moderation queue. This allows clients to, for example, be automatically assigned the primary scope but need moderation to access clientonly or write scopes.

Managing access by organization

If you uncheck the Auto-accept checkbox in the Organization Accept Policy on the permissions page, you may select which organizations’ users will be able to log in to applications which use your API.

Screenshot showing Organization accept policy in dashboard

Press the Target organizations: Select button. A new page appears where you can select the organizations which should have access. When you are done, scroll down to the bottom and press Set organizations. Finally, press Save changes on the permissions page.

Screenshot of Select a set of organizations form

Auto-accept can be set separately for the primary scope and each subscope. The set of target organizations will be the same for all scopes having auto-accept turned off.

Before users will be able to log in, the host organization’s administrator will have to approve the application and API. See Managing access to data.