
Using Authorization APIs

The authorization APIs can only be used with rights linked to a version of a connector - see also Using Ons Autorisatie. For the technical specification of the APIs, see Authorization APIs.

There are two ways in which the authorization APIs can be used:

  • determine the scope of a user
  • determine whether a user has clearance for a specific client

Determining the scope of a user

Calling the scope APIs (/t/authorization/scope_for_user and /t/authorization/scope_for_employee) returns the scope of a user or employee: the response lists every client that the user or employee may access in the context of the provided right.

An example call for both APIs:

  • /t/authorization/scope_for_user?user_id=123&right=ClientReportsView
  • /t/authorization/scope_for_employee?employee_id=123&right=ClientReportsView

The response will contain two fields describing the scope of the user or employee:

  • all: a boolean, which is set to true when the user or employee may access all clients in the context of the given right
  • clientIds: a list of client ids that the user or employee may access. This list is empty when all is true, so a caller must check all before consulting clientIds

Requesting a non-existent right, or a right that is not linked to the version of the connector, yields a 404 response.

Determining the clearance of a user for a specific client

When calling the clearance APIs, an authorization check will be performed for a specific client. Three query parameters are needed:

  • user_id or employee_id, depending on the API
  • client_id
  • right

Two example calls:

  • /t/authorization/clearance_for_user?user_id=123&client_id=456&right=ClientReportsView
  • /t/authorization/clearance_for_employee?employee_id=123&client_id=456&right=ClientReportsView

The response will contain a single field, active, which is set to true when the user or employee is allowed to access the specific client in the context of that specific right.
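A client that exercises both usages above (scope-based filtering and a per-client clearance check) as an added example; this is not code from Ons or its documentation. It assumes a pluggable transport so the block runs offline against constructed responses, an `AuthorizationClient` wrapper and a `visible_clients` helper that are hypothetical names, and that a clearance answer is consistent with the scope for the same right. The two points it demonstrates that the prose only states are that `all` must be checked before `clientIds`, and that a 404 for an unlinked right is a distinct outcome from "not allowed".

```python
"""Hypothetical Python client for the Ons scope and clearance APIs (example code, not Ons code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

BASE = "/t/authorization"
# (path, query params) -> (HTTP status, JSON body); injected so the example runs offline.
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


class RightNotFound(Exception):
    """404: the right does not exist or is not linked to this connector version."""


@dataclass(frozen=True)
class Scope:
    all_clients: bool            # the API's `all` field
    client_ids: FrozenSet[int]   # the API's `clientIds`; documented to be empty when `all` is true

    def allows(self, client_id: int) -> bool:
        # Check `all` first: when it is true the id list is empty, so a plain
        # membership test would wrongly deny every client.
        return self.all_clients or client_id in self.client_ids


class AuthorizationClient:
    def __init__(self, transport: Transport) -> None:
        self._transport = transport

    def _get(self, endpoint: str, params: Dict[str, str]) -> dict:
        status, body = self._transport(f"{BASE}/{endpoint}", params)
        if status == 404:
            raise RightNotFound(params["right"])
        if status != 200:
            raise RuntimeError(f"{endpoint}: unexpected status {status}")
        return body

    def scope(self, principal: str, principal_id: int, right: str) -> Scope:
        # principal is "user" or "employee", selecting scope_for_user / scope_for_employee
        body = self._get(f"scope_for_{principal}",
                         {f"{principal}_id": str(principal_id), "right": right})
        return Scope(bool(body["all"]), frozenset(body.get("clientIds") or []))

    def clearance(self, principal: str, principal_id: int, client_id: int, right: str) -> bool:
        body = self._get(f"clearance_for_{principal}",
                         {f"{principal}_id": str(principal_id), "client_id": str(client_id), "right": right})
        return bool(body["active"])


def visible_clients(client: AuthorizationClient, principal: str, principal_id: int,
                    right: str, candidates: Iterable[int]) -> List[int]:
    """Filter candidate client ids down to the principal's scope with a single scope call."""
    scope = client.scope(principal, principal_id, right)
    return [c for c in candidates if scope.allows(c)]


def right_is_linked(client: AuthorizationClient, principal: str, principal_id: int, right: str) -> bool:
    """False when the scope API answers 404 (unknown right, or right not linked to the connector)."""
    try:
        client.scope(principal, principal_id, right)
        return True
    except RightNotFound:
        return False


# --- Constructed responses standing in for a live environment (not real Ons data). ---
_KNOWN_RIGHTS = {"ClientReportsView"}
_SCOPES = {
    ("user", "123", "ClientReportsView"): {"all": False, "clientIds": [456, 789]},
    ("employee", "123", "ClientReportsView"): {"all": True, "clientIds": []},
}


def fake_transport(path: str, params: Dict[str, str]) -> Tuple[int, dict]:
    endpoint = path.rsplit("/", 1)[1]                # e.g. "scope_for_user"
    kind, principal = endpoint.split("_for_")        # ("scope"|"clearance", "user"|"employee")
    if params["right"] not in _KNOWN_RIGHTS:
        return 404, {}
    scope = _SCOPES.get((principal, params[f"{principal}_id"], params["right"]),
                        {"all": False, "clientIds": []})
    if kind == "scope":
        return 200, scope
    # Assumption: clearance agrees with scope membership for the same right.
    active = scope["all"] or int(params["client_id"]) in scope["clientIds"]
    return 200, {"active": active}


if __name__ == "__main__":
    api = AuthorizationClient(fake_transport)
    print(visible_clients(api, "user", 123, "ClientReportsView", [456, 457, 789]))  # [456, 789]
    print(visible_clients(api, "employee", 123, "ClientReportsView", [456, 457]))   # [456, 457]
    print(api.clearance("user", 123, 457, "ClientReportsView"))                      # False
    print(right_is_linked(api, "user", 123, "NoSuchRight"))                          # False
```

Use the scope call when rendering a list (one round trip, then filter locally) and the clearance call when guarding a single action on one client; in both cases treat a 404 as a configuration error to surface, not as a silent deny.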