Web Services API security settings
This article describes the security settings you can configure to grant or restrict access to the Autotask Web Services SOAP API and the Autotask REST API. It also documents the settings of the system security levels in your Autotask instance.
System security levels are not editable, but you can make copies and edit them to create custom security levels. Refer to:
Overview
Web Services API permissions give you the ability to control which user groups can access the Autotask Web Services SOAP API and the Autotask REST API. They also define what actions those users can take when interacting with the API.
Settings
About this setting
This permission applies only to API versions 1.5 and earlier. Access to version 1.6 and later is limited to API User security levels. When you make a copy of the System Administrator (system) security level, this setting is enabled. You can uncheck this setting, but once you have done so and saved the security level, you cannot recheck the setting.
The listed settings are enabled by default for the following system security levels:
About this setting
This setting controls whether resources with this security level can be impersonated via the API.
Security Level | Permission |
---|---|
All system security levels | This setting is cleared by default for all security levels. |
IMPORTANT API Only security levels do not support impersonation.
The Resource Impersonation section appears for all security levels. Its available options differ depending on whether or not the selected security level is API Only.
Impersonation allows API users to add and edit items on behalf of another resource.
Non-API security levels
For non-API security levels, the only option that will appear is Allow impersonation of resources with this security level. When you enable this setting, API Only users will be able to impersonate the resources in the selected security level.
API Only security levels
For API Only security levels, you'll see the following resource impersonation options.
Individually select the entities and actions for which the API user will have View (Query), Add, and Edit (Update) permission. For bold items, you can additionally configure Delete permission. The check boxes next to each setting are disabled and cleared if Can login to Web Services API is cleared, and default to cleared if the setting is enabled.
- Contract Notes
- Organizations
- Contacts
- Opportunities & Quotes
- Sales Orders
- Notes
- To-Dos
- Devices & Subscriptions
- Device Notes
- Inventory Locations
- Inventory Items
- Purchase Orders
- Products
- Product Notes
- Projects
- Project Notes
- Task Notes
- Tickets
- Ticket Notes
- Service Calls
- Attachments
- Time Entries
IMPORTANT The security level of the impersonated resource must be configured to allow impersonation, and the impersonated resource must have permission to perform the action as configured in the other sections on the Edit Security Level page. The Time Entry check boxes are also subject to proxy time entry security.
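The combined rule above, modelled as an added example (not Autotask code and not an API call): an impersonated action succeeds only when the API Only level grants it, the target security level allows impersonation, and the impersonated resource itself holds the permission. The `SecurityLevel` class, its field names and the sample levels are assumptions constructed for illustration; proxy time entry security is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityLevel:
    name: str
    api_only: bool = False
    allow_impersonation: bool = False   # non-API: "Allow impersonation of resources..."
    can_login_api: bool = False         # API Only: "Can login to Web Services API"
    grants: set = field(default_factory=set)  # API Only: ticked (entity, action) pairs
    own: set = field(default_factory=set)     # what the level itself may do

def check_impersonation(caller, target, entity, action):
    """Return (allowed, reason) for an API user acting as a resource."""
    if not (caller.api_only and caller.can_login_api):
        return False, "caller is not an API Only level with API login"
    if target.api_only:  # page: API Only levels do not support impersonation
        return False, "API Only levels cannot be impersonated"
    if not target.allow_impersonation:
        return False, "target level does not allow impersonation"
    if (entity, action) not in caller.grants:
        return False, "caller has no impersonation grant for this action"
    if (entity, action) not in target.own:
        return False, "impersonated resource lacks this permission"
    return True, "allowed"

def impersonation_surface(levels):
    """Every (caller, target, entity, action) combination that is allowed."""
    return [(c.name, t.name, e, a)
            for c in levels for t in levels
            for e, a in sorted(c.grants)
            if check_impersonation(c, t, e, a)[0]]

# Constructed sample configuration, not exported from a real instance.
INTEGRATION = SecurityLevel(
    "Integration", api_only=True, can_login_api=True,
    grants={("Tickets", "Add"), ("Ticket Notes", "Add"), ("Time Entries", "Edit")})
TECHNICIAN = SecurityLevel(
    "Technician", allow_impersonation=True,
    own={("Tickets", "Add"), ("Ticket Notes", "Add")})
MANAGER = SecurityLevel(
    "Manager", own={("Tickets", "Add"), ("Time Entries", "Edit")})

if __name__ == "__main__":
    for row in impersonation_surface([INTEGRATION, TECHNICIAN, MANAGER]):
        print(row)
```

Listing the surface this way shows which resources an API integration can actually act as, which is the set to review when enabling impersonation on a security level.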
Two additional settings are available to API users:
Setting | Description |
---|---|
Can approve Time Off Requests (using impersonation) | This setting allows you to enable impersonation for time off request approval by API users with this security setting. |
Can reject Time Off Requests (using impersonation) | This setting allows you to enable impersonation for time off request rejection by API users with this security setting. |
Contact Impersonation enables API users to add specific items to Autotask on behalf of a contact. The contact being impersonated must have permission to perform the action, and the API user must have permission to impersonate the security level to which the contact belongs.
Items created by an API user with contact impersonation permissions will be attributed to the impersonated contact. If the API user does not have the required impersonation permissions, the author will appear as "API User."
To determine if an item was created via impersonation, you can review its entity history. If the Action Performed By column lists a value that differs from the attributed author, that action was completed through impersonation.
The Resource Impersonation section controls resource and contact impersonation for all security levels except for API Only. For non-API users, it has one option that is not enabled by default.
Security Level | Options |
---|---|
Non-API | Allow impersonation of resources with this security level |
For API Only security levels, you'll instead see a dedicated Contact Impersonation section with the following options. They are not enabled by default.
NOTE Enabling these settings will permit API Only users to impersonate contacts when performing the indicated tasks.
Security Level | Options |
---|---|
API Only | Projects: Add Project Notes, Add Task Notes; Service Desk: Add Tickets, Add Ticket Notes; Other/Shared: Add Attachments |
IMPORTANT The security level of the impersonated contact must be configured to allow impersonation, and the impersonated contact must have permission to perform the action as configured in the other sections on the Edit Security Level page.
Additional Resources
- Contract security settings
- CRM security settings
- Inventory security settings
- Project security settings
- Service Desk security settings
- Knowledge Base and Documents security settings
- Timesheet security settings
- Report security settings
- Admin security settings
- Other security settings
- Web Services API security settings