Security Administration: Create Client ID/Certificate and Assign Scopes

Note: This section applies to self-hosted customers or Wolters Kluwer hosted customers being set up within a CT environment. Hosted users in Production should contact Customer Support to obtain their certificate.

Pre-Steps

Identify all accounts that require authorization to use Integration APIs for these applications and the specific access required (scope).

If EZ Config Integration APIs are used within an Integration workflow, the most secure approach is to create a client ID and certificate with the read scope for each customer’s account. When that certificate is used for authentication in API requests, data access is restricted to that account only. When calling these APIs for a given customer, use that customer’s certificate to obtain the token that authenticates the API request.

If the partner’s support staff uses the Document Generation Service (DGS) ToolSuite to execute the Expere EZ Config Transaction API, the Super User (SU) scope is required for that API. A general integration account may be created for this purpose, with a client ID/certificate created and the Super User scope set (scope=wk-ezcfg-def-data-su).

Note: For a given account, a single client ID and client secret certification can be created and used for multiple applications. Additionally, multiple scopes for multiple applications can be set.

| Application | Scope Name | Description |
|---|---|---|
| EZ Config Packages and Packets | wk-ezcfg-pkg-pkt-read | Read access to EZ Config Packages and Packets Integration APIs. The APIs requesting a token with the read scope will return data only for that account. Accessing other accounts' data using a read scope will result in a 403-Forbidden status code. |
| EZ Config Packages and Packets | wk-ezcfg-pkg-pkt-su | Super User (SU) access to EZ Config Packages and Packets Integration APIs. The APIs requesting a token with the super user scope will return data for any account requested. |
| EZ Config Default Data | wk-ezcfg-def-data-read | Read access to EZ Config Default Data Integration APIs. The APIs requesting a token with the read scope will return data only for that account. Accessing other accounts' data using a read scope will result in a 403-Forbidden status code. |
| EZ Config Default Data | wk-ezcfg-def-data-su | Used for two purposes: |
| Document Generation Service (DGS) Core | wk-dgs-core-read | Read access to Document Generation Services Management Services APIs. The APIs requesting a token with the read scope will return data only for that account. Accessing other accounts' data using a read scope will result in a 403-Forbidden status code. (Example API: DGS Core Request Aliases) |
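
The access rules in the scope table can be modeled to review scope assignments before certificates are issued. This is an added example, not Wolters Kluwer code: status_for returns the status code the table implies for a request, and audit lists client IDs whose certificate could read accounts other than their own. The inventory layout, client IDs, account names, the general_integration flag and the 403 returned when no scope for the application is held are assumptions.

```python
# Scope names are taken from the table on this page; everything else is constructed.
SCOPES = {
    "EZ Config Packages and Packets": {"read": "wk-ezcfg-pkg-pkt-read", "su": "wk-ezcfg-pkg-pkt-su"},
    "EZ Config Default Data": {"read": "wk-ezcfg-def-data-read", "su": "wk-ezcfg-def-data-su"},
    "Document Generation Service (DGS) Core": {"read": "wk-dgs-core-read"},
}


def status_for(scopes, app, token_account, requested_account):
    """Status the table implies when a token for token_account requests another account's data."""
    names = SCOPES[app]
    if names.get("su") in scopes:
        return 200  # super user scope: data for any account requested
    if names["read"] in scopes and token_account == requested_account:
        return 200  # read scope: data only for the token's own account
    return 403      # cross-account read; also assumed when no scope for the app is held


def audit(inventory):
    """Flag client IDs whose certificate can read accounts other than their own."""
    accounts = sorted({c["account"] for c in inventory})
    findings = []
    for c in inventory:
        scopes = set(c["scopes"])
        for app in SCOPES:
            reach = [a for a in accounts if a != c["account"]
                     and status_for(scopes, app, c["account"], a) == 200]
            # Cross-account reach is expected only on the general integration account.
            if reach and not c.get("general_integration"):
                findings.append((c["client_id"], app, reach))
    return findings


# Constructed inventory (hypothetical client IDs and account names).
INVENTORY = [
    {"client_id": "cid-bank-a", "account": "bank-a", "scopes": ["wk-ezcfg-def-data-read"]},
    {"client_id": "cid-bank-b", "account": "bank-b",
     "scopes": ["wk-ezcfg-pkg-pkt-read", "wk-ezcfg-pkg-pkt-su"]},
    {"client_id": "cid-support", "account": "partner-support",
     "scopes": ["wk-ezcfg-def-data-su"], "general_integration": True},
]

if __name__ == "__main__":
    for cid, app, reach in audit(INVENTORY):
        print(f"{cid}: {app} scope set reaches other accounts: {', '.join(reach)}")
```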