API ownership

Traceable provides you an option to create API owners for every discovered API. Assigning an owner to an API helps to identify the person or team who had developed the API or is responsible for maintaining or updating it. For example, as a security analyst, you find a vulnerability in an API and wish to file a JIRA ticket to the API owner; in such a case, knowing the API owner helps to assign the JIRA to the correct owner. You can associate one or more than one owner with an API. 

Assigning an owner to the API requires using Traceable's GraphQL APIs. You can configure the ownership for an individual API, or you can configure for all the APIs in a service. To assign the API ownership, complete the following steps:

1. Create the owner attribute.
2. Identify the API or service ID.
3. Assign the API ownership.
4. Verify that the ownership is assigned.

Once you have created the owner attribute and assigned API ownership, you can filter the API Endpoints based on the attribute. The following screenshot shows results filter based on an ownership attribute. 

Step 1 – Create the owner attribute (optional)

To create an owner attribute, use Traceable's GraphQL API. For more information on setting up a client and using Traceable's API, see Public APIs. Make sure that you have the account owner RBAC role to create a new owner attribute. For more information on RBAC, see Teams and roles.

Use the following to create an owner attribute:

mutation CreateAttribute {
  createAttribute(
    attributeMetadataInput: {
      displayName: "DevOps Owner"
      identifier: { key: "dev-ops-owner", scope: "API" }
      type: STRING_ARRAY
    }
  ) {
    displayName
    name
    scope
    type
  }
}

• The displayName is the name that you wish to assign to the attribute. In the above example, an attribute with the name DevOps Owner would be created.
• You can use STRING, instead of STRING_ARRAY if you wish to create a single value attribute. For example, in the above snippet, STRING_ARRAY is used. Using this you can assign multiple values to the attribute, for example, abc@mycompany.com, xyz@mycompany.com and so on.

Once you have created the new attribute, wait for a few minutes for the change to reflect in the Traceable UI and the Traceable platform. A minimum interval of 5 minutes is recommended before proceeding to the next step. Navigate to API Catalog > API Endpoints to view the attributes.

Step 2 – Assign ownership

To assign ownership to an API, you need to fetch the API ID. You can fetch the API ID from your browser's URL. For example, in the screenshot below, the API ID of the API POST /order is c1c05edb-7fea-37b0-a7b4-94e9b52fbe97. Make sure that you have the Security Analyst, Security Admin, or Account owner RBAC role to assign API ownership. For more information on RBAC, see Teams and roles.

Similarly, you can also fetch the service ID. Navigate to API Catalog > Services. Click on the service name that you wish to use to assign ownership to APIs. Copy the service ID from the URL as shown below.

Use the API ID in the following GraphQL query to assign ownership to the API:

mutation Set_owner_using_API_ids {
  bulkUpdateEntities(
    input: {
      filterType: ID
      ids: [
        "0683697d-1a5e-37a4-8b73-951027f6d7fe"
        "1dfd01bc-9c4f-34e6-8f33-ca7ffb61b7cb"
      ]
      operation: {
        operationType: SINGLE_VALUED_ATTRIBUTE_SET_OPERATION
        singleValuedAttributeSetOperation: {
          key: "dev-ops-owner"
          value: "abc@mycompany.com"
        }
      }
      type: "API"
    }
  ) {
    updatedCount
  }
}

In the above example:

• Substitute the API ID in the id section.
• Two APIs are assigned to the key dev-ops-owner with the attribute display name as DevOps Owner from the Step 1.
• E-mail ID abc@mycompany.com has been assigned to the attribute. This means that, abc@mycompany.com, is the owner of the two APIs.

Verify that ownership was assigned

To verify that the ownership was assigned correctly, navigate to API Catalog > API Endpoints. Click on the Ownership attribute section to view whether the new ownership attribute is visible. You can then filter the API Endpoints based on the owner value that you assigned in step 2.

Miscellaneous API ownership operations

Following are the miscellaneous API ownership operations that you can carry out.

Assign ownership of all API Endpoints under a service

Use the following GraphQL query to assign ownership to APIs under a service. You can fetch the service ID as elaborated in step 2.

mutation Set_owner_using_service_id {
  bulkUpdateEntities(
    input: {
      filterType: ATTRIBUTE
      filters: {
        key: "serviceId"
        operator: EQUALS
        value: "6dfd8560-4767-38f4-9cd1-6769be68929e"
      }
      operation: {
        operationType: SINGLE_VALUED_ATTRIBUTE_SET_OPERATION
        singleValuedAttributeSetOperation: {
          key: "owner"
          value: "bob@mycompany.com"
        }
      }
      type: "API"
    }
  ) {
    updatedCount
  }
}

In the above example:

• All the APIs under serviceId 6dfd8560-4767-38f4-9cd1-6769be68929e would be assigned to owner attribute with value bob@mycompany.com. This means that all the APIs under the mentioned serviceId would have bob@mycompany.com as the owner.
• RBAC roles – The RBAC roles that can execute this operation are Security Analyst, Security Admin, and Account Owner.

Remove API ownership using API Endpoint IDs

Use the following GraphQL query to remove ownership to APIs.

mutation Remove_owner_using_API_ids {
  bulkUpdateEntities(
    input: {
      filterType: ID
      ids: [
        "0683697d-1a5e-37a4-8b73-951027f6d7fe"
        "1dfd01bc-9c4f-34e6-8f33-ca7ffb61b7cb"
      ]
      operation: {
        operationType: ATTRIBUTE_UNSET_OPERATION
        attributeUnsetOperation: { key: "owner" }
      }
      type: "API"
    }
  ) {
    updatedCount
  }
}

In the above example:

• The ownership of two APIs is being removed.
• RBAC roles – The RBAC roles that can execute this operation are Security Analyst, Security Admin, and Account Owner.

Remove owner of all API Endpoints under a service

Use the following GraphQL query to remove ownership to all the APIs under a service:

mutation Remove_owner_using_service_id {
  bulkUpdateEntities(
    input: {
      filterType: ATTRIBUTE
      filters: {
        key: "serviceId"
        operator: EQUALS
        value: "6dfd8560-4767-38f4-9cd1-6769be68929e"
      }
      operation: {
        operationType: ATTRIBUTE_UNSET_OPERATION
        attributeUnsetOperation: { key: "owner" }
      }
      type: "API"
    }
  ) {
    updatedCount
  }
}

• In the above example, the ownership of all the API Endpoints under the service with serviceId 6dfd8560-4767-38f4-9cd1-6769be68929e is removed.
• RBAC roles – The RBAC roles that can execute this operation are Security Analyst, Security Admin, and Account Owner.

Adding owner to multivalued owner attribute

Use the following GraphQL query to add owners to a multivalued owner attribute:

mutation Add_owner_to_multi_valued_attribute_using_API_id {
  bulkUpdateEntities(
    input: {
      filterType: ID
      ids: ["0683697d-1a5e-37a4-8b73-951027f6d7fe"]
      operation: {
        operationType: MULTI_VALUED_ATTRIBUTE_OPERATION
        multiValuedAttributeOperation: {
          key: "dev-ops-owner"
          type: ADD
          values: ["charlie@mycompany.com", "david@mycompany.com"]
        }
      }
      type: "API"
    }
  ) {
    updatedCount
  }
}

In the above example:

• Two owners charlier@mycompany.com and davi@mycompany.com have been assigned to the API Endpoint with ID 0683697d-1a5e-37a4-8b73-951027f6d7fe.
• RBAC roles – The RBAC roles that can execute this operation are Security Analyst, Security Admin, and Account Owner.

Remove an owner from a multivalued owner attribute of an API Endpoint

Use the following GraphQL query to remove an owner:

mutation Remove_owner_to_multi_valued_attribute_using_service_id {
  bulkUpdateEntities(
    input: {
      filterType: ATTRIBUTE
      filters: {
        key: "serviceId"
        operator: EQUALS
        value: "6dfd8560-4767-38f4-9cd1-6769be68929e"
      }
      operation: {
        operationType: MULTI_VALUED_ATTRIBUTE_OPERATION
        multiValuedAttributeOperation: {
          key: "dev-ops-owner"
          type: REMOVE
          values: ["charlie@mycompany.com"]
        }
      }
      type: "API"
    }
  ) {
    updatedCount
  }
}

In the above example:

• charlie@mycompany.com is removed as an owner from all the API Endpoints that are associated with serviceId 6dfd8560-4767-38f4-9cd1-6769be68929e.
• RBAC roles – The RBAC roles that can execute this operation are Security Analyst, Security Admin, and Account Owner.

Delete owner attribute

Use the following GraphQL query to delete the owner attribute:

mutation DeleteAttribute {
  deleteAttribute(
    attributeIdentifierInput: { key: "dev-ops-owner", scope: "API" }
  ) {
    success
  }
}

• In the above example, the owner attribute DevOps Owner that we created earlier is removed.
• RBAC roles – The RBAC role that can execute this operation is Account Owner.
• It may take a few minutes for the change to reflect in the Traceable UI.

Rename the display name of the owner attribute

You can rename an already existing owner attribute using the GraphQL API. 

mutation UpdateAttribute {
  updateAttribute(
    attributeUpdateInput: {
      identifier: { key: "dev-ops-owner", scope: "API" }
      displayName: "Operations Owner"
    }
  ) {
    displayName
    name
    scope
    type
  }
}

• In the above example, a new display name has been assigned to DevOps Owner. The new name is Operations Owner.
• RBAC roles – The RBAC role that can execute this operation is Account Owner.
• It may take a few minutes for the change to reflect in the Traceable UI.