
Carousel Access Rights in 7.3: what you need to know

Applies To

Carousel 7.3+


Carousel 7.3's API endpoints enforce strict authentication and authorization policies.

The endpoints can be categorized as follows:

  • Allows anonymous: anyone can call this endpoint.
  • Authenticated: a valid Carousel user must be logged in, or the proper credentials must be specified in order for this endpoint to be called successfully.
  • Authenticated and authorized: a valid Carousel user must be logged in, and that user must have the appropriate Carousel Access Rights in order for this endpoint to be called successfully.

This article focuses on the authentication and authorization aspects of the API and, through a Q&A format, tries to give as much information as possible on the subject.


Q: How do I know which Carousel Access Rights are required?

A: Open your_servers_host/CarouselAPI/swagger/ui/index in your browser. In the top right corner, where it says api_key, enter your username:password, and press Explore. Select the endpoint you would like to know more about, then select the verb (e.g. GET). The required access rights are specified under the Access Rights section.

Please note that some of the endpoints represent a higher level of granularity/detail than what is exposed in the Carousel user interface, and a typical Carousel user is assigned a Role which comes with many Carousel Access Rights. For example, performing an action such as copying a bulletin may require many different rights. It may not be easy to associate specific actions in the Carousel UI with the individual Carousel API endpoints and their required access rights.

Q: Which authorization mechanism can I use to authorize my API requests?

A: When your browser is logged into Frontdoor, it uses ASP.NET's forms-based authentication. If you are using curl, or another script- or code-based tool, you may also insert your credentials in Basic authorization format as part of the HTTP header.

Q: What happens if I make a request for which I do not have sufficient access rights?

A: You will receive a 403-Forbidden error code back from the server.
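
The following Python sketch is an added example, not Carousel's own code. It sends the same GET request without credentials and with Basic credentials, then maps the two status codes onto the endpoint categories above so you can check what an account is actually allowed to call. The host name and endpoint paths you pass in are placeholders you supply, and treating a redirect or any non-2xx anonymous response as "login required" is an assumption, since this article only documents the 403 case.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_header(username, password):
    """Authorization header value for HTTP Basic. This is base64, not
    encryption, so only send it to an https:// URL."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a redirect (e.g. to a login page) as its 3xx status
    instead of following it and reporting the login page's 200."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_status(url, auth=None, timeout=10):
    """GET url, optionally with an Authorization header; return the status."""
    req = urllib.request.Request(url, method="GET")
    if auth:
        req.add_header("Authorization", auth)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(anon_status, auth_status):
    """Map the two statuses onto the article's endpoint categories."""
    if 200 <= anon_status < 300:
        return "allows anonymous"
    if auth_status == 403:  # documented: insufficient access rights
        return "requires access rights this account lacks"
    if 200 <= auth_status < 300:
        return "requires login: account is allowed"
    # Assumption: anything else (bad credentials, wrong path) needs a manual look.
    return f"undetermined: anonymous={anon_status}, authenticated={auth_status}"


def audit(base_url, paths, username, password, fetch=http_status):
    """Probe each path without and with credentials; return path -> verdict."""
    auth = basic_auth_header(username, password)
    return {p: classify(fetch(base_url.rstrip("/") + p),
                        fetch(base_url.rstrip("/") + p, auth)) for p in paths}
```

Call audit() with your server's base URL, a list of endpoint paths taken from the Swagger page, and the account to check; a 2xx result for an allowed account cannot distinguish a login-only endpoint from one whose access rights the account holds.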

Q: How can I compare the Carousel Access Rights in Frontdoor to the ones in Swagger? They're not the same.

A: Frontdoor shows each access right's friendly name, while Swagger shows its actual name. Run the following T-SQL query in SQL Server Management Studio to list all access rights and their friendly names:

-- Return every column of each access right, so the friendly name is listed next to the id
SELECT TOP 1000 *
  FROM [FrontDoor50].[dbo].[AccessRights]

Q: The Swagger doc says I need a specific permission, but when I call the endpoint it does not accept my request, why?

A: The Swagger doc is maintained by hand, and must be kept up to date by any developer making changes to the code. Please tell someone from the Carousel team so they can correct the Swagger doc!
