Carousel Access Rights in 7.3: what you need to know

Applies To

Carousel 7.3+


Carousel 7.3's API endpoints enforce strict authentication and authorization policies.

The endpoints can be categorized as follows:

  • Allows anonymous: anyone can call this endpoint.
  • Authenticated: a valid Carousel user must be logged in, or the proper credentials must be specified in order for this endpoint to be called successfully.
  • Authenticated and authorized: a valid Carousel user must be logged in, and that user must have the appropriate Carousel Access Rights in order for this endpoint to be called successfully.

This article focuses on the authentication and authorization aspects of the API and uses a Q&A format to give as much information as possible on the subject.


Q: How do I know which Carousel Access Rights are required?

A: Open your_servers_host/CarouselAPI/swagger/ui/index in your browser. In the top right corner, where it says api_key, enter your username:password, and press Explore. Select the endpoint you would like to know more about, then select the verb (e.g., GET). The required access rights are specified under the Access Rights section.

Please note that some of the endpoints expose a finer level of granularity than what is exposed in the Carousel user interface, and a typical Carousel user is assigned a Role which comes with many Carousel Access Rights. For example, performing an action such as copying a bulletin may require many different rights. It may not be easy to associate specific actions in the Carousel UI with the individual Carousel API endpoints and their required access rights.

Q: Which authorization mechanism can I use to authorize my API requests?

A: When your browser is logged into Frontdoor, it uses ASP.NET's forms-based authentication. If you are using curl, or another script- or code-based tool, you may also insert your credentials in Basic authorization format as part of the HTTP header.

Q: What happens if I make a request for which I do not have sufficient access rights?

A: You will receive a 403-Forbidden error code back from the server.
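
The two answers above, combined into a scripted check with curl. This is an added example, not Carousel's own code: the function names and the CAROUSEL_PASSWORD environment variable are hypothetical, the endpoint URL is supplied by the caller, and treating 401 as "credentials missing or rejected" is an assumption based on standard HTTP semantics.

```shell
# Added example, not Carousel's own code. Function names and the
# CAROUSEL_PASSWORD variable are hypothetical.

# Build the Basic header: base64("username:password"). Base64 is an
# encoding, not encryption, so the header must only travel over HTTPS.
basic_auth_header() {
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Map an HTTP status code to the outcomes this article describes.
# 403 is documented above; reading 401 as "credentials missing or
# rejected" is an assumption based on standard HTTP semantics.
explain_status() {
    case "$1" in
        2??) echo "allowed" ;;
        401) echo "not-authenticated" ;;
        403) echo "missing-access-right" ;;
        *)   echo "other" ;;
    esac
}

# Usage: probe_endpoint URL USERNAME
# The password is read from the CAROUSEL_PASSWORD environment variable.
probe_endpoint() {
    url=$1
    user=$2
    case "$url" in
        https://*) ;;
        *) echo "refusing to send credentials over a non-HTTPS URL" >&2
           return 2 ;;
    esac
    # Feed the header to curl as a config on stdin so the credentials
    # do not appear in the process list. Base64 output contains no
    # quotes or backslashes, so the quoted config value is safe.
    code=$(printf 'header = "%s"\n' \
            "$(basic_auth_header "$user" "$CAROUSEL_PASSWORD")" |
        curl --silent --output /dev/null --write-out '%{http_code}' \
             --config - "$url") || return 1
    explain_status "$code"
}
```

A result of missing-access-right means the credentials were accepted but the account lacks one of the rights listed for that endpoint and verb in Swagger.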

Q: How can I compare the Carousel Access Rights in Frontdoor to the ones in Swagger? They're not the same.

A: Frontdoor shows each access right's friendly name while Swagger shows its actual name. Run the following T-SQL query in SQL Server Management Studio to list all access rights and their friendly names:

-- Select every column so the friendly name appears beside the actual name
SELECT TOP 1000 *
  FROM [FrontDoor50].[dbo].[AccessRights]

Q: The Swagger doc says I need a specific permission, but when I call the endpoint it does not accept my request, why?

A: The Swagger doc is maintained by hand, and must be kept up to date by any developer making changes to the code. Please tell someone from the Carousel team so they can correct the Swagger doc!
