
Carousel Access Rights in 7.3: what you need to know

Applies To

Carousel 7.3+


Carousel 7.3's API endpoints enforce strict authentication and authorization policies.

The endpoints can be categorized as follows:

  • Allows anonymous: anyone can call this endpoint.
  • Authenticated: a valid Carousel user must be logged in, or the proper credentials must be specified in order for this endpoint to be called successfully.
  • Authenticated and authorized: a valid Carousel user must be logged in, and that user must have the appropriate Carousel Access Rights in order for this endpoint to be called successfully.

This article focuses on the authentication and authorization aspects of the API and, through a Q&A format, tries to give as much information as possible on the subject.


Q: How do I know which Carousel Access Rights are required?

A: Open your_servers_host/CarouselAPI/swagger/ui/index in your browser. In the top right corner, where it says api_key, enter your username:password, and press Explore. Select the endpoint you would like to know more about, then select the verb (e.g. GET). The required access rights are specified under the Access Rights section.

Please note that some of the endpoints represent a higher level of granularity/detail than what is exposed in the Carousel user interface, and a typical Carousel user is assigned a Role which comes with many Carousel Access Rights. For example, performing an action such as copying a bulletin may require many different rights. It may not be easy to associate specific actions in the Carousel UI with the individual Carousel API endpoints and their required access rights.

Q: Which authorization mechanism can I use to authorize my API requests?

A: When your browser is logged into Frontdoor, it uses ASP.NET's forms-based authentication. If you are using curl, or another script/code-based tool, you may also insert your credentials in Basic authorization format as part of the HTTP header.

Q: What happens if I make a request for which I do not have sufficient access rights?

A: You will receive a 403 Forbidden error code back from the server.
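
As an added example (not Carousel's own code), the following Python shows how a script can attach Basic credentials to an API request and tell the 403 described above apart from a credentials problem. The function names are hypothetical, the HTTPS-only check is a hardening choice made here, and the 401 mapping is an assumption based on standard HTTP behaviour rather than something this article states.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for Basic authentication."""
    if ":" in username:
        # RFC 7617: a colon in the user-id makes the username:password split ambiguous.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Build a GET request carrying Basic credentials; HTTPS only."""
    if not url.lower().startswith("https://"):
        # Base64 is an encoding, not encryption: the header is readable on the wire.
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def explain_status(status: int) -> str:
    """Map an HTTP status to the endpoint categories described in the article."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:  # assumption: standard status for missing or invalid credentials
        return "not authenticated: check the username and password"
    if status == 403:  # stated in the article
        return "authenticated but not authorized: a required Access Right is missing"
    return f"unexpected status {status}"


def call(url: str, username: str, password: str) -> str:
    """Send the request and return a diagnosis instead of raising on 4xx."""
    req = build_request(url, username, password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return explain_status(resp.status)
    except urllib.error.HTTPError as err:
        return explain_status(err.code)
```

Read the password from a prompt or a secret store rather than hard-coding it in the script, and look up the Access Rights section in Swagger for the endpoint when `call` reports a 403.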

Q: How can I compare the Carousel Access Rights in Frontdoor to the ones in Swagger? They're not the same.

A: Frontdoor shows each access right's friendly name while Swagger shows its actual name. Run the following T-SQL query in SQL Server Management Studio to list all access rights and their friendly names:

-- Select every column so the friendly name appears beside each AccessRightId
SELECT TOP 1000 *
  FROM [FrontDoor50].[dbo].[AccessRights]

Q: The Swagger doc says I need a specific permission, but when I call the endpoint it does not accept my request, why?

A: The Swagger doc is maintained by hand, and must be kept up to date by any developer making changes to the code. Please tell someone from the Carousel team so they can correct the Swagger doc!
