API Authentication using OAuth
CMiC supports OAuth 2.0 client credentials authentication with third-party identity providers such as Microsoft Azure. The client credentials flow provides server-to-server authentication: the identity provider issues a Client ID and Secret to the integration, the integration exchanges them at the provider's token endpoint for a JWT access token, and that token is presented to CMiC on each API call. The Client ID and Secret are never sent to CMiC itself. Bearer tokens must travel over TLS (HTTPS); the confidentiality of the exchange comes from the transport, not from OAuth. CMiC extends this protection through API Security, which applies Role Based Access Control (RBAC) to the CMiC API Service Account.
The API authentication and authorization flow in CMiC consists of three layers:
- Application Security Layer
- API Security Layer
- Authentication Layer
To learn more about setting up OAuth and API Security, go to CMiC API Access Setup.
1. Application Security Layer
CMiC natively applies business-level security that governs access to applications, programs, and data within the system. This layer determines what an authenticated user or service account is permitted to access inside CMiC.
For example, under the User Maintenance screen, administrators can control which users have access to jobs by defining job security groups and assigning jobs to those groups.
2. API Security Layer
CMiC API Security enforces endpoint-level authorization using role-based access control (RBAC). After an identity is authenticated, this layer determines which API endpoints and methods (Create, Update, Retrieve, Delete) the user or application is allowed to execute.
This layer is especially important when multiple integrations require different levels of access to the same business object.
3. Authentication Layer
Authentication verifies the identity of the API user or application before access is granted. CMiC supports Basic Authentication or OAuth 2.0 through an external Identity Provider (IdP), such as Azure AD, Okta, or Google. Basic Authentication sends the account's credentials with every request, whereas OAuth sends a short-lived token that can be revoked or rotated independently of the Client Secret.
Authentication verifies identity only. It does not determine what resources or endpoints the identity can access; that is the job of the API Security and Application Security layers.
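The following is an added example, not CMiC code, that walks through the client credentials exchange described at the top of the page and then the three layers in the order a request actually hits them: the token is authenticated, the API Security layer checks the role against the endpoint and method, and the Application Security layer checks the job security group. Everything in it is constructed for illustration: the issuer and audience strings, the role names, the service account, the job numbers and the security groups are hypothetical, and the stand-in identity provider signs with HS256 and a shared secret so the block runs offline. A real IdP such as Azure AD signs with RS256 and publishes its keys via JWKS, so in production the signature step would use that key set instead.

```python
"""Added example (not CMiC code): client credentials flow and layered checks.
HS256 with a shared secret stands in for a real IdP's RS256/JWKS signing."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_credentials_request(client_id: str, client_secret: str, scope: str) -> str:
    """Form body the integration POSTs to the IdP token endpoint (RFC 6749 section 4.4).
    These credentials go to the IdP only, never to the resource server."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})


def issue_token(secret: bytes, issuer: str, audience: str, client_id: str,
                roles: list, now: int, ttl: int = 3600) -> str:
    """Stand-in IdP: mint an HS256 JWT carrying the client's roles (assumed claim shape)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": client_id, "roles": roles,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authenticate(token: str, secret: bytes, issuer: str, audience: str, now: int):
    """Authentication layer: establish who sent the token. Returns claims or None.
    Checks algorithm, signature, issuer, audience and expiry; decides nothing about access."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        provided_sig = _b64url_decode(s)
    except ValueError:  # malformed segments, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    expected_sig = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


# API Security layer: hypothetical role table mapping roles to (endpoint, method).
ROLE_PERMISSIONS = {
    "jobs.reader": {("jobs", "Retrieve")},
    "jobs.writer": {("jobs", "Retrieve"), ("jobs", "Create"), ("jobs", "Update")},
}


def authorize_endpoint(claims: dict, endpoint: str, method: str) -> bool:
    """RBAC: may any of the token's roles call this endpoint with this method?"""
    return any((endpoint, method) in ROLE_PERMISSIONS.get(role, set())
               for role in claims.get("roles", []))


# Application Security layer: constructed job security group data.
ACCOUNT_JOB_GROUPS = {"svc-erp-sync": {"GROUP-EAST"}}          # service account -> groups
JOB_SECURITY_GROUP = {"JOB-1001": "GROUP-EAST", "JOB-2002": "GROUP-WEST"}  # job -> group


def authorize_job(subject: str, job: str) -> bool:
    """Business-level check: is the job in one of the account's job security groups?"""
    return JOB_SECURITY_GROUP.get(job) in ACCOUNT_JOB_GROUPS.get(subject, set())


def handle_request(token: str, secret: bytes, issuer: str, audience: str,
                   endpoint: str, method: str, job: str, now: int) -> str:
    """Resource-server side of one API call: the three layers, in order."""
    claims = authenticate(token, secret, issuer, audience, now)
    if claims is None:
        return "401 unauthenticated"
    if not authorize_endpoint(claims, endpoint, method):
        return "403 endpoint not permitted by role"
    if not authorize_job(claims["sub"], job):
        return "403 job outside security group"
    return "200 ok"


if __name__ == "__main__":
    secret, iss, aud, now = b"demo-shared-secret", "https://idp.example/", "api://cmic-demo", 1_700_000_000
    print(client_credentials_request("svc-erp-sync", "s3cret", "api://cmic-demo/.default"))
    tok = issue_token(secret, iss, aud, "svc-erp-sync", ["jobs.writer"], now)
    print(handle_request(tok, secret, iss, aud, "jobs", "Update", "JOB-1001", now))
    print(handle_request(tok, secret, iss, aud, "jobs", "Delete", "JOB-1001", now))
    print(handle_request(tok, secret, iss, aud, "jobs", "Update", "JOB-2002", now))
    print(handle_request(tok, secret, iss, aud, "jobs", "Update", "JOB-1001", now + 7200))
```

The point to take from the ordering is that a valid token earns nothing by itself: a writer role on the wrong job, a reader role on a Create, and an expired or re-signed token each fail at a different layer, and the failing layer is the one that should produce the error. Checking the `alg` header before verifying the signature is the one detail worth carrying into any real token validator.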