Security and the SData Gadget and ReadOnly SData provider


For an introduction to SData REST-based web services, please see the article "Accessing SData Provider".

Another example of how SData is used in Sage CRM v7's Interactive Dashboard feature can be found here: "An SData Example – the Sage CRM V7.0 Interactive Dashboard SData Gadget"

You can read about the SData provider in the documentation.  

Members of the Developer Program can download the following resources:

  • Recorded Presentations
  • Slide Decks

Security and SData

I was asked a question about SData and its interaction with security.

It is important to note that access to data via the REST based interface is controlled by security profiles and field level security.  That has the effect of limiting access to rows within entities and views.  A data source for SData can either be an entity or be a view.  Field level security will also limit the columns that are returned within the generated XML.

External applications need to handle this dynamically constructed feed.  A programmer cannot assume which columns will be returned in the XML or which data sources are available.

This information can be requested from the schema:

  • http://[servername]/sdata/[installname]j/sagecrm/-/$schema
  • http://[servername]/sdata/[installname]j/sagecrm/-/company/$schema

Schema requests do not require authentication, so they will show all possible data fields.

For actual data requests, Sage CRM 7.0 does not advertise its supported authentication methods via the usual WWW-Authenticate response header, so the programmer needs to perform a pre-emptive authentication.

This JavaScript code snippet shows how authentication can be carried out.


var XmlHttp = new XMLHttpRequest();
var strURL = "http://[servername]/sdata/[installname]j/sagecrm/-/company?where=comp_companyid in ('43', '45')";
XmlHttp.open('GET', strURL, false); // false = synchronous request
// Pre-emptive authentication: the credentials are sent with the first request.
// "QWRtaW46" is the Base64 encoding of "Admin:" (user Admin, empty password).
// Base64 is an encoding, not encryption, so anyone who can see the request can read the credentials.
XmlHttp.setRequestHeader("X-Sage-Authorization", "Basic " + "QWRtaW46");
//XmlHttp.setRequestHeader("Authorization", "Basic " + encodeBase64("username:password"));
//encodeBase64 would be a function in a script library.
XmlHttp.send(null);
var strHtml = XmlHttp.responseText;
XmlHttp = null; // always clear the XmlHttp object when you are done to avoid memory leaks
processResult(strHtml);
//processResult is the function that will handle the returned XML
 

Note:  encodeBase64() would be a function that encodes the user:password combined string. 
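
As an added example (not code from the original article or from Sage), the sketch below builds the pre-emptive authentication header and the encoded query URL, and reads a record without assuming which columns field-level security let through. The host crm.example, the install name crm, the function names and the sample record are assumptions constructed for illustration; the X-Sage-Authorization header name is taken from the snippet above.

```javascript
// Added example: encodeBase64, buildSDataRequest and readColumns are illustrative names.

// Base64 of the UTF-8 bytes of a string; plain btoa() throws on non-Latin-1 characters.
function encodeBase64(text) {
  var bytes = new TextEncoder().encode(text);
  var binary = "";
  for (var i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
  return typeof btoa === "function" ? btoa(binary) : Buffer.from(bytes).toString("base64");
}

// Build the URL and headers for a pre-emptively authenticated SData GET.
function buildSDataRequest(baseUrl, entity, where, user, password) {
  if (user.indexOf(":") !== -1) {
    throw new Error("Basic credentials cannot carry ':' in the user name");
  }
  var url = baseUrl.replace(/\/+$/, "") + "/" + encodeURIComponent(entity);
  if (where) url += "?where=" + encodeURIComponent(where);
  return {
    url: url,
    // Base64 is reversible, so over plain http the password is readable on the wire.
    cleartext: !/^https:/i.test(url),
    headers: { "X-Sage-Authorization": "Basic " + encodeBase64(user + ":" + password) }
  };
}

// Field-level security decides which columns come back: report gaps, do not assume.
function readColumns(record, wanted) {
  var out = { values: {}, missing: [] };
  wanted.forEach(function (name) {
    if (Object.prototype.hasOwnProperty.call(record, name)) out.values[name] = record[name];
    else out.missing.push(name);
  });
  return out;
}

// Constructed sample: placeholder host and install name, and a record as it might look
// after the XML has been parsed, with comp_revenue withheld by field-level security.
var req = buildSDataRequest("https://crm.example/sdata/crmj/sagecrm/-", "company",
  "comp_companyid in ('43', '45')", "Admin", "");
var row = readColumns({ comp_companyid: "43", comp_name: "Constructed Ltd" },
  ["comp_companyid", "comp_name", "comp_revenue"]);
console.log(req.url, req.headers, row.missing);
```

A caller can check `cleartext` before sending and treat `missing` as "not visible to this user" rather than as an empty value.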
