by Jason Gilmore • July 19, 2021
SaaS applications generally tend to manage customer data in a multitenant database, meaning all customers share the same database. The data is secured, or segmented, by a unique identifier that maps a particular table record to a customer. This approach to data management means the SaaS can avoid the overhead and complexity of managing customer data within separate databases.
Increasingly, SaaS customers are asking for API-based access to their data. There are many reasons to ask for data access outside of the typical SaaS user interface, including the desire to create custom reports, integrate the data with other systems, or even just to ensure a backup of the data is on hand should the SaaS suffer an outage or worse, close its doors.
This feature request can be both a blessing and a curse for the SaaS provider. Building the API from scratch will undoubtedly require a great deal of time and effort. The commitment is even more painful when one considers that at least initially only a small portion of the overall customer base will use the API. On the other hand this could provide a new revenue stream because it’s reasonable for API access to be made available as a paid tier add-on.
SaaS providers lacking the time, skills, or desire to build and maintain this API might want to consider automating the API generation using DreamFactory. In addition to automatically generating an API for the SaaS database, DreamFactory’s role-based access controls can be used to isolate each customer’s data via unique API keys, all with no coding required.
Sign up for our free 14 day hosted trial to learn how.
DreamFactory’s role-based API access control feature is bundled into the web-based administration console included with all versions of the platform. It’s also possible to create, view, edit, and delete access roles using the system API, meaning SaaS providers could automatically generate a role and associated API key as part of the customer onboarding process. To get started though, it’s easiest to use the administrative interface, so let’s have a look at that.
To begin, log into your DreamFactory instance (you can start a free hosted trial at https://genie.dreamfactory.com/register if you’d like to follow along with the remainder of this post) and click on the Roles tab. Click Create and you’ll be presented with the following screen:
I’ve populated the fields with a representative role name and description that might be used to clearly identify the role as being associated with the customer Acme, Inc. Click the Next button and after pressing the purple plus (+) button on the left you’ll be presented with the following screen:
There are five available fields on this screen:
With these concepts in mind, the following screenshot presents the configuration interface with example values:
After saving the role it’s time to associate it with an API key.
Now we’ll generate an API key and associate it with the newly created role. Click on the Apps tab and press Create. You’ll be presented with the following screen:
There are six fields on this screen:
Suppose your SaaS provides sales-related reporting to companies. You might manage a table that looks like this:
Therefore when Acme, Inc. queries the API, the SQL clause WHERE customer_id = 456 should always be added to any query:
SELECT * FROM sales WHERE customer_id = 456;
This clause will automatically be added whenever the customer queries the sales table via the API:
Let’s confirm this by opening an API client such as Postman and issuing a query accompanied by the newly generated API key:
Sure enough we’ve successfully restricted the output to only those records having a customer ID of 456!
The customer is also free to take advantage of various parameters made available to the generated API, such as order and limit. For instance perhaps the customer is only interested in the most recent 10 sales:
It’s often the case that internal SaaS multitenant database tables contain data that shouldn’t be exposed to third-parties. Additionally, you might want to include additional information in the API response, perhaps drawn from another database or service. You can easily accomplish this using a scripted service. Once created, instead of pinging the database API directly the customer would instead request data from the scripted service, which would be responsible for limiting the returned columns to a specific set, obfuscating sensitive data, transforming data, and making additional API calls. The process for doing so is out of the scope of this article, however perhaps we’ll soon write a followup to this post with additional details! In the meantime if you’d like to learn more about this approach, check out our guide at https://guide.dreamfactory.com/docs/ or get in touch with our team to schedule a demo.
Join the DreamFactory newsletter list.