Managing Access
Introduction
TrustX lets users restrict access by IP address. Permitted IPs are configured per tenant. Incoming requests to TrustX are filtered as they arrive, so that only requests from addresses on the tenant's permitted IP list are accepted, in accordance with the specified configuration.
This document describes how to manage IP permissions using the TrustX API. To access the TrustX API, an API Key is required. For more information on accessing the API using an API Key, see the API Keys Guide.
Step 1 - Configure Tenant Permissions
Before configuring the list of permitted IPs, an API key should be set up to allow the calling application to configure permitted IPs.
The API key should be set up with the following permissions:
TNT#{tenant}#Crms:updateTenantPermittedIpAddresses
Replace {tenant} with the tenant that the permitted IPs will be applied to.
For information on setting token permissions per tenant, see the API Keys Guide.
Once the API key has been created, a token can be created in order to make subsequent API calls:
POST https://{{tenant}}.{{region}}.trustx.com/api/arthr/apiKeys/issue
Content-Type: application/json
X-API-Key: {{apiKey}}
{}
Step 2 - Managing IP Permissions
Permitted IPs can be updated for a tenant using the following endpoint: https://{{tenant}}.{{region}}.trustx.com/api/crms/permittedips
Request Body
The body of the request accepts a list of strings, each of which must be in IPv4 or IPv6 format. Subnets are also permitted as part of the list of permitted IP addresses.
For example:
POST https://{{tenant}}.{{region}}.trustx.com/api/crms/permittedips
Content-Type: application/json
Authorization: Bearer {{token}}
{"ips": ["192.168.1.1","2001:db8::/48","192.176.1.1/24"]}
This will update the list of permitted IPs for this tenant to the provided list. Any previously permitted IPs that are not included in the updated list will be overwritten.
In the request above, {{token}} is replaced with the token generated in the previous step. The {{tenant}} and {{region}} are replaced with your tenant and region.
Subsequent calls will replace the previously set configuration.
Example Response
Once a successful update is sent, a response is returned that confirms the update.
{
  "skyRegion": "oak",
  "dataBucket": "sky-prod-oak-data-eu-west-1",
  "metricsQueueName": "sky-prod-activity-stream",
  "tenantAuditKinesisDataStreamName": "sky-oak-prod-audits3",
  "awsResources": {
    "kmsKeyId": "sky-prod-oak-tenant1",
    "kmsAWSKeyId": "2efc4785-51fe-4d45-9a3d-5abf2f1276ea",
    "lambda": "sky-prod-oak-tenant1"
  },
  "permittedIPs": {
    "ips": [
      "192.168.1.1",
      "2001:db8::/48",
      "192.176.1.1/24"
    ]
  }
}
As shown in the example above, the permittedIPs field associated with the tenant has been updated to include the newly permitted IP list. With this configuration, only API queries made from the permitted IP list will be accepted. API requests made from any other IP on this tenant will be rejected.
Updates to the list of permitted IPs do not take effect immediately. It may take up to 5 minutes before the new list of IPs takes effect.
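Because each update replaces the whole list and requests from unlisted addresses are rejected, it is worth checking a candidate list before sending it. The following is an added example, not TrustX code: the function name check_permitted_ips and the must_cover addresses are assumptions made for illustration, and the check uses only Python's standard ipaddress module.

```python
import ipaddress
import json


def check_permitted_ips(entries, must_cover=()):
    """Return (json_body, warnings) for a permitted-IP update.

    Raises ValueError if an entry is not an IPv4/IPv6 address or subnet.
    """
    networks, warnings = [], []
    for entry in entries:
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            raise ValueError(f"not an IPv4/IPv6 address or subnet: {entry!r}") from exc
        net = iface.network
        if "/" in entry and iface.ip != net.network_address:
            # Standard CIDR reading; how the service treats such entries is
            # not stated on this page.
            warnings.append(f"{entry}: host bits set, as a subnet this is {net}")
        if net.prefixlen == 0:
            warnings.append(f"{entry}: matches every address, nothing is restricted")
        networks.append(net)
    # The update replaces the whole list, so every address that still needs
    # access (such as the caller's own egress IP) must be covered by it.
    for addr in must_cover:
        ip = ipaddress.ip_address(addr)
        if not any(ip.version == n.version and ip in n for n in networks):
            warnings.append(f"{addr}: not covered, it will be rejected after the update")
    return json.dumps({"ips": list(entries)}), warnings


if __name__ == "__main__":
    # List from the request example above; must_cover values are constructed.
    body, notes = check_permitted_ips(
        ["192.168.1.1", "2001:db8::/48", "192.176.1.1/24"],
        must_cover=["192.176.1.77", "203.0.113.10"],
    )
    print(body)
    for note in notes:
        print("WARNING:", note)
```

The returned body is the JSON to send to the permittedips endpoint; resolve any warnings first, since a mistake stays in force until a corrected list is sent and takes effect.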