UrbanCode Deploy

UrbanCode Deploy 10 Minute Tips: Auth Token Restrictions

IBM UrbanCode Deploy allows you to restrict which REST endpoints an authorization token can use. That's a nice security feature. However, if you need to set up an Auth Token Restriction for an integration or some external script or tool, finding out which endpoints are hit can be a time-consuming activity. But there is an easier way.

  1. Create a new temporary user in UCD and make it a member of a suitable team(s) with the right role permissions to allow it to do whatever it does.
  2. Using the temporary user that you just created, run the tool, script or integration for one or more cycles to capture the things it has to do.
  3. Navigate to System > Diagnostics > REST Call Log.
  4. Sort the URL column.
  5. Enter your temporary user name into the filter of the User column.
  6. Scroll down the page looking for distinct API endpoints. Record the URL and the Method.
  7. Now that you have captured all the endpoints, you can use them to create a new Auth Token Restriction.
  8. Remove the temporary user you created.

This is a lot easier than determining the endpoints by trial and error, because when you create a token, it seems that the endpoints referenced by the Auth Token Restriction at that moment in time are the ones applied to the token. So, if you change the Auth Token Restriction, you need to create a new token.

If you need to process a lot of data, you can get the JSON directly using a command like this:

wget --no-check-certificate -O restcalls.json 'https://admin:admin@localhost:8443/rest/audit/request?rowsPerPage=250&pageNumber=1&orderField=shortUrl&sortType=asc&filterFields=user.name&filterValue_user.name=harry&filterType_user.name=like&filterClass_user.name=String'

In the URL above, change admin:admin to the user name and password of a UCD user with permission to look at the REST Call Log.
Change filterValue_user.name=harry to reference the temporary user you created.
Change rowsPerPage=250 to a number big enough to get all the data.

With a little bit of shell script you can easily extract a unique list of methods with their endpoints:

sed 's/,/\n/g' restcalls.json | grep -e "method" -e "shortUrl" | sed -rn 'N;s/\n/ /;p' | sort -u
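
A sturdier alternative to the sed pipeline, added here as an example (not part of the original post): it parses restcalls.json as JSON, re-checks the user name exactly (the request above filters with a `like` match), and collapses object IDs so calls that differ only by ID become one row. The response layout is an assumption: the script picks up any object carrying both `method` and `shortUrl`, reads the user from a nested `user.name`, and assumes IDs in paths are UUIDs; the sample records are constructed.

```python
import json
import re
import sys
from collections import Counter

# Assumption: object IDs embedded in REST paths are UUIDs.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def iter_calls(node):
    """Yield every JSON object that has both 'method' and 'shortUrl',
    wherever it sits in the document (top-level list or nested)."""
    if isinstance(node, dict):
        if "method" in node and "shortUrl" in node:
            yield node
        for value in node.values():
            yield from iter_calls(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_calls(item)

def endpoint_summary(doc, user=None):
    """Return sorted ((METHOD, path), hit_count) pairs, optionally
    restricted to one exact user name."""
    counts = Counter()
    for call in iter_calls(doc):
        who = call.get("user")
        name = who.get("name") if isinstance(who, dict) else who
        if user is not None and name != user:
            continue  # drop near-matches such as "harry2"
        path = str(call["shortUrl"]).split("?", 1)[0]  # ignore query string
        path = UUID_RE.sub("{id}", path)
        counts[(str(call["method"]).upper(), path)] += 1
    return sorted(counts.items())

# Constructed sample records, not real UCD output.
SAMPLE = json.loads("""[
 {"method": "GET", "shortUrl": "/rest/deploy/application/0a1b2c3d-1111-2222-3333-444455556666", "user": {"name": "harry"}},
 {"method": "GET", "shortUrl": "/rest/deploy/application/9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff", "user": {"name": "harry"}},
 {"method": "PUT", "shortUrl": "/cli/applicationProcessRequest/request", "user": {"name": "harry"}},
 {"method": "get", "shortUrl": "/rest/deploy/application?name=x", "user": {"name": "harry"}},
 {"method": "GET", "shortUrl": "/rest/state", "user": {"name": "harry2"}}
]""")

if __name__ == "__main__":
    # Usage: python3 endpoints.py restcalls.json harry
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    user = sys.argv[2] if len(sys.argv) > 2 else "harry"
    for (method, path), hits in endpoint_summary(doc, user):
        print(f"{method:6} {path}  ({hits} calls)")
```

The hit count next to each endpoint helps when deciding whether an endpoint is part of the tool's normal cycle or a one-off call that should not go into the restriction.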

Alan Murphy is an IBM services consultant who has worked with clients to help them adopt new tools and processes for the last 20 years. UrbanCode Deploy and DevOps have been his focus for the last 5 years. He also develops tools to assist clients in tool adoption and blogs on an occasional basis.