Overview
This article describes how to access the Resident Management API, best practices, user types, and user permissions. Understanding how user types and permissions work is crucial to securely and successfully accessing the Resident Management API.
Site Manager is organized into a hierarchical structure of teams, sites, and residents.
Teams consist of sites, which then contain residents.
Access to resident data through the Resident Management API is granted in this same hierarchical manner: you have to know which team the site's residents reside on.
Accessing a team or site requires a Team or Staff user in Site Manager. Team and Staff users can be members of more than one team and access multiple sites and residents but can only access one team's sites and residents at a time.
This organizational structure ensures the Resident Management API only allows you access to resident data that you are authorized to manage.
Access the Resident Management API
The POST /oauth/token endpoint generates an access token using Site Manager credentials (username and password) for Team or Site users. The Site Manager credentials used to create the access token determine the level of access to the team, site, and resident details.
All calls to the Resident Management API must include this access token in the Authorization header.
Site Manager User Types
Site Manager has two main user types that control access to Site Manager teams and sites:
- Team users - have access to all sites on teams they are a member of. Team users can be members of multiple teams but must switch teams before viewing sites on another team.
- Site users - only have access to the sites they are members of. Staff users can be added to sites that reside on different teams, but they must switch teams before viewing sites on another team.
Best Practices
To align with least-privilege security best practices, create a dedicated service account in Site Manager to use with the Resident Management API. The service account you create for the integration should only have access to sites and residents using the least privileges possible. For example, if you only want to manage a subset of sites on a team, create a staff user at each site as the service account. If you're going to manage all sites on a team, create a team user as the service account on your team.
Site Manager User Permissions
Each user type has different user permission levels that further control the granularity of access they have to teams or sites.
Team User Permission Levels
- Team administrator users - have full access to add and manage all team members and team settings such as portfolios, connections, team member management, and site management.
- Team users - have access to all sites on the team.
Staff User Permission Levels
- Staff local-admin users - have full access to the sites on which they reside. Local-admin users can also add and manage other site staff users.
- Staff users - have limited access to the sites on which they reside. Non-Local-admin users cannot add or manage other site staff users.
Site Manager User Types and Permissions Matrix
Table-1 below contains the different Site Manager user types and permissions and how they differ from each other.
Feature | Staff User | Staff User Local-admin | Team User | Team User Administrator |
---|---|---|---|---|
Manage Residents | ✓ | ✓ | ✓ | ✓ |
View Individual Sites | ✓ | ✓ | ✓ | ✓ |
Manage Staff Users | X | ✓ | ✓ | ✓ |
View All Team Sites | X | X | ✓ | ✓ |
View Site Settings | ✓ | ✓ | ✓ | ✓ |
Edit Site Settings | X | X | X | ✓ |
View Team Details | ✓ | ✓ | ✓ | ✓ |
View Team Members | X | X | X | ✓ |
Edit Team Members | X | X | X | ✓ |
Edit Team Settings | X | X | X | ✓ |
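
The least-privilege guidance under Best Practices and the Table-1 matrix can be combined into a small planning check, shown here as an added example that is not part of the original article or the vendor's code. The role keys, feature keys, and function name are assumptions made for illustration; the check marks are transcribed from Table-1.

```python
# Added example, not vendor code: role keys and names here are assumptions.
ROLES = ["staff", "staff_local_admin", "team_user", "team_admin"]  # least -> most
TEAM_SCOPED = {"team_user", "team_admin"}  # these see every site on the team
ALL, ADMIN = set(ROLES), {"team_admin"}

# Feature -> roles marked with a check in Table-1.
MATRIX = {
    "manage_residents": ALL,
    "view_individual_sites": ALL,
    "manage_staff_users": ALL - {"staff"},
    "view_all_team_sites": TEAM_SCOPED,
    "view_site_settings": ALL,
    "edit_site_settings": ADMIN,
    "view_team_details": ALL,
    "view_team_members": ADMIN,
    "edit_team_members": ADMIN,
    "edit_team_settings": ADMIN,
}


def plan_service_account(team_sites, target_sites, features):
    """Pick the least-privileged role; return (role, sites_to_join, excess).

    excess lists features and sites granted beyond the request, so any
    over-provisioning is visible when the account is reviewed.
    """
    team_sites, target_sites = set(team_sites), set(target_sites)
    features = set(features)
    if features - MATRIX.keys():
        raise ValueError(f"not in Table-1: {sorted(features - MATRIX.keys())}")
    if not target_sites or not target_sites <= team_sites:
        raise ValueError("targets must be a non-empty subset of team sites")
    whole_team = target_sites == team_sites
    for role in ROLES:  # try the least privileged role first
        if any(role not in MATRIX[f] for f in features):
            continue
        if whole_team and role not in TEAM_SCOPED:
            continue  # page guidance: all sites on a team -> team user
        team_wide = role in TEAM_SCOPED
        granted = {f for f, roles in MATRIX.items() if role in roles}
        excess = {
            "features": sorted(granted - features),
            "sites": sorted((team_sites if team_wide else target_sites) - target_sites),
        }
        return role, ([] if team_wide else sorted(target_sites)), excess
    raise ValueError("no role in Table-1 satisfies the request")
```

A non-empty `excess["sites"]` means the integration needs a feature that only a team-level role provides, so the service account will reach sites outside the intended subset and should be reviewed accordingly.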
Related Links
- Resident Management API - Overview
- Resident Management API - Quick Start Guide
- Site Manager - How to Enable Integrated Mode
- Site Manager - MDU - Overview and Usage
- Site Manager - MDU - Managing Resident Accounts