Enabling RPM Web Services API security applies the security model to every call to the API. The user then needs sufficient security rights to perform any action, including loading, saving, converting, etc.
When data is loaded through the API, the security layer filters it to remove anything the user is not allowed to read (no read security rights). A request for a specific record can therefore return an empty result because the entire record was filtered out due to insufficient security rights.
Filtering is also applied to the fields inside an object. Without the proper security rights, a loaded container might have some of its field values set to null by the API. Discrepancies between loaded containers and records in the database might therefore be the result of security filtering.
Security validation also takes place when saving data using the API. If the user tries to modify a field inside a container without having the proper security rights for it, the save operation will fail and a security exception will be returned.
When saving more than one container at the same time (object graph), the security validation must be successful for all of the objects; otherwise, none of the records will be saved and a security exception will be returned.
For other operations available in the API interface, like converting a container or assigning a scorecard, the security will behave just like saving: if the security validation fails for at least one of the provided records, the operation will fail and a security exception will be returned.
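The load and save behaviour described above can be modelled in a few lines. This is an added illustration in Python, not RPM API code: `Rights`, `load`, `save`, `SecurityException` and the sample records are hypothetical names and constructed data, and the rights model is simplified to sets of readable records and readable/writable field names.

```python
from dataclasses import dataclass

class SecurityException(Exception):
    """Raised when validation fails for any container in a save."""

@dataclass
class Rights:
    # Hypothetical rights model: readable record ids, readable/writable field names.
    readable_records: set
    readable_fields: set
    writable_fields: set

def sample_db():
    # Constructed sample records, not real RPM data.
    return {"proj-1": {"name": "Alpha", "budget": 1000},
            "proj-2": {"name": "Beta", "budget": 2000}}

def load(db, record_id, rights):
    """Return a security-filtered copy, or None when the whole record is filtered."""
    record = db.get(record_id)
    if record is None or record_id not in rights.readable_records:
        return None  # an empty result does not prove the record is absent
    return {k: (v if k in rights.readable_fields else None) for k, v in record.items()}

def save(db, graph, rights):
    """Validate every container in the graph first; write only if all pass."""
    for record_id, changes in graph.items():
        denied = sorted(f for f in changes if f not in rights.writable_fields)
        if denied:
            raise SecurityException(f"{record_id}: no write rights on {denied}")
    for record_id, changes in graph.items():
        db[record_id].update(changes)

if __name__ == "__main__":
    db = sample_db()
    rights = Rights({"proj-1"}, {"name"}, {"name"})
    print(load(db, "proj-1", rights))  # budget comes back as None
    print(load(db, "proj-2", rights))  # whole record filtered
    try:
        save(db, {"proj-1": {"name": "Alpha-2"}, "proj-2": {"budget": 5}}, rights)
    except SecurityException as exc:
        print("rejected:", exc, "| unchanged:", db == sample_db())
```

In this model, a client cannot tell a filtered record from a missing one, and a null field in a loaded container says nothing about the stored value.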
Here is a list of the Web Services API ‘secured’ operations for which the user is required to have the appropriate security rights:
See the Interfaces and Methods section for more detail on those operations.