Division-based API Security¶

All RCX APIs implement comprehensive division-based access control to ensure data security and proper isolation.

API Response Filtering¶

Read Operations:
API responses are automatically filtered based on the user's active division

API Request Validation:

• Create Operations: Users can create resources only if their active division has create permission.
• Update Operations: Users can't change resources that don't belong to their active division. They can update the resources only if their active division has update permission.
• Delete Operations: Users can't delete resources outside their active division. They can delete the resources only if their active division has delete permission.

Security Enforcement:

• Division checks are enforced at the API layer before any database operations.
• Unauthorized access attempts return appropriate error responses (HTTP 400 with error code 4041).
• All API operations respect the user's division assignments and permissions.
• Admin users with division check disabled can access all resources regardless of division assignment.

This comprehensive API security ensures that division boundaries are maintained across all system interactions, providing robust data protection.

See also:

• Division-based Arbitration Security