Restriction Groups

When the APIs you call from the bot do not have a way to throttle requests from bad actors, BaaS restriction groups can offer an additional level of protection. Restriction groups protect APIs from bad actors or from being overwhelmed with bad requests. Each group uses unique identifiers to track failed requests and blocks those users from making additional requests for a specified period of time.

They can be maintained through the CLI using sb-cli baas restrictions.

Creation

Creating a restriction group involves calling sb-cli baas restrictions create myRestrictionGroup.json, replacing myRestrictionGroup.json with the path to a JSON file containing your restriction group definition.

An example JSON definition is as follows:

{
  "displayName": "myRG",
  "evaluations": [
    {
      "key": "statusCode", // the field you wish to evaluate for failure
      "value": 401, // the value of a failure
      "comparison": "EQUALS" // see comparisons
    }
  ],
  "identifiers": ["ipAddress", "customerReference"], // see identifiers
  "steps": [
    {
      "restrictOnFail": true, // whether or not the api connector is restricted at this step
      "ttl": 10 // the duration of this failure step in seconds
    },
    {
      "ttl": 60, // if the identifier matches the evaluation while the first step is still in effect, this restriction will come into play
      "restrictOnFail": true
    }
  ]
}

After creation, you will be given a uuid for that restriction group. This can then be provided when creating or updating api-connector(s) you wish this restriction group to apply to.

Comparisons

The available comparisons are as follows: 'GREATER_THAN', 'LESS_THAN', 'GREATER_THAN_OR_EQUAL', 'LESS_THAN_OR_EQUAL', 'NOT_EQUAL', 'EQUALS'.

Identifiers

This is how we determine the actor. If this matches, then it is considered to be the same actor for the purposes of restriction groups. The valid options are 'customerReference', 'ipAddress', 'restrictedAccess'.

Identifiers can be supplied as part of the BaaS payload when testing BaaS via the CLI with the sb-cli baas execute payload.json command.

Example payload.json contents:

{
  "Alias": "N3F7Yq_1St",
  "CustomerReference": "example",
  "ipAddress": "example2"
}
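
An added example, not part of the BaaS documentation or sb-cli: a local Python model that checks a restriction group definition against the comparisons and identifiers listed above and walks through the step escalation from the example definition. The names validate, StepModel and GROUP are hypothetical, and the escalation and actor-matching behaviour are assumptions drawn from the comments in that definition.

```python
import operator

# Allowed values as listed in the Comparisons and Identifiers sections.
COMPARISONS = {
    "EQUALS": operator.eq, "NOT_EQUAL": operator.ne,
    "GREATER_THAN": operator.gt, "LESS_THAN": operator.lt,
    "GREATER_THAN_OR_EQUAL": operator.ge, "LESS_THAN_OR_EQUAL": operator.le,
}
IDENTIFIERS = {"customerReference", "ipAddress", "restrictedAccess"}
# The page's example definition, without the explanatory comments.
GROUP = {"displayName": "myRG",
         "evaluations": [{"key": "statusCode", "value": 401, "comparison": "EQUALS"}],
         "identifiers": ["ipAddress", "customerReference"],
         "steps": [{"restrictOnFail": True, "ttl": 10}, {"ttl": 60, "restrictOnFail": True}]}

def validate(group):
    """Return a list of problems found in a restriction group definition."""
    errors = []
    for ev in group.get("evaluations", []):
        if ev.get("comparison") not in COMPARISONS:
            errors.append(f"unknown comparison: {ev.get('comparison')}")
    for ident in group.get("identifiers", []):
        if ident not in IDENTIFIERS:
            errors.append(f"unknown identifier: {ident}")
    steps = group.get("steps", [])
    if not steps:
        errors.append("no steps defined")
    for i, step in enumerate(steps):
        if not isinstance(step.get("ttl"), int) or step["ttl"] <= 0:
            errors.append(f"step {i}: ttl must be a positive number of seconds")
    return errors

class StepModel:
    """Local model of step escalation; an assumption, not the BaaS implementation."""
    def __init__(self, group):
        self.group, self.active = group, {}  # actor key -> (step index, expiry)
    def _key(self, request):
        # Assumption: the configured identifiers together identify one actor.
        return tuple(request.get(name) for name in self.group["identifiers"])
    def restricted(self, request, now):
        step, expiry = self.active.get(self._key(request), (0, 0))
        return now < expiry and self.group["steps"][step].get("restrictOnFail", False)
    def record(self, request, response, now):
        """Apply the evaluations to a response; open or escalate a step on failure."""
        failed = any(ev["key"] in response and
                     COMPARISONS[ev["comparison"]](response[ev["key"]], ev["value"])
                     for ev in self.group["evaluations"])
        if failed:
            step, expiry = self.active.get(self._key(request), (-1, 0))
            nxt = min(step + 1, len(self.group["steps"]) - 1) if now < expiry else 0
            self.active[self._key(request)] = (nxt, now + self.group["steps"][nxt]["ttl"])
```

In this model a 401 at t=0 restricts the actor for 10 seconds, a second 401 inside that window moves it to the 60-second step, and a failure after the window has lapsed starts again at the first step.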