Manually Restricting Access to a Single Education Organization
Overview
Restricting access to resources, or granting authorization for them, can be achieved by customizing the claim set using the Admin App Claim Set Editor.
Documentation on how to use Claim Set Editor can be found here: Claim Set Editor.
Use Case
Restrict the education organization read permission. If a user tries to get the list of schools using a specific key and secret, the resulting list should contain only the school or schools associated with that key and secret.
Steps to Achieve the Filtered List
1. In the Admin App Claim Set Editor, the user can create a copy of an existing claim set. The existing standard claim sets cannot be customized, but a newly added or copied claim set can.
The following list shows the existing standard claim sets in Admin App.
2. The user can click the copy link (highlighted in the above screenshot) to create a copy of a specific claim set. In our example, we are creating a copy of the SIS Vendor claim set.
3. We created the SIS Vendor Copy claim set, which is customizable.
Clicking the Edit link on the SIS Vendor Copy claim set leads the user to the claim set edit page.
Here the user can check or uncheck the resource permissions (Read, Create, Update and Delete).
Some resources have child resources associated with them.
Ex: the people resource has student, staff, and parent as child resources, so any permission change made to people is also applied to its child resources.
4. In this use case, the user wants to restrict the education organizations resource.
The existing education organizations resource has only the Read permission, with the “No further authorization required” strategy, which is why the school list shows all the schools.
We are now going to restrict that by overriding the default authorization strategy.
Clicking on the [image] will open the Authorization strategy override window.
The Read action now needs to be restricted by editing its authorization strategy.
We have overridden the Read action’s authorization strategy to “Relationships with Education Organizations only”.
This override restricts the Read action on the education organizations resource.
Note: The latest claim set addition or update will be reflected automatically on the ODS API after 10 mins.
If the user wants the changes reflected immediately, the ODS API must be restarted manually.
5. The next step is to create an application that uses this newly created claim set and associate it with a specific education organization in Admin App.
The user must have the key and secret provided during application creation.
Using this key and secret in ODS API calls will return the expected education organization list.
Ex: We created an application using the SIS Vendor Copy claim set and associated it with Grand Bend High School.
So, the school list will contain only “Grand Bend High School”.
Output on the Swagger endpoint using the generated key and secret:
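To repeat this check outside Swagger, the following added example (not part of the original documentation or the Ed-Fi code base) requests a token with the application's key and secret, reads the schools list, and reports any school outside the associated education organization. The `/oauth/token` and `/data/v3/ed-fi/schools` paths are assumptions about the deployment, and the school IDs and the second school name are constructed sample values.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed ODS API v3-style paths; adjust to your deployment.
TOKEN_PATH = "/oauth/token"
SCHOOLS_PATH = "/data/v3/ed-fi/schools"


def get_token(base_url, key, secret):
    """Client-credentials grant using the application's key and secret."""
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        base_url + TOKEN_PATH,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def fetch_schools(base_url, token):
    """GET the schools list (first page only) with the bearer token."""
    req = urllib.request.Request(base_url + SCHOOLS_PATH,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def scope_report(schools, allowed_ids):
    """Return (leaked, missing): IDs outside the allowed set, allowed IDs not returned."""
    allowed = set(allowed_ids)
    seen = {s["schoolId"] for s in schools}
    return sorted(seen - allowed), sorted(allowed - seen)


# Constructed sample responses (IDs are made up for illustration).
BEFORE = [
    {"schoolId": 1001, "nameOfInstitution": "Grand Bend High School"},
    {"schoolId": 1002, "nameOfInstitution": "Constructed Middle School"},
]
AFTER = [{"schoolId": 1001, "nameOfInstitution": "Grand Bend High School"}]

if __name__ == "__main__":
    print("before override:", scope_report(BEFORE, [1001]))
    print("after override: ", scope_report(AFTER, [1001]))
```

Against a live API, pass the result of `fetch_schools(base_url, get_token(base_url, key, secret))` to `scope_report`; run it after the claim set change has taken effect (10 mins, or an ODS API restart), and treat a non-empty `missing` list as a sign the application is not associated with the intended education organization.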