Best practice? Integration partner access and DB refresh

What’s the smart way to do this?

  1. I allow our integration partners/consultants to access the development database (via REST, mostly), but obviously I do not want them to get into Production until we are ready.
  2. I refresh the development DB periodically with a copy from Production.
  3. Now I need to grant the partners access again to Development. (The refresh locked them out since they could not get into Production.)

With one partner, I simply created their account and API key only in development, and then I recreated it in development after every refresh. Now we have several partners, and this is getting old. Plus their API key keeps changing and I have to manually reset their password (REST still uses the Epicor password even though we are SSO).

I thought maybe I should create a permanent account and API key in Production but just give those an access scope that goes nowhere, and then override the scope in Development after refreshing.

Any pitfalls to that? Or is there an even better way?

I’ve been looking into Azure API Management. Based on what I’ve seen it would be relevant. I think you should be able to have your initial key and access that you set in production and copied to dev, then manage the partner access in Azure. I would think the DB refresh would be seamless.
Does anyone have experience with Azure API Management?

Interesting. Sounds too sophisticated to me, but I’m sure others will benefit.

I went with the access scope thing I mentioned. Scope is called DenyAll and has no services assigned to it. User can get into the system and change her password, but that’s about it. She can see menus but not open them.

When you assign it, Epicor warns you, Hey, you are completely chopping off the legs of this user. Continue?