Flow provides object-level permissions.
In general, you should create an API service account rather than mapping the API to an individual to avoid data loss or interruption. Typically, you name that service account something generic like API_SERVICE_ACCOUNT.
Permissions
You need Manage API keys permissions to manage API keys. You must have the Manage user permissions and Manage role permissions to give users access to APIs.
View rights and API
View rights are a key feature in Flow to control the depth of information a user can see in Flow's interface. Learn more about view rights.
All Metrics APIs respect view rights, so the view rights of the user with whom the API key is associated determine which data is returned in the response.
However, view rights are completely bypassed in the Customer API. This is by design.
View rights are report-dependent. The Customer API is based on primitive objects, not reports. This is important to understand as it has serious security and information access implications.
If you give a person access to the Commits API endpoint, for example, they will have complete unrestricted access to that object. This means they will be able to see any commit in any team in any repo.
If you wish to restrict or control that access, you must enforce it at the client level. This is, in part, why we strongly recommend you use a service account.
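As an added illustration (not Flow's own code or API schema), the following shows a deny-by-default filter a client application could place between a service-account call to the Customer API and its end users; the commit record fields and the (team, repo) policy shape are assumptions:

```python
from dataclasses import dataclass

# Constructed sample of what an unrestricted Customer API call might return.
# Field names are assumptions, not Flow's real Customer API schema.
CUSTOMER_API_COMMITS = [
    {"id": 1, "team": "payments", "repo": "billing", "author": "ana"},
    {"id": 2, "team": "payments", "repo": "ledger", "author": "bo"},
    {"id": 3, "team": "platform", "repo": "infra", "author": "cy"},
]


@dataclass(frozen=True)
class ViewRights:
    """Client-side view rights for one end user: the (team, repo) pairs
    they may see. Because the Customer API bypasses Flow's own view rights,
    this object is the only access control applied to that data."""
    allowed: frozenset  # frozenset of (team, repo) tuples; empty means see nothing


def filter_by_view_rights(records, rights):
    """Deny by default: keep a record only when its (team, repo) pair is
    explicitly allowed. Records missing either field are dropped rather
    than leaked, since they cannot be matched against a policy entry."""
    visible = []
    for record in records:
        key = (record.get("team"), record.get("repo"))
        if None in key:
            continue
        if key in rights.allowed:
            visible.append(record)
    return visible


def commits_for_user(user_rights, fetch=lambda: CUSTOMER_API_COMMITS):
    """What the client application exposes to an end user. The service-account
    key (held server-side, never handed to the user) fetches the unrestricted
    result, and the user's rights are applied before anything is returned."""
    return filter_by_view_rights(fetch(), user_rights)
```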
To grant a user API permissions, grant those permissions to at least one role the user has been assigned to.