Employee API v2 Constraints

This enhancement enables customers to begin to constrain Employee API v2 access in the API as it is in the user interface. This enables customers to use Cornerstone’s APIs in a more robust way, by enabling third-party integrators who are outside of their organization and should not otherwise have root access to all employee data, to be able to leverage the data they need for their solutions.

Some customers have been unable to utilize Cornerstone’s APIs for global rollouts because there was no way to guarantee that employee data (especially EMEA employee data) has not been accessed by any systems outside of the EMEA region. While this has been possible to do from an integrator's side by filtering on the organizational unit (OU), it has not been possible to enforce from a governance perspective, forcing some customers to limit their API rollouts. Support for constraints should allow for tighter controls around employee data when using Employee API v2.

API Explorer Documentation

Select this link to access API Explorer documentation.

Implementation

The new Employee API - View - Constrained permission enforces constraints for read access on the Employee API v2 only. Additional documentation with information on how to enable, and how this permission interacts with the existing permissions is available in the API Explorer upon release of this new API.

Permissions

The following new permission applies to this functionality:

PERMISSION NAME PERMISSION DESCRIPTION CATEGORY
Employee API - View - Constrained

Grants ability to use the Employee API v2 to view employee data with constraints. This permission can be constrained by OU and User's OU. The constraints on this permission limit what data is accessible via the Employee API v2. This is an administrator permission.

This permission is only available when the Employee API v2 is enabled via Edge Marketplace.

Edge

Security Roles

Upon release, the new Employee API - View - Constrained permission is automatically granted to the default System Administrator role. Administrators must grant this permission with the appropriate constraints to other roles, if necessary.