Security Model
This page outlines the conceptual view of security and how it is designed.
Logins are used for interactive access and are stored in the Staff table. Login names are restricted to your in-store retail environment. To permit a login name to log in on fieldpine.com, either tick the option Enable fieldpine.com or enter an OnlineLogin name and password, which implicitly grants access to fieldpine.com websites.
ApiKeys are used for programmatic access. They can be assigned as individual values given to external applications, or allocated to staff, customers, suppliers, etc.
User-generated ApiKey values can only include the characters (A..Z) (a..z) (0..9) (!@#$%^&*()-_+=.,). The characters ( | {} [] \ / ) are explicitly not permitted, as they are reserved for Fieldpine. When generating API key values, do not make them too short; we suggest around 40 characters as a reasonable balance between security and network bandwidth.
Applications that have stored a login name and password can generate a dynamic API-key as proof that they have a valid login authorisation and avoid sending the password.
URL Format
Each URL has the format:
- /OpenApi_RmSystem $Rrve $$Access-Token / ...
- /Anywhere_RmSystem $Rrve $$Access-Token / ...
- /Gnap_RmSystem $Rrve $$Access-Token / ...
For example:
/OpenApi_1,2,3,4$R20201201134216$$Mysecrettoken/Products
After the RmSystem, a number of optional additional parameters can be supplied. Each is introduced with a $ sign, followed by a unique identifier and the value.
- $Rnnnnn An RVE, or UTC timestamp. The value nnnnn is the UTC timestamp formatted as YYYYMMDDHHmmSS.
- $$xxxx An access token of some kind. If specified, this parameter must be last, and its value is delimited by the next slash in the URL path.
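
The URL layout above, as an added example (not Fieldpine's own code): a parser for the first path segment that validates the $R timestamp, extracts the $$ token and checks a key against the user-generated character set. The function names, the `other` dictionary and the `redact` log helper are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

PREFIXES = ("OpenApi", "Anywhere", "Gnap")
# Character set the page allows for user-generated ApiKey values.
USER_KEY_RE = re.compile(r"[A-Za-z0-9!@#$%^&*()\-_+=.,]+")


def parse_path(path):
    """Split '/<Prefix>_<RmSystem>[$R<ts>][$$<token>]/<rest>' into its parts."""
    head, _, rest = path.lstrip("/").partition("/")
    prefix, sep, spec = head.partition("_")
    if not sep or prefix not in PREFIXES:
        raise ValueError("unknown URL prefix")
    # '$$' is always the last parameter, so the first '$$' starts the token and
    # the rest of the segment belongs to it, including any further '$'.
    spec, has_token, token = spec.partition("$$")
    if has_token and not token:
        raise ValueError("empty access token")
    rm_system, *params = spec.split("$")
    rve, other = None, {}
    for p in params:
        ident, value = p[:1], p[1:]
        if ident == "R":
            if not re.fullmatch(r"[0-9]{14}", value):
                raise ValueError("RVE must be YYYYMMDDHHmmSS")
            # strptime also rejects impossible values such as month 13.
            rve = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        else:
            other[ident] = value  # identifiers this page does not document
    return {"prefix": prefix, "rm_system": rm_system, "rve": rve, "other": other,
            "token": token if has_token else None, "rest": "/" + rest}


def is_valid_user_key(key):
    """True if key uses only the characters allowed for user-generated ApiKeys."""
    return bool(USER_KEY_RE.fullmatch(key))


def redact(path):
    """Mask the access token so the path can be written to a log."""
    head, slash, rest = path.lstrip("/").partition("/")
    before, has_token, _ = head.partition("$$")
    if not has_token:
        return path
    return "/" + before + "$$<redacted>" + slash + rest


# Constructed sample: the example URL from this page.
SAMPLE = "/OpenApi_1,2,3,4$R20201201134216$$Mysecrettoken/Products"
```

Because the token travels in the URL path, it will appear in any access log that records request paths; passing the path through a helper like `redact` before logging keeps it out of those records.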