Reputation: 11
I've developed an app for Autodesk Revit that processes models in our Autodesk Construction Cloud (ACC) Hub. Through 3-legged authentication, users log in and can see all the projects they are assigned to. This part is fine.
We collaborate with other partners live in our Revit models (cloud worksharing). In some instances the projects are located on their hubs. I understand that they need to authorise my app on their hub through custom integrations (https://aps.autodesk.com/en/docs/bim360/v1/tutorials/getting-started/manage-access-to-docs/).
We don't want to see or access projects that we are not involved in, and I know we need to use 3-legged authentication for this, but what's stopping a developer, once approved on a hub, from developing another app (using the same credentials) that uses 2-legged authentication and accessing all the information on that hub?
I would expect when inviting a developer to a hub through a custom integration that you could choose which types of authentication are available to them and therefore the visibility extents within the hub. I appreciate that there are permission levels for accessing data and administration information.
Thanks
Upvotes: 0
Views: 86
Reputation: 1096
Agreed. Autodesk is a bit overdue on dealing with this scenario. Currently there is a lot of trust placed on the developers…
Upvotes: 0