Granular permissions for Alma API functions
(The idea title is copied from a NERS suggestion (5311) that didn't make it to the second round.)
When working with third parties, it is problematic that granting access to the Alma API for the necessary functionality will often also open up access to other information that we might not want to share with the same third party.
An example is that allowing a vendor to create PO Lines via the API will also give the vendor access to the complete financial data of our institution, potentially giving them insights that could be used against us when negotiating prices.
A different example is the one from the NERS suggestion:
"For example, we would like developers to be able to GET Resource Sharing requests without being able to GET all User records."
In the light of the upcoming new EU data protection directive that will apply from 2018-05-25, the lack of granular permissions can prevent us from allowing third parties access to any API section that contains any personal data (including not only user records but also operator ids or vendor contacts):