14. API

This module is accessible only to instance administrators and can be accessed from the side panel by selecting the API module. This module is only available with the Enterprise license.

14.1. API users

Apart from the instance administrator, only explicitly defined API users have the access to the application interfaces. These users can be managed in the API -> API Users section. These users are only used to access the application interfaces and do not have any other permissions to access the system.

Create API user

You can create an API user by clicking on the green Add User button and filling in the appropriate form.

Parameter	Required	Description
Name	Yes	The API login name of the user. To maintain maximum compatibility with third-party applications, we recommend choosing simple names without diacritics. For example: apiuser1, api_user_2, …
Activate	No	Only active API users can use the available application interface.
Description	No	It is used to improve orientation in the system.

Once a user is created, a unique secret is created for them, which can be viewed via the icon show in the list of API users. This secret serves as a password to access the application interfaces.

Edit API user

Editing the API user is possible in the update form, which can be opened by the authorized user in the API user list via the three dots icon.

API user activation and deactivation

Whether a user is active or inactive, it is indicated by the Status column in the API user listing. At the same time, the administrator can navigate to the activation/deactivation form via this button. Only active API users can use the available APIs.

Reset API user secret

The user’s API secret serves as a login password to access the available APIs. This can be reset by the administrator via the Reset button.

14.2. API management

Risk Flow offers a simple management of application interfaces that looks like this.

Assign API access to API user

For each API, you must explicitly define the users, who can access it. You can edit this via the edit form by clicking on the Edit User button. You can assign any or multiple API users to an API.

API activation and deactivation

The application interface can be activated and deactivated via the activation/deactivation form. Only active APIs can be accessed by API users.

Test API in browser

Each application interface can be tested in the browser by clicking on the Test API button.

Example of using API using Postman

Postman is an application used for testing application interfaces of other systems. This section will demonstrate connecting the API to a third-party application and displaying the available data.

All available application interfaces are described in the following chapter – Available APIs. To demonstrate the functionality of the application interface, a request will be made to list all users of the first client. First, we need to find out the ID of the client for which we want to get a list of users. So we will make a request for the appropriate application interface with the following parameters. First, we set the authentication data correctly – name, password and url address of the required API.

After sending such a request, we get a list of all registered clients and information about their users.

Now we know the client identifier from the name Klient 1 and we can use this knowledge to make other requests. We create a new request in the Postman application and set the same authentication and authorization values as in the previous request. In this case, we add another parameter specifying the selected client. We will use the API to find all available analyses for this client.

After sending such a request, we will get a result containing a list of available risk analyses for this client. Which APIs are available and which parameters they accept is described in the following chapter.

14.3. Available APIs

Risk Flow provides a standard REST API. The following interfaces can be used. Some interfaces accept additional http GET parameters. Parameters marked in red are mandatory.

The URLs of the individual application interfaces are available at https://INSTANCE-NAME.riskflow.cz/api/

Title	Description	Additional parameters
Users	List Risk Flow users.	role Accepts values “manager”, “analyst”, “auditor”, “client”. active Receives values „true” or Accepts values true or false. Returns active or inactive based on the selected value. lang Accepts values en or cs. Returns users with the preferred language of notification emails selected.
Clients	List of all clients.
Client’s users	List all user of a specific client.	client Accepts client ID. Returns a list of users of the selected client. active Receives values „true” or Accepts values true or false. Returns active or inactive based on the selected value. lang Accepts values en or cs. Returns users with the preferred language of notification emails selected.
Asset groups	List of asset groups for a specific client.	client Receives client ID. Returns a list of asset groups for the selected client.
Assets	List of assets and groups for a specific client.	group Accepts asset group IDs. Returns a list of assets of the selected groups. availability Accepts values low, medium, high, critical, not-set. Returns a list of assets according to the selected value. integrity Accepts values low, medium, high, critical, not-set. Returns a list of assets according to the selected value. confidentiality Accepts values low, medium, high, critical, not-set. Returns a list of assets according to the selected value. type Accepts values primary, auxiliary value Accepts values 1, 2, 34, 0. Value of 0 filters out assets that have not yet been valued.
Analyses	List of risk analyses.	client Accepts client ID. Returns a list of risk analyses for the selected client. manager Email of the user who is the responsible manager of the analysis. analyst E-mail of the user who works as an analyst in the analysis. status Accepts values started, inprogress, finished, waitingforapproval, approved, notapproved, inflow, inflownotapproved, inflowapproved.
Risk analysis	Specific risk analysis detail.	analysis Accepts ID risk analysis. Returns the detail of the selected analysis.
Risk analysis comments	List of all comments for a specific risk analysis.	analysis Accepts ID risk analysis. Returns the comments of the selected analysis.
Flows	List of all flows.	client Accepts client’s ID. Returns a list of flows of the selected client. manager Email of the user who is the responsible manager at flow. status Accepts values started, inprogress, finished, waitingforapproval, approved, notapproved, done",``auditdone type It accepts approval or audit values and filters the list of flows based on the selected type.
Approval flow	Approval flow	flow Receives flow ID. Returns the detail of the selected flow.
Audit flow	Audit flow	flow Receives flow ID. Returns the detail of the selected flow.
Flow comments	List of all comments for a specific flow	flow Receives ID flow. Returns comments of the selected flow.
All assets and groups of clients	List of all clients, their asset groups and all relevant assets.	client Receives client’s ID. Returns a list of asset groups and their assets for the selected client.
Import logs	Records of imports and description of potential errors.
Risk treatment plans	List of risk treatment plans	client Accepts client ID. Returns a list of risk treatment plans for the selected client. manager Email of the user who acts as the responsible manager for the plan. analyst E-mail of the user who acts as an analyst for the plan. status Accepts values started, inprogress, finished, waitingforapproval, approved, notapproved, inflow, inflownotapproved, inflowapproved.
Risk treatment plan	Detail of risk ma treatment plan	plan Accepts the risk treatment plan ID. Returns the detail of the selected plan.
Risk treatment plan comment	Comments on a specific risk treatment plan	plan Accepts risk management plan ID. Returns the comments of the selected plan.