© 2018 Capita Business Services Ltd. All rights reserved.

Capita Education Software Solutions is a trading name of Capita Business Services Ltd. Our Registered office is 30 Berners Street, London, W1T 3LR and our registered number is 02299747. Further information about Capita plc can be found in our legal statement.

Dex Security Model

The security of the DeX API Suite is protected OAuth client and secrets, which is a standard authorisation protocol used worldwide. 

 

ESS Products are multi-tenanted which means that multiple customer's data may be stored in the same data store. Some of our APIs expect to have the Client Credenitals (Client ID and Secret) to uniquely identify the customer whose data may be accessed.  Others require that the 'organisation id' is specified in the call.

 

SIMS Primary / SIMS 8

SIMS ID RAP APIs SIMS ID One Roster Read APIS SIMS ID One Roster Write APIS

Pass the organisation ID in the token request

Must have a Unique mapping between the organisation and client credential. Must have a Unique mapping between the organisation and client credential. Must have a Unique mapping between the organisation and client credential.

For example, each school will require its own Client ID and Secret because the OneRoster API implementation is multi-tenanted. 

OPENID Connect can also be supported where a single key and secret is provided. Using OPENID Connect will require end user interaction to sign in and is not recommended for Service to Service implementation..

ESS recommend a shared key and secret per school. This will also allow schools to individually remove their consent in future, and ESS can then fully ensure compliance with the request by disconnecting access to that school on the API.

Keys and Secrets will be enabled when the school consents to the service being enabled. The consent is just for that one school.

The exact mechanism for passing Keys and Secrets will be confirmed with CCEA as REQ-T02 is progressed