Access Control Policies
Access Control Policies (ACPs) create a secure environment where all traffic coming from approved sources can reach the Scheduler widget for processing, and any unrecognized traffic is blocked.
The Access Control Policies tab allows you to secure access to your Widgets in one of two ways:
- By allowing specific IP addresses to send unlimited traffic from specified sources
- By creating API Access Tokens that will be required with each API request
Create an ACP
New Access Control Policies can be created in two different ways. You can choose to start fresh with a new, empty policy, or clone an existing policy to start with an existing list of allowed IP addresses. If you choose to clone an Access Control Policy, you can then add or remove IP addresses and API Access Tokens from the new policy as needed to fit its intended purpose.
Quick Access: Scheduler > Access Control Policies
- To create a new Access Control Policy with nothing configured, click Add Access Control Policy, or...
- To use an existing Access Control Policy as a template for the new one, click the Clone icon in the row corresponding to the policy that you wish to clone.
- Enter a unique name for the new policy in the Name field.
- Enter a description to further identify the new policy in the Description field.
- If you are cloning an existing Access Control Policy, click Save, then click the Edit icon on the new row associated with the policy to continue.
- Click Add Whitelisted IP Address to add an IP address to the whitelist.
- In the Add Whitelisted IP Address modal window, enter the IP address in the Address field. If you wish to use the IP address of the server you are using to access the Mindful Callback UI, you can click Use my IP address to automatically populate it in this field.Tip: To add a range of IP addresses, follow CIDR notation:For example, if you want to use the IP addresses 1.1.1.0 to 1.1.1.255, then you would enter 1.1.1.0/24 into the Address field./24 is the largest block size that is allowed.
Enter descriptive text to identify the server in the Description field.
Click Save to return
Repeat Steps 6-9 for any additional IP addresses you would like to add to the new Access Control Policy.
API Access Tokens
Generate an API Access Token if you want to integrate your widget and ACP with other Mindful applications. API Access Tokens can be added at any time via the steps below.
- In your in-progress ACP, scroll down to the API Access Tokens section and click Add API Access Token.
- On the Add API Access Token modal, give your token a name. We recommend that you name it so that other system admins know where you're using the token.
- Click Save.
When you're done configuring your ACP, you can return to the Access Control Policies page to see a list of your ACPs.
- Your organization may create up to 100 Access Control Policies (ACPs). This includes original and cloned ACPs.
- Each ACP may have up to 10 IP address entries assigned. An identified range of IP addresses counts as one entry.
- Each ACP may have up to five (5) API Access Tokens applied to it.
Apply an ACP
After creating an Access Control Policy, use the following steps to apply it to a widget or to your organization.
Apply an ACP to a Widget
Quick Access: Scheduler > Widgets
- On the Widgets tab, click the Edit icon in the row corresponding to a particular widget.
- Use the Access Control Policy dropdown menu to select a policy to apply.
- Save your changes.
Apply an ACP to the Organization-wide API
Quick Access: Scheduler > API
Apply an ACP to all of the API Endpoints on the Scheduler API screen. On the Scheduler API screen, use the Access Control Policy dropdown menu to select a policy to apply.
Send requests with an API Access Token
If you choose to apply an ACP with an API Access Token to a Widget, the API request must contain a Bearer token in an Authorization header. The token is automatically generated and persistent, and you can find it on the configuration page for an ACP.
Code examples
With an ACP applied to a Widget, the API Endpoints modal window on the Widgets page will add the required header to the example code:
Embedded widgets
If you are using the Embed code on the Widgets page, and an API Access Token is applied to the Widget, then the Widget will not render. Widgets with an API Access Token applied must be invoked via API.