Set up an operation

If you use Bot Manager Premier or Account Protector, you come to the API Definitions app to register the transactional endpoint, like the login or checkout page, you want to protect. To do so—even if that page isn't technically an API—you define an API (to share the page's path and other details) and create an operation (formerly called resource purpose).

📘

If you enable WebSockets for specific matches, response body inspection for the given Application Security product won't work for the corresponding requests. For example, if WebSockets are enabled for certain paths, body inspection won't work for requests that target those paths.

  1. On the API Definitions page, in the Registered APIs section, find the API definition in which you want to create an operation and click its ... Action menu.

  2. From the menu, select Manage versions.

  3. In the Version history panel, select the version you want to edit.

  4. From the list of delivery options on the left, select API Operations.

  5. On the API Operations page, click + to add a new operation.

  6. Enter the Name of the operation.
    If you only specify one operation for a resource, it’s best to use the same name for the operation as you did for the resource. This helps you easily identify it in your security configuration. If you specify multiple operations of a resource (for example, two different operations for GET and POST), use the name of the resource in combination with the method. For example: post-book.

  7. Select the associated API resource.
    You can create up to 200 operations per resource.

  8. From the Method menu, select the HTTP method used in combination with the resource.

  9. Click Operation Purpose and select the task your transactional page serves. For more information, see Operation purposes.

📘

If you can’t find the exact task on the list, select the most similar option.

  • Login: This operation lets the user log on to their account (a bank account, an eCommerce account, and so on).

    If you selected Login, go to the Username parameter menu and select the login parameter you defined in the API resource panel.
    If the value you want to capture, like the username, is in a JSON array, and you turned on the array checkbox when you set up this resource, enter the array index numbers to indicate where the username data lives. An index is a number that specifies a value's position in the array and starts at zero. For example, in this JSON object:

    {
        "gateway_customer": {
            "identities": {
                "identity": [
                    {
                        "data": "test@example.com",
                        "type": "USERNAME"
                    },
                    {
                        "data": "qwerty123",
                        "type": "PASSWORD"
                    }
                ]
            }
        }
    }


    the username parameter is /gateway_customer/identities/identity and the username entry is the first element of that array, so you'd enter an index value of 0.

    If the path has multiple array elements, you must specify an index for each one.

    Note: Your code must enforce the defined array order, so that each value is always found at the same index.

  • Account creation

  • Account verification

  • Add to cart

  • Giftcard balance check

  • Loyalty points

  • Password reset

  • Search

As part of the Account Lifecycle Protection program, you can choose from these additional operation purposes:

Note that the user has to be logged in to perform these operations.

  • Account update

  • Password change

  • Payment

  10. To capture data on successful and unsuccessful attempts to use the resource, in the Origin Response section, define their traits. For more information, see set origin success and failure conditions.
    You need to configure origin response for transactional endpoints if you use Account Protector. For Bot Manager Premier this step is optional.
    You can set up success and failure reporting for every operation type except Search and Add to cart.

  11. Optional: If the requests you want to protect using Bot Manager Premier or Account Protector always include parameters, then in the Additional required parameters section, do the following for every parameter that you want to set up:

Note: Usually, you won't add parameter criteria here. Do so only if you want to protect ONLY specific requests that include or exclude the parameter. Requests that don't meet the conditions you set won't undergo Bot Manager Premier detection or Account Protector evaluation.

a. Click Add parameter.

b. From the leftmost drop-down menu, select the parameter that you want to configure. If it contains array indexes, you must specify their location: enter the index in the box provided. For an example, refer back to Step 9.

c. From the rightmost drop-down menu, select the condition that the parameter should meet.

d. If you selected the matches or does not match condition, enter one or more values for the parameter.

🚧

Again, don't enter parameter criteria here unless you want to protect ONLY those specific requests. If your app accepts requests that don't meet the parameter conditions you define, those requests would likely bypass bot protections. Proceed carefully. The need to set parameters here is rare (for example, in the case of GraphQL applications).

  12. Click Save.
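The following Python is an added example, not Akamai's code and not part of this documentation. It shows, for the login body from Step 9, how a parameter path combined with zero-based array indexes resolves to a value, why the Note in Step 9 requires a fixed array order (the same index lands on the PASSWORD entry if the application reorders the array), and how the parameter conditions from Step 11 cause a request that fails a condition to be skipped rather than evaluated. The sample bodies, the rule shape, and the treatment of an absent parameter as meeting neither the matches nor the does not match condition are assumptions constructed for this example.

```python
import json
from typing import Any, Sequence

# Constructed sample input: the login body shown in Step 9.
LOGIN_BODY = json.dumps({
    "gateway_customer": {
        "identities": {
            "identity": [
                {"data": "test@example.com", "type": "USERNAME"},
                {"data": "qwerty123", "type": "PASSWORD"},
            ]
        }
    }
})

# Constructed: the same body with the array order swapped, which is exactly
# what the Note in Step 9 says your application code must never produce.
REORDERED_BODY = json.dumps({
    "gateway_customer": {
        "identities": {
            "identity": [
                {"data": "qwerty123", "type": "PASSWORD"},
                {"data": "test@example.com", "type": "USERNAME"},
            ]
        }
    }
})


def resolve(body: Any, path: str, indexes: Sequence[int] = ()) -> Any:
    """Walk a slash-delimited parameter path through parsed JSON.

    Each time the walk lands on an array, the next value in `indexes` picks
    the element (zero-based, one index per array, in path order), which is
    how the array index boxes described in Step 9 are used.
    """
    node = body
    remaining = list(indexes)
    for key in path.strip("/").split("/"):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"no object member {key!r} on path {path}")
        node = node[key]
        if isinstance(node, list):
            if not remaining:
                raise ValueError(f"{key!r} is an array but no index was given")
            node = node[remaining.pop(0)]  # IndexError if out of range
    if remaining:
        raise ValueError(f"{len(remaining)} index value(s) left unused")
    return node


def identity_order_ok(body_text: str) -> bool:
    """True when index 0 of the identity array really is the USERNAME entry."""
    entry = resolve(json.loads(body_text),
                    "/gateway_customer/identities/identity", [0])
    return isinstance(entry, dict) and entry.get("type") == "USERNAME"


def username_from_login(body_text: str) -> str:
    """Extract the username exactly as the configured path + index 0 would."""
    if not identity_order_ok(body_text):
        raise ValueError("identity[0] is not the USERNAME entry: array order changed")
    return resolve(json.loads(body_text),
                   "/gateway_customer/identities/identity/data", [0])


# Assumed names for the two conditions Step 11 mentions.
MATCHES = "matches"
DOES_NOT_MATCH = "does not match"


def parameter_condition_met(body: Any, path: str, indexes: Sequence[int],
                            condition: str, values: Sequence[Any]) -> bool:
    """Model one 'Additional required parameters' rule from Step 11.
    Assumption: a parameter that cannot be resolved meets neither condition."""
    try:
        actual = resolve(body, path, indexes)
    except (KeyError, IndexError, ValueError):
        return False
    if condition == MATCHES:
        return actual in values
    if condition == DOES_NOT_MATCH:
        return actual not in values
    raise ValueError(f"unknown condition {condition!r}")


# Constructed rule: only evaluate requests whose identity[0].type is USERNAME.
LOGIN_RULES = [
    ("/gateway_customer/identities/identity/type", [0], MATCHES, ["USERNAME"]),
]


def would_be_evaluated(body_text: str, rules: Sequence[tuple]) -> bool:
    """A request is evaluated only when every rule is met; a request that
    fails a rule is skipped, which is the bypass the 🚧 callout warns about."""
    body = json.loads(body_text)
    return all(parameter_condition_met(body, *rule) for rule in rules)


if __name__ == "__main__":
    print(username_from_login(LOGIN_BODY))             # test@example.com
    print(would_be_evaluated(LOGIN_BODY, LOGIN_RULES))     # True
    print(would_be_evaluated(REORDERED_BODY, LOGIN_RULES)) # False: skipped
```

The `resolve` walk generalizes the page's single-array example to paths that cross several arrays (one index per array, consumed in path order), which is the case the text covers with "you must specify an index for each one".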