Session permissions review

Complete a session permissions review for production access

In order to ensure that your integration is properly secured, we will conduct a session permissions review on the Rainforest Sandbox environment prior to your product launch. The review can take place in one of three ways:

  1. Recommended: During a live demo
  2. Through a recorded demo of your MVP
  3. Submitting timestamps of requests utilized in your integration

For options #2 or #3, please submit a request to [email protected] with the subject line "[Platform Name] Session Permissions Review". Please allow 2 business days for a response.

Please include the following actions within the video demo or in the session key review request. Only include actions that are part of your MVP:

  • Onboard a merchant - start from the home page in your platform UI
  • Run a test payment
  • Load the payments report and the payment details component
  • Load the deposit report and the deposit activity details

Component permissions

Rainforest follows the best practice of the principle of least privilege. We'll review your permissions and confirm that the permissions granted to various parts of your integration are as restrictive as possible.

When integrating with Rainforest components, we highly recommend utilizing permission groups. Groups will ensure that your components always have the necessary permissions as features are added to our components.

Sessions should not use group#all, as this grants access to all resources within Rainforest. In the session permissions review, if you are using group#all, we will ask for clarity on this choice and whether it is possible to pare this back to one of the groups specific to the integrated component.

Depending on your MVP, here is a list of common permissions used.

Payment component

Sessions are typically constrained to the specific merchant you're taking the payment for, with the permissions group group#payment_component.

{
    "permissions": [
        "group#payment_component"
    ],
    "constraints": {
        "merchant": {
            "merchant_id": "mid_123"
        }
    }
}

Requests to review:

  • Load the Rainforest Payment Component with a valid payin config
  • Process a payin through the Rainforest Payment Component

Payin details component

When utilizing the payin details as a separate component from the Payment Report Component, sessions should be constrained to the specific payin being viewed with the permissions group group#payin_details_component.

{
    "permissions": [
        "group#payin_details_component"
    ],
    "constraints": {
        "payin": {
            "payin_id": "pyi_123"
        }
    }
}

If the user can initiate refunds, then the permissions should also contain the permissions group group#payin_details_component.create_refund.

{
    "permissions": [
        "group#payin_details_component",
        "group#payin_details_component.create_refund"
    ],
    "constraints": {
        "payin": {
            "payin_id": "pyi_123"
        }
    }
}

Requests to review:

  • Load the Rainforest Payin Details Component with a valid payin
  • If the user has permissions to create a refund, initiate a refund
  • If you've enabled deep linking between associated payments, such as related Refunds, click into the related Refund Details Component

Payment report component

Sessions are typically constrained to the specific merchant's payments with the permissions group group#payment_report_component.

{
    "permissions": [
        "group#payment_report_component"
    ],
    "constraints": {
        "merchant": {
            "merchant_id": "mid_123"
        }
    }
}

If the user can initiate refunds, then the permissions should also contain the permissions group group#payment_report_component.create_refund.

{
    "permissions": [
        "group#payment_report_component",
        "group#payment_report_component.create_refund"
    ],
    "constraints": {
        "merchant": {
            "merchant_id": "mid_123"
        }
    }
}

Requests to review:

  • Load the Rainforest Payment Component and click into various Payment Details, such as a payin, refund, chargeback, and ACH return
  • If the user has permissions to create a refund, initiate a refund via the Payin Details

Deposit report component

Sessions are typically constrained to the specific merchant's deposits with the permissions group group#deposit_report_component.

{
    "permissions": [
        "group#deposit_report_component"
    ],
    "constraints": {
        "merchant": {
            "merchant_id": "mid_123"
        }
    }
}

If the user can initiate refunds through the deposit report, then the permissions should also contain the permissions group group#deposit_report_component.create_refund.

{
    "permissions": [
        "group#deposit_report_component",
        "group#deposit_report_component.create_refund"
    ],
    "constraints": {
        "merchant": {
            "merchant_id": "mid_123"
        }
    }
}

Requests to review:

  • Load the Rainforest Deposit Component and click into a single deposit
  • Within a deposit, click into various Payment Details, such as a payin, refund, chargeback, and ACH return
  • If the user has permissions to create a refund, initiate a refund via the Payin Details

Merchant onboarding component

Sessions are typically constrained to the specific merchant being onboarded with the permissions group group#merchant_onboarding_component.

{
    "permissions": [
        "group#merchant_onboarding_component"
    ],
    "constraints": {
        "merchant": {
            "merchant_id": "mid_123"
        }
    }
}

Requests to review:

  • Load the Rainforest Merchant Onboarding Component
  • Submit the application via the component
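As an added example (not Rainforest's own code or tooling), the following Python lint applies the rules from the component sections above to a session permissions payload before it goes into the review: it flags group#all, a create_refund sub-group without its base component group, and a component group that is not constrained to a single merchant or payin. The EXPECTED_SCOPE mapping is taken from the example payloads on this page, and the function names and the "bad" payload are constructed for illustration.

```python
import json

# Constraint each component group is expected to carry, per the sections above.
EXPECTED_SCOPE = {
    "group#payment_component": ("merchant", "merchant_id"),
    "group#payin_details_component": ("payin", "payin_id"),
    "group#payment_report_component": ("merchant", "merchant_id"),
    "group#deposit_report_component": ("merchant", "merchant_id"),
    "group#merchant_onboarding_component": ("merchant", "merchant_id"),
}


def lint_session_permissions(session):
    """Return a list of least-privilege findings (empty list means it passes)."""
    findings = []
    perms = session.get("permissions", [])
    constraints = session.get("constraints", {})

    if "group#all" in perms:
        findings.append("group#all grants access to every Rainforest resource; use the component's own group")

    # A create_refund sub-group is only meaningful alongside its component group.
    for perm in perms:
        base = perm.split(".", 1)[0]
        if perm != base and base not in perms:
            findings.append(f"{perm} is present without its base group {base}")

    # Every component group must be scoped to a single merchant or payin.
    for base in sorted({p.split(".", 1)[0] for p in perms}):
        if base == "group#all":
            continue
        scope = EXPECTED_SCOPE.get(base)
        if scope is None:
            findings.append(f"{base} is not one of the component groups documented here")
            continue
        obj, key = scope
        if not constraints.get(obj, {}).get(key):
            findings.append(f"{base} should be constrained via constraints.{obj}.{key}")
    return findings


def lint_session_json(text):
    """Same check, taking the raw JSON payload as sent when creating a session."""
    return lint_session_permissions(json.loads(text))


# Constructed payloads: the first mirrors the Payin Details example above, the
# second is an over-broad session of the kind the review would push back on.
GOOD = '{"permissions": ["group#payin_details_component", "group#payin_details_component.create_refund"], "constraints": {"payin": {"payin_id": "pyi_123"}}}'
BAD = '{"permissions": ["group#all", "group#payment_report_component.create_refund"], "constraints": {}}'

if __name__ == "__main__":
    for label, payload in (("good", GOOD), ("bad", BAD)):
        print(label, lint_session_json(payload) or "ok")
```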