Data producers can always access their own data. If a data producer chooses to share certain data objects with a data consumer, fine-grained access rights can be configured for that specific data consumer.

You control what each API client application is allowed to do by configuring the access rights for each IoL data entity type when creating the API token for that client application. 

Normally, a single API token is used for each application. For large applications, you might want to split the access rights between different parts of the application, in which case multiple API tokens with different access rights can be generated for it.

In the API token administration GUI, system administrators can grant individual API clients the right to read, create and update/delete each of the different data entity types.

It is also possible to control which properties (fields) of a data object should be visible to data sharing consumers. Using the filtering function, it is possible to exclude (hide) certain data properties when the webhook passes the IoL data object on to the client application.

This is done in the filtering section of the webhook configuration GUI in the IoL administration GUI.

Adding properties to the exclude list hides the corresponding data properties of the selected entity type from the API token user (the data sharing consumer), so they are not shared.

This enables sharing of entity types that contain specific parts of sensitive information that should not be shared with all or some client applications.
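
The following sketch is an added example, not IoL code: it models default-deny rights per entity type and an exclude list applied before webhook delivery, plus an audit check for sensitive properties the exclude list does not yet cover. The `TokenPolicy` structure, the function names, the `Shipment` entity and its properties are assumptions made for illustration, as is the rule that delivery requires the read right.

```python
"""Illustrative model (not IoL code): per-token rights and webhook property filtering."""
from dataclasses import dataclass, field

RIGHTS = {"read", "create", "update_delete"}  # the three rights named on the page


@dataclass
class TokenPolicy:
    # Hypothetical structure: rights and exclude lists keyed by entity type.
    rights: dict = field(default_factory=dict)   # entity type -> set of rights
    exclude: dict = field(default_factory=dict)  # entity type -> hidden properties

    def allows(self, entity_type, right):
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        # Default deny: an entity type with no entry grants nothing.
        return right in self.rights.get(entity_type, set())


def webhook_payload(policy, entity_type, obj):
    """Return the object as the consumer would receive it, or None if not readable."""
    if not policy.allows(entity_type, "read"):  # assumption: delivery needs "read"
        return None
    hidden = policy.exclude.get(entity_type, set())
    return {k: v for k, v in obj.items() if k not in hidden}


def unfiltered_sensitive(policy, entity_type, sensitive):
    """Audit check: sensitive properties the exclude list does not yet hide."""
    if not policy.allows(entity_type, "read"):
        return set()
    return set(sensitive) - set(policy.exclude.get(entity_type, set()))


# Constructed sample data; entity and property names are invented for illustration.
SHIPMENT = {"id": "S-1", "status": "in_transit", "declared_value": 12000,
            "consignee_phone": "+00 000 0000"}
CONSUMER = TokenPolicy(
    rights={"Shipment": {"read"}},
    exclude={"Shipment": {"declared_value"}},
)

if __name__ == "__main__":
    print(webhook_payload(CONSUMER, "Shipment", SHIPMENT))
    print(unfiltered_sensitive(CONSUMER, "Shipment",
                               {"declared_value", "consignee_phone"}))
```

Running the audit function against your own list of sensitive properties for each shared entity type shows which ones still need to be added to the exclude list.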