https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3956644#M455772 <P dir="ltr">Hello Team.&nbsp;</P> <P dir="ltr">My customer is looking at consuming the ERS Api for specific uses and has enquired whether<SPAN>&nbsp;</SPAN><STRONG>it is possible to restrict access to a limited subset of API</STRONG>? In reviewing the documentation, it seems that once an account is created for API access, it is granted full access to all ERS APIs.</P> <P dir="ltr">&nbsp;- External RESTful Services Admin-Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests</P> <P dir="ltr">Secondly,<SPAN>&nbsp;</SPAN><STRONG>is it possible to report/audit&nbsp;API calls;&nbsp;determine&nbsp;what account and APIs have been used/called and when</STRONG>?</P> <P dir="ltr">Lastly, my current understanding is that the API uses Basic Authentication within the http headers which is simply consist of a username and password base64 encoded. if this is correct,<SPAN>&nbsp;</SPAN><STRONG>are there any best practices employed by other customer to avoid the credentials from being compromised and used by an unauthorized app/user</STRONG>?</P> <P dir="ltr">&nbsp;</P> <P dir="ltr">Header&nbsp;&nbsp; &nbsp;Values&nbsp;&nbsp; &nbsp;Description<BR />ACCEPT&nbsp;&nbsp; &nbsp;Application/XML or Application/JSON&nbsp;&nbsp; &nbsp;Indicates to the server what media type(s) this client is willing to accept<BR /><STRONG>AUTHORIZATION</STRONG>&nbsp;&nbsp; &nbsp;"<STRONG>Basic</STRONG><SPAN>&nbsp;</SPAN>" plus username and password (per<SPAN>&nbsp;</SPAN><STRONG>RFC 2617</STRONG>)&nbsp;&nbsp; &nbsp;Identifies the authorized user making this request<BR />CONTENT-TYPE&nbsp;&nbsp; &nbsp;Application/XML or Application/JSON&nbsp;&nbsp; &nbsp;Describes the representation and syntax of the request message body.<BR />ERS-Media-Type&nbsp;&nbsp; &nbsp;Consists Of: resource-namespace.resource-name.resource-version&nbsp;&nbsp; &nbsp;This Header is not mandatory. It describes ERS resource version. If not sent from client, the server will assume latest version.</P> <P dir="ltr"><A href="https://tools.ietf.org/html/rfc2617#section-2" target="_blank">https://tools.ietf.org/html/rfc2617#section-2</A></P> <PRE dir="ltr">the client sends the userid and password, separated by a single colon (":") character, within a base64 [<A title="&quot;Uniform Resource Identifiers (URI): Generic Syntax&quot;" href="https://tools.ietf.org/html/rfc2617#ref-7" target="_blank"> 7</A>] encoded string in the credentials </PRE> <P dir="ltr">Thanks,&nbsp;</P> <P dir="ltr">Regan</P> Mon, 11 Nov 2019 13:16:43 GMT rdediana 2019-11-11T13:16:43Z https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3956644#M455772 <P dir="ltr">Hello Team.&nbsp;</P> <P dir="ltr">My customer is looking at consuming the ERS Api for specific uses and has enquired whether<SPAN>&nbsp;</SPAN><STRONG>it is possible to restrict access to a limited subset of API</STRONG>? In reviewing the documentation, it seems that once an account is created for API access, it is granted full access to all ERS APIs.</P> <P dir="ltr">&nbsp;- External RESTful Services Admin-Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests</P> <P dir="ltr">Secondly,<SPAN>&nbsp;</SPAN><STRONG>is it possible to report/audit&nbsp;API calls;&nbsp;determine&nbsp;what account and APIs have been used/called and when</STRONG>?</P> <P dir="ltr">Lastly, my current understanding is that the API uses Basic Authentication within the http headers which is simply consist of a username and password base64 encoded. if this is correct,<SPAN>&nbsp;</SPAN><STRONG>are there any best practices employed by other customer to avoid the credentials from being compromised and used by an unauthorized app/user</STRONG>?</P> <P dir="ltr">&nbsp;</P> <P dir="ltr">Header&nbsp;&nbsp; &nbsp;Values&nbsp;&nbsp; &nbsp;Description<BR />ACCEPT&nbsp;&nbsp; &nbsp;Application/XML or Application/JSON&nbsp;&nbsp; &nbsp;Indicates to the server what media type(s) this client is willing to accept<BR /><STRONG>AUTHORIZATION</STRONG>&nbsp;&nbsp; &nbsp;"<STRONG>Basic</STRONG><SPAN>&nbsp;</SPAN>" plus username and password (per<SPAN>&nbsp;</SPAN><STRONG>RFC 2617</STRONG>)&nbsp;&nbsp; &nbsp;Identifies the authorized user making this request<BR />CONTENT-TYPE&nbsp;&nbsp; &nbsp;Application/XML or Application/JSON&nbsp;&nbsp; &nbsp;Describes the representation and syntax of the request message body.<BR />ERS-Media-Type&nbsp;&nbsp; &nbsp;Consists Of: resource-namespace.resource-name.resource-version&nbsp;&nbsp; &nbsp;This Header is not mandatory. It describes ERS resource version. If not sent from client, the server will assume latest version.</P> <P dir="ltr"><A href="https://tools.ietf.org/html/rfc2617#section-2" target="_blank">https://tools.ietf.org/html/rfc2617#section-2</A></P> <PRE dir="ltr">the client sends the userid and password, separated by a single colon (":") character, within a base64 [<A title="&quot;Uniform Resource Identifiers (URI): Generic Syntax&quot;" href="https://tools.ietf.org/html/rfc2617#ref-7" target="_blank"> 7</A>] encoded string in the credentials </PRE> <P dir="ltr">Thanks,&nbsp;</P> <P dir="ltr">Regan</P> Mon, 11 Nov 2019 13:16:43 GMT https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3956644#M455772 rdediana 2019-11-11T13:16:43Z https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3958644#M455773 <P>The first item is not available at present. I would suggest to check with our PM team(s) for enhancements.</P> <P>The second item has some in our existing audit reports. Please have a look at them.</P> <P>The third items will be done the same as the usual. Restrict access to the ERS API service port(s) by firewall and not using common user credentials, etc. ERS API has an option to allow CSRF validation, but this is not working with DNAC integration.</P> <P>The last item does not seem a question or comment.</P> Thu, 14 Nov 2019 15:59:29 GMT https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3958644#M455773 hslai 2019-11-14T15:59:29Z https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3958692#M455774 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/113005">@hslai</a>&nbsp;,&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/397746">@rdediana</a>&nbsp;</P> <P>Here is the enhancement request already opened for this -&nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr07394" target="_blank" rel="noopener">CSCvr07394</A>&nbsp;(<SPAN>Create ERS users with specific privileges)</SPAN></P> <P>&nbsp;</P> Thu, 14 Nov 2019 15:55:48 GMT https://community.cisco.com/t5/network-access-control/ise-ers-api-rbac/m-p/3958692#M455774 Anurag Sharma 2019-11-14T15:55:48Z