
Cisco Prime Infrastructure (WiFi) REST API Security and access control

Q5
Level 1

Hi guys

I need to read about how to secure and control the access to Cisco Prime Infra APIs. Where can I read about this?

Alexander Onnikov
Cisco Employee

Hi,

You can read about this on the Authentication, Authorization, and Security API documentation page:

/webacs/api/v1/?id=authentication-doc

If you do not have a Prime Infrastructure in your lab, you can read the documentation on DevNet:

https://developer.cisco.com/site/prime-infrastructure/documents/api-reference/rest-api-v3-5/

Is that all there is about AAA in Cisco Prime?

My OSS team is refusing me access via APIs because they can't control the access well enough.

Is there a more granular control than read and write access? Is it possible to restrict the access to a certain area of Cisco Prime Infrastructure or to certain groups of devices via the same (CPI)?

Nope, that is not all.

In the Prime Infrastructure we have three user groups that control access to APIs:

  • NBI Read - most of GET API resources
  • NBI Write - most of POST/PUT/DELETE API resources
  • NBI Credential - API resources that return sensitive data, like device credentials

There is also a concept of Virtual Domains that allows you to logically group devices, device groups, and other network elements. Virtual domains control the devices users can access. The API respects this concept; API requests are filtered by the user's active domain.

You can find more information about virtual domains in Prime Infrastructure in the Admin Guide.

Thanks for the help.

One last question: it is not clear from the documentation if the access to the REST APIs can be restricted further for Read only or Write by creating other groups than the built-in ones and allowing the users to do only certain things. Can you comment on this please?

No, unfortunately there is no way for end-users to have more granular control over the REST APIs.
