After upgrading our Cisco Prime to 3.1 (3.1.6 to be exact) from 3.0.4, any calls we make to /InventoryDetails (webacs/api/v1/data/InventoryDetails) return 403 - Forbidden.
The same user with the same rights can without issue call webacs/api/v1/data/Devices as before.
The error message returned in the response is:
Access is denied to Prime Infrastructure.
Any thoughts on what might be wrong here?
Are you using an external AAA provider (TACACS for example)? Is it just InventoryDetails that you're having a problem with, or are you experiencing the same issue with other public API resources? What type of user are you using to query the API (root, Super, NBI Read)?
We are using an external provider (TACACS+) for login.
We are only querying /Devices and /InventoryDetails for now; the script I have to scrape the general inventory (/Devices) works as before, whereas what I use to scrape the network topology (/InventoryDetails) fails. I have verified it by hand using PowerShell and browsing to the API endpoint directly in Chrome.
The user is a member of "NBI Read".
The user is able to read the information (CDP Neighbors) when browsed via the WebGui.
Can you double check your ACS shell profile and authorization config? Your shell profile should look something like this
You might also want to check the reporting section on your ACS server. Specifically, the TACACS Authentication report. Click the details button of one of your most recent API sessions and ensure that the selected shell profile listed matches your expectations.
There is an explicit privilege grant in the system for the Devices API for a broad set of users, so it's likely that you're granted access to Devices based on that privilege.
Let me know if that works or not.