cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
481
Views
7
Helpful
3
Replies

Upgrade to CiscoPrime 3.1 /InventoryDetails always returns access denied?

After upgrading our CiscoPrime to 3.1 (3.1.6 to be exact) from 3.0.4, any calls we make to /InventoryDetails (webacs/api/v1/data/InventoryDetails) returns 403 - Forbidden.

The same user with the same rights can without issue call webacs/api/v1/data/Devices as before.

The error message returned in the response is:

Access is denied to Prime Infrastructure.

Any thoughts on what might be wrong here?

3 REPLIES 3
Highlighted
Cisco Employee

Re: Upgrade to CiscoPrime 3.1 /InventoryDetails always returns access denied?

Are you using an external AAA provider (TACACS for example)?  Is it just InventoryDetails that you're having a problem with, or are you experiencing the same issue with other public API resources?  What type of user are you using to query the API (root, Super, NBI Read)?

Re: Upgrade to CiscoPrime 3.1 /InventoryDetails always returns access denied?

We are using an external provider (TACACS+) for login.

We are only quering /Devices and /InventoryDetails for now, the script I have to scrape the general inventory (/Devices) works as before, whereas what I use to scrape the network topology (/InventoryDetails) fails. I have verified it by hand using PowerShell and browsing to the API endpoint directly in Chrome.

The user is a member of "NBI Read".

The user is able to read the information (CDP Neighbors) when browsed via the WebGui.

Cisco Employee

Re: Upgrade to CiscoPrime 3.1 /InventoryDetails always returns access denied?

Can you double check your ACS shell profile and authorization config?  Your shell profile should look something like this

role0=NBI Read

task0=NBIReadPrivilege

virtual-domain0=ROOT-DOMAIN

You might also want to check the reporting section on your ACS server.  Specifically, the TACACS Authentication report.  Click the details button of one of your most recent API sessions and ensure that the selected shell profile listed matches your expectations.

There is an explicit privilege grant in the system for the Devices API for a broad set of users, so it's likely that you're granted access to Devices based on that privilege.

Let me know if that works or not

Content for Community-Ad
August's Community Spotlight Awards
This widget could not be displayed.