DNAC USER ROLE FOR API SITE OPERATIONS

evanm · ‎11-30-2022

Hello Community,

I am running into an issue where I can't seem to query the API for SiteID information. I tested the snippet of code below without issues on our test server but it fails on our production system with an error about role permission.

ERROR:

>>> print(response.json())
{'message': 'Role does not have valid permissions to access the API'}

CODE:

AUTH_URL = '/dna/system/api/v1/auth/token'
BASE_URL = 'https://10.x.x.x'
USERNAME = 'xxx'
PASSWORD = 'xxx'

response = requests.post(BASE_URL + AUTH_URL, auth=HTTPBasicAuth(USERNAME, PASSWORD), verify=False)
token = response.json()['Token']
headers = {'X-Auth-Token': token, 'Content-Type': 'application/json'}

SITE_COUNT_URL = '/dna/intent/api/v1/site/count'
response = requests.get(BASE_URL + SITE_COUNT_URL, headers=headers, verify=False)
print(response.json()['response'])
breakpoint()

The difference in roles is that I am being assigned "NETWORK-OPERATIONS" role for production and "SUPER-ADMIN-ROLE" for the lab. I understand a custom RBAC will be required but unsure what permissions I need to request exactly following RBAC Roles

Can someone please shed some light on the best approach for me to be granted the appropriate permission to perform site operations? API SITE OPRERATIONS

Thanks in advance.

-E

PabMar · ‎12-01-2022

Hello,

You will either need super-admin role, or need to create a New custom Role with API access under System - Users & Roles.

Hope that helps.

Regards.

evanm · ‎12-01-2022

Thanks PabMar. I suspect that I will need additional permissions on top of the APIs RBAC option. I currently have API access but limited in terms of which type of operation can be performed. I will request our provisioning team to look into my access further as I doubt they will allow full admin rights on our DNAC server. I'll ensure to post back the final solution.

Regards.

omba · ‎05-29-2024

Hello @evanm ,

Did you have a solution? I am also getting the same error.

"Role does not have valid permissions to access the API"... Similar config as yourself, I also followed @aradford advice on https://community.cisco.com/t5/networking-blogs/authenticating-rest-api-calls-to-dnac-getting-started/bc-p/3678811/highlight/true#M365 and I still have the same issue.

I am trying to post a node to the Catalyst Center.

maflesch · ‎05-30-2024

Hi Omba. What type of admin user are you using for the APIs? Is it an external user, local user, the "admin" username? If it isn't admin, what role is specified for the user?

omba · ‎05-30-2024

Hello Maflesch,

Thank you for your response.
I use the "devnetuser", "Cisco123!" credentials. My role is Role: "OBSERVER-ROLE"

Please how do I change my role?

maflesch · ‎05-30-2024

This most likely the issue. If this is a local user, then you would go to Menu → System → Users and Roles, then edit the user and change the role.

If this is an external user, then you would have to change the role defined in the shell profile for that user in your AAA server.

omba · ‎05-30-2024

Hello Maflesch,

I am a regular user studying for my ENAUTO 300 - 435 Exams. I intend to use the Catalyst Center to practice with interacting APIs.

Please can you forgive this silly question, but where is my AAA server? Also, I came across a comment by a member of the community (bigEvilBeard) where he said that there are no ALWAYS ON Sandboxes that allow Post requests. Is this true?