cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1416
Views
6
Helpful
7
Replies

DNAC USER ROLE FOR API SITE OPERATIONS

evanm
Level 1
Level 1

Hello Community,

I am running into an issue where I can't seem to query the API for SiteID information. I tested the snippet of code below without issues on our test server but it fails on our production system with an error about role permission. 

ERROR:

 

 

 

 

>>> print(response.json())
{'message': 'Role does not have valid permissions to access the API'}

 

 

 

 

CODE:

 

 

 

 

AUTH_URL = '/dna/system/api/v1/auth/token'
BASE_URL = 'https://10.x.x.x'
USERNAME = 'xxx'
PASSWORD = 'xxx'

response = requests.post(BASE_URL + AUTH_URL, auth=HTTPBasicAuth(USERNAME, PASSWORD), verify=False)
token = response.json()['Token']
headers = {'X-Auth-Token': token, 'Content-Type': 'application/json'}

SITE_COUNT_URL = '/dna/intent/api/v1/site/count'
response = requests.get(BASE_URL + SITE_COUNT_URL, headers=headers, verify=False)
print(response.json()['response'])
breakpoint()

 

 

 

 

The difference in roles is that I am being assigned "NETWORK-OPERATIONS" role for production and "SUPER-ADMIN-ROLE" for the lab. I understand a custom RBAC will be required but unsure what permissions I need to request exactly following RBAC Roles 

Can someone please shed some light on the best approach for me to be granted the appropriate permission to perform site operations? API SITE OPRERATIONS 

Thanks in advance.

-E

7 Replies 7

PabMar
Cisco Employee
Cisco Employee

Hello,

You will either need super-admin role, or need to create a New custom Role with API access under System - Users & Roles.

 

PabMar_1-1669887307892.png

 

PabMar_0-1669887294676.png

Hope that helps.

Regards.

Thanks PabMar. I suspect that I will need additional permissions on top of the APIs RBAC option. I currently have API access but limited in terms of which type of operation can be performed. I will request our provisioning team to look into my access further as I doubt they will allow full admin rights on our DNAC server. I'll ensure to post back the final solution.

Regards.

omba
Level 1
Level 1

Hello @evanm ,

Did you have a solution? I am also getting the same error. 

"Role does not have valid permissions to access the API"... Similar config as yourself, I also followed @aradford advice on https://community.cisco.com/t5/networking-blogs/authenticating-rest-api-calls-to-dnac-getting-started/bc-p/3678811/highlight/true#M365 and I still have the same issue.

I am trying to post a node to the Catalyst Center.

maflesch
Cisco Employee
Cisco Employee

Hi Omba. What type of admin user are you using for the APIs? Is it an external user, local user, the "admin" username? If it isn't admin, what role is specified for the user?

Hello Maflesch,

Thank you for your response.
I use the "devnetuser", "Cisco123!" credentials. My role is Role: "OBSERVER-ROLE"

Please how do I change my role?

maflesch
Cisco Employee
Cisco Employee
This most likely the issue. If this is a local user, then you would go to Menu → System → Users and Roles, then edit the user and change the role.

If this is an external user, then you would have to change the role defined in the shell profile for that user in your AAA server.

Hello Maflesch,

I am a regular user studying for my ENAUTO 300 - 435 Exams. I intend to use the Catalyst Center to practice with interacting APIs.

Please can you forgive this silly question, but where is my AAA server? Also, I came across a comment by a member of the community (bigEvilBeard) where he said that there are no ALWAYS ON Sandboxes that allow Post requests. Is this true?

Review Cisco Networking for a $25 gift card