Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2093
Views
6
Helpful
7
Replies

DNAC USER ROLE FOR API SITE OPERATIONS

evanm
Level 1
Level 1

‎11-30-2022 02:48 PM - edited ‎11-30-2022 03:15 PM

Hello Community,

I am running into an issue where I can't seem to query the API for SiteID information. I tested the snippet of code below without issues on our test server but it fails on our production system with an error about role permission. 

ERROR:

 

 

 

 

>>> print(response.json())
{'message': 'Role does not have valid permissions to access the API'}

 

 

 

 

CODE:

 

 

 

 

AUTH_URL = '/dna/system/api/v1/auth/token'
BASE_URL = 'https://10.x.x.x'
USERNAME = 'xxx'
PASSWORD = 'xxx'

response = requests.post(BASE_URL + AUTH_URL, auth=HTTPBasicAuth(USERNAME, PASSWORD), verify=False)
token = response.json()['Token']
headers = {'X-Auth-Token': token, 'Content-Type': 'application/json'}

SITE_COUNT_URL = '/dna/intent/api/v1/site/count'
response = requests.get(BASE_URL + SITE_COUNT_URL, headers=headers, verify=False)
print(response.json()['response'])
breakpoint()

 

 

 

 

The difference in roles is that I am being assigned "NETWORK-OPERATIONS" role for production and "SUPER-ADMIN-ROLE" for the lab. I understand a custom RBAC will be required but unsure what permissions I need to request exactly following RBAC Roles 

Can someone please shed some light on the best approach for me to be granted the appropriate permission to perform site operations? API SITE OPRERATIONS 

Thanks in advance.

-E

Labels:
0 Helpful
7 Replies 7

PabMar
Cisco Employee
Cisco Employee

‎12-01-2022 01:35 AM

Hello,

You will either need super-admin role, or need to create a New custom Role with API access under System - Users & Roles.

 

PabMar_1-1669887307892.png

 

PabMar_0-1669887294676.png

Hope that helps.

Regards.

evanm
Level 1
Level 1
In response to PabMar

‎12-01-2022 03:43 PM

Thanks PabMar. I suspect that I will need additional permissions on top of the APIs RBAC option. I currently have API access but limited in terms of which type of operation can be performed. I will request our provisioning team to look into my access further as I doubt they will allow full admin rights on our DNAC server. I'll ensure to post back the final solution.

Regards.

0 Helpful

omba
Level 1
Level 1

‎05-29-2024 05:49 AM

Hello @evanm ,

Did you have a solution? I am also getting the same error. 

"Role does not have valid permissions to access the API"... Similar config as yourself, I also followed @aradford advice on https://community.cisco.com/t5/networking-blogs/authenticating-rest-api-calls-to-dnac-getting-started/bc-p/3678811/highlight/true#M365 and I still have the same issue.

I am trying to post a node to the Catalyst Center.

0 Helpful

maflesch
Cisco Employee
Cisco Employee
In response to omba

‎05-30-2024 08:55 AM

Hi Omba. What type of admin user are you using for the APIs? Is it an external user, local user, the "admin" username? If it isn't admin, what role is specified for the user?

0 Helpful

omba
Level 1
Level 1
In response to maflesch

‎05-30-2024 09:09 AM

Hello Maflesch,

Thank you for your response.
I use the "devnetuser", "Cisco123!" credentials. My role is Role: "OBSERVER-ROLE"

Please how do I change my role?
0 Helpful

maflesch
Cisco Employee
Cisco Employee
In response to omba

‎05-30-2024 12:36 PM

This most likely the issue. If this is a local user, then you would go to Menu → System → Users and Roles, then edit the user and change the role.

If this is an external user, then you would have to change the role defined in the shell profile for that user in your AAA server.
0 Helpful

omba
Level 1
Level 1
In response to maflesch

‎05-30-2024 01:16 PM

Hello Maflesch,

I am a regular user studying for my ENAUTO 300 - 435 Exams. I intend to use the Catalyst Center to practice with interacting APIs.

Please can you forgive this silly question, but where is my AAA server? Also, I came across a comment by a member of the community (bigEvilBeard) where he said that there are no ALWAYS ON Sandboxes that allow Post requests. Is this true?

0 Helpful
Top