DNAC USER ROLE FOR API SITE OPERATIONS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-30-2022 02:48 PM - edited 11-30-2022 03:15 PM
Hello Community,
I am running into an issue where I can't seem to query the API for SiteID information. I tested the snippet of code below without issues on our test server but it fails on our production system with an error about role permission.
ERROR:
>>> print(response.json())
{'message': 'Role does not have valid permissions to access the API'}
CODE:
AUTH_URL = '/dna/system/api/v1/auth/token'
BASE_URL = 'https://10.x.x.x'
USERNAME = 'xxx'
PASSWORD = 'xxx'
response = requests.post(BASE_URL + AUTH_URL, auth=HTTPBasicAuth(USERNAME, PASSWORD), verify=False)
token = response.json()['Token']
headers = {'X-Auth-Token': token, 'Content-Type': 'application/json'}
SITE_COUNT_URL = '/dna/intent/api/v1/site/count'
response = requests.get(BASE_URL + SITE_COUNT_URL, headers=headers, verify=False)
print(response.json()['response'])
breakpoint()
The difference in roles is that I am being assigned "NETWORK-OPERATIONS" role for production and "SUPER-ADMIN-ROLE" for the lab. I understand a custom RBAC will be required but unsure what permissions I need to request exactly following RBAC Roles
Can someone please shed some light on the best approach for me to be granted the appropriate permission to perform site operations? API SITE OPRERATIONS
Thanks in advance.
-E
- Labels:
-
Cisco DNA Automation
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-01-2022 01:35 AM
Hello,
You will either need super-admin role, or need to create a New custom Role with API access under System - Users & Roles.
Hope that helps.
Regards.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-01-2022 03:43 PM
Thanks PabMar. I suspect that I will need additional permissions on top of the APIs RBAC option. I currently have API access but limited in terms of which type of operation can be performed. I will request our provisioning team to look into my access further as I doubt they will allow full admin rights on our DNAC server. I'll ensure to post back the final solution.
Regards.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-29-2024 05:49 AM
Hello @evanm ,
Did you have a solution? I am also getting the same error.
"Role does not have valid permissions to access the API"... Similar config as yourself, I also followed @aradford advice on https://community.cisco.com/t5/networking-blogs/authenticating-rest-api-calls-to-dnac-getting-started/bc-p/3678811/highlight/true#M365 and I still have the same issue.
I am trying to post a node to the Catalyst Center.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-30-2024 08:55 AM
Hi Omba. What type of admin user are you using for the APIs? Is it an external user, local user, the "admin" username? If it isn't admin, what role is specified for the user?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-30-2024 09:09 AM
Thank you for your response.
I use the "devnetuser", "Cisco123!" credentials. My role is Role: "OBSERVER-ROLE"
Please how do I change my role?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-30-2024 12:36 PM
If this is an external user, then you would have to change the role defined in the shell profile for that user in your AAA server.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-30-2024 01:16 PM
Hello Maflesch,
I am a regular user studying for my ENAUTO 300 - 435 Exams. I intend to use the Catalyst Center to practice with interacting APIs.
Please can you forgive this silly question, but where is my AAA server? Also, I came across a comment by a member of the community (bigEvilBeard) where he said that there are no ALWAYS ON Sandboxes that allow Post requests. Is this true?
